Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Encrypted disk not recognized by Windows

Created: 29 Mar 2011 | 13 comments

I have several external, USB hard drives encrypted with WDE. With one of them now, after I enter the passcode, I get a message box from Windows, "You need to format the disk in drive E: before you can use it. Do you want to format it?" Obviously, the answer to that question is No. This does not happen with my other drives. Why is this happening and what do I need to do to access this drive?

Comments 13 CommentsJump to latest comment

WDEuser's picture

Results of command line tests of problem drive:

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Program Files (x86)\PGP Corporation\PGP Desktop>pgpwde --enum
Total number of installed fixed/removable storage device (excluding floppy and CDROM): 3
Disk 0 has 1 online volumes: volume C OS is on partition 3 with offset 30801920
Disk 1 has 0 online volumes:
Disk 2 has 1 online volumes: volume I Elements 1 Tb SN 7917 is on partition 1 with offset 2048
Request sent to Enumerate disks was successful

C:\Program Files (x86)\PGP Corporation\PGP Desktop>pgpwde --disk-status --disk 1
Disk 1 is instrumented by bootguard.
  Current key is valid.
Whole disk encrypted
  Total sectors: 1953519615 highwatermark: 1953519615
Request sent to Disk status was successful

C:\Program Files (x86)\PGP Corporation\PGP Desktop>pgpwde --info --disk 1
Disk information for disk 1.
  Model Number: WD Elements 1023 USB Device
  Total number of sectors on disk: 1953519616
Request sent to Display disk information was successful

C:\Program Files (x86)\PGP Corporation\PGP Desktop>pgpwde --list-user --disk 1
Total of 1 user:
        User  0: Name: Me Type: PGP Key ID: 0x16A6CD05
System Record Information:
  Serial Number: 1
        Disk ID: WD Elements 1023 USB Device.USB.953 GB.Hal
      Disk UUID: 6a0461f4-2828-4adc-b63b-fbda1bbb139d
     Group UUID: 6a0461f4-2828-4adc-b63b-fbda1bbb139d
Request sent to List users on disk was successful
 

The problem drive is disk 1. It appears that WDE recognizes the disk, sees that it is encrypted, and knows the user and key, but does not find an online volume on it. I then went to Windows "Disk Management," which reports the disk is online and has drive letter E. In PGP Desktop, the drive is listed under PGP Disk, but does not show the drive letter.

paulhen's picture

The above indicates that the PGP portion of the disk (the encrypted contain if you will) is healthy. However, the partition table and/or file system within that container has run into an issue. This may be due to a physical problem with the disk or some other cause. I would suggest whatever data recovery / broken file system strategy you would use if the disk were not encrypted. I know there are free software recovery tools, commercial software products and data recovery services which may be of assitance in repairing/restoring the file system. One thing to keep in mind is that the file system in question isn't visible (and can't be worked on) until after you have authenticated to the disk. This pretty much means the recovery will need to be done from within Windows.

 Governments keep a lot of secrets from their people . . . Why aren't the people in return allowed to keep secrets from the government? --Philip Zimmerman, Der Spiegel

Tom Mc's picture

Might it be worth trying SpinRite?  Their tech support has advised me that it works even if the disk is encrypted. They can also provide guidance as to how to run it from a bootable flash drive.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.

Search the Knowledge Base &

WDEuser's picture

Thanks guys. I'm glad to see both of you are still here!

Based on Paul's answer, I'm having fun (NOT!) with disk testing and recovery software. I've run Western Digital's diagnostics, as well as Recuva, Partition Wizard, R-Studio, GetDataBack, and iRecover, without finding any meaningful results. SMART data indicates no physical problems with the drive. Windows's Disk Management console also reports the drive is healthy, although with file system Raw. None of the recovery software has found a file system or any discernible data that indicates the drive ever held any useful files. On this basis, I can't tell whether the software is looking at unencrypted data on the drive after authentication by PGP, or is trying to figure out the meaning of the encrypted drive.

Since I have an up-to-date backup of the drive, I'm concerned not about data recovery, but about figuring out what's wrong and, if applicable, documenting a hardware failure so I can get the drive replaced under warranty. I haven't found anythng yet to explain my problem or point to a cause. Frustrating. Worse yet, since I haven't seen any evidence of useful data on the drive, I haven't been able to establish that the problem is unrelated to encryption.

I suppose I'll think about these results for a couple of days and see if I get any ideas of other things to try. If I don't figure anything out, I suppose I'll format the drive, run ChkDsk on it, re-encrypt it, put it back into service, and keep an eye out for future problems. Spin-Rite is not an option because it takes several days and nothing else can be done on the computer while it is running, a work interruption I can't afford.

I'd appreciate any comment you have on any of the above.

Thanks.

Tom Mc's picture

Just informational, in case it makes any difference:  When I used the WDE Recovery CD on this 700 GB disk, it took five days to complete.  If my memory is correct, the Spin Rite use on the same disk took less than 24 hours.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.

Search the Knowledge Base &

WDEuser's picture

Okay, this should have been obvious to me from what I wrote last night. The data recovery software I'm using is looking at the bare bits on the physical drive, not on data on the other side of PGP authentication. Paul's message above suggested using "whatever data recovery / broken file system strategy you would use if the disk were not encrypted." But there appears to be a big difference here in that all the software I've found for this purpose seems to be looking at the physical drive, which means that it will work for an unencrypted disk, but not for an encrypted one. So I need a more specfic recommendation. If there is software that can do data recovery on an encrypted drive, that means it is capable of looking at data on the other side of your authentication. Does such software exist?

Tom Mc's picture

This is what I've received in a personal email from Spin Rite tech support:

"SpinRite is able to work WITH file systems that it understands and
with the raw sectors of file systems it doesn't recognize.  So
SpinRite is well able to operate on any encrypted file system
partitions . . . and to perform useful drive recovery on them."

When you consider your issue resolved, please click Mark As Solution on the most helpful response.

Search the Knowledge Base &

WDEuser's picture

I have run SpinRite as well as seven different data recovery programs on this disk. Here is what I've found.

SpinRite estimated it was going to take about 300 hours to complete its analysis of the drive. I let it run for about 40 hours, during which time it tested 15% of the drive surface and found no problems.

Five of the data recovery programs correctly read the file structure and contents on a good, encrypted drive once it was unlocked. However, all five of these programs were unable to find any file structure or any valid files on the bad, unlocked drive.

So here is the mysterious situation: You tell me that the four PGP test results reported above (enum, status, info, and user) indicate that the encryption system on the bad drive is in good shape and that PGP is able to unlock the drive successfully. But Windows and five data recovery programs that are able to read files on a good, encrypted drive cannot find any file system, nor any good files, on the bad drive. The mystery is, what could have happened to this drive to so completely destroy all the encrypted data on it, while leaving the data used for encryption itself intact?

Just to be sure, I have repeated the four PGP tests again, all with exactly the same results as before. Are you guys completely sure that these results definitely indicate that PGP is successfully unlocking the drive? Is it possible that something got corrupted on the drive that is preventing the drive from being unlocked? Because from the results of the data recovery programs, it really does look like what is happening is that the drive is just not being unlocked.

Tom Mc's picture

Any chance this is a new large drive with a 4k sector size?  If so, you may want to check the specs for the drive to make sure.  This has come up in recent bug reports and PGP WDE is currently not compatible with sector sizes other than 512 bytes.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.

Search the Knowledge Base &

WDEuser's picture

Checking the drive data, the sector size is stated as 512 b. Also, the drive was encrypted and in service successfully for about three months before it stopped allowing Windows access.

Perhaps the important question is this:

Is there a way besides those four tests above to check whether the drive has actually been unlocked and so whether unencrypted data is actually available to the operating system?

WDEuser's picture

Western Digital has agreed to replace the drive under warranty. Before getting that, I want to see if there is anything to be done to solve the mystery of what happened with this drive.

Let me recap the situation:

1. After I enter the PGP passphrase, Windows reports, "You need to format the disk in drive E: before you can use it. Do you want to format it?"

2. Four PGP test results (enum, status, info, and user) indicate that the encryption system on the drive is in good shape and that PGP is able to unlock the drive successfully.

3. Five data recovery programs (Recuva, R-Studio, GetDataBack for NTFS, EaseUS, CGsecurity) that are able to read files on another encrypted drive cannot find any file system, nor any good files, on this one.

 

So the mystery is, what could have happened to this drive to so completely destroy all the encrypted data on it, while leaving the data used for encryption itself intact?

This mystery might be solved if you can answer the following questions: Is it possible that something got corrupted on the drive that is preventing the drive from being unlocked? Is there a way besides the above four PGP tests to check whether the drive has actually been unlocked and so whether unencrypted data is actually available to the operating system? Because from the results of the data recovery programs, it really does look like what is happening is that the drive is just not being unlocked.

Any final suggsetions on this before I format the drive and return it to WD?

Thanks for your help.

PGP_Ben's picture

I would recommend to try to decrypt first. Run pgpwde --disk 1 --force --decrypt --p "passphrase of the user on the disk".

At which point, then you can run a hard drive diagnostic utility (such as Sprinrite) with a totally unecrypted disk. Which SHOULD give you the same results as what you were already seeing, but this would be 100% confirmation that everything is fine. You may also wish to run a chkdsk /f /r on the drive as well to see what you get there.

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

WDEuser's picture

Okay, I tried Ben's suggestion, to decrypt. I didn't have to use DOS for that because the disk was recognized in PGP Desktop and I was able to decrypt it from there. It took about 48 hours to decrypt!

After decrypting, the behavior of the disk was exactly as before, except for not being encrypted:

1. When I plug the drive into a USB port, Windows reports, "You need to format the disk in drive E: before you can use it. Do you want to format it?"

2. I didn't bother running the PGP DOS tests. PGP Desktop now offers to encrypt the drive instead of to decrypt it.

3. I ran the four best of the data recovery programs I have (Recuva, R-Studio, GetDataBack for NTFS, EaseUS) on the drive and, as before, none of them found any file system, nor any good files, on it.

So this fits with Ben's comment above that decryption "SHOULD give you the same results as what you were already seeing," but I don't understand why he then says "this would be 100% confirmation that everything is fine." Everything is definitely not fine. I have somehow lost all the data on the disk. (There has been no loss -- everything was backed up, but the problem is to understand what happened.)

So the mystery remains, what in the world could have left the encryption data on the drive intact, so that I was able to unlock the drive and then fully decrypt it without error, and yet so utterly destroyed any sign of the data that was on the drive?

It seems obvious that there is no longer any hope of finding the answer to this question now that encryption has been removed, so that the only thing to do now is to format and return the drive to WD for replacement. However, this seems very fishy to me. I have a hard time understanding how this problem could have been caused by any kind of physical malfunction of the drive. Although I don't know how this could be, it seems more likely that PGP somehow lost track of its management of the data on the drive and turned it all to mush.

Is that impossible? Does anybody have any better idea what could possibly have happened here? I'll wait a couple of days to see if anyone has any further suggestions before I format the drive and get rid of it.

Thank you.