File Share Encryption


How to boot into recovery boot image to decrypt the HDD

  • 1.  How to boot into recovery boot image to decrypt the HDD

    Posted Mar 25, 2014 09:03 PM
    Hi there, well the system that I'm working with has a corrupted MBR, Windows 7 & the HDD's primary partition is encrypted using PGP. I just want to know how I can do that, I found the recovery image ISO file but how do I boot with it to decrypt the affected HDD? Thanks a lot in advance!


  • 2.  RE: How to boot into recovery boot image to decrypt the HDD

    Broadcom Employee
    Posted Mar 26, 2014 04:15 AM

    Hi JayShades,

    A. If you have access to another machine, the ideal is to:
    - make a clone of the disk
    - slave the disk to a machine with PGP Desktop installed (same version, if not sure use a higher one) and copy all your data from the disk
    - attempt to repair the MBR as instructed below

    First step of troubleshooting an encrypted disk should always be to make a sector-by-sector (bit per bit) copy of the disk. This is to have a backup of the current state, in case there is the need to restart troubleshooting from the beginning. See https://www-secure.symantec.com/connect/forums/disk-decrypted-not-readable-through-windows

    WARNING: Using a fixmbr will wipe an MBR clean. If you are unsure of other applications that are using the MBR you should create a ticket and explore if there are any other options before proceeding with this fix. Backups should always be on hand before performing this operation as this could lead to a loss of data. If backups have not been created you will need to make an image of your disk, and transfer that to a new drive. Use the drive with the image for all testing and troubleshooting so that the original remains intact.

    After, run the pgpwde --fixmbr and the pgpwde --recover, as instructed in this article: BootGuard loading stage 2... PGPWDE disk data are corrupted. - TECH149631.
     


    B. Otherwise, please review this article: Drive Encryption Diagnosis and Recovery - Symantec Drive Encryption & PGP Whole Disk Encryption - TECH149679.
    [SECTION 3 - Using Recovery Disk Images (bootg.iso or bootg.img)]

    - use the same product version, if not sure use a higher one. It is a long process (16-bits) which can take days to complete. Do NOT interrupt this process, otherwise you may lose access to the data.

     


    Rgs,
    dcats
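
Added example (not part of the thread and not Symantec code): since fixmbr overwrites the MBR, this Python example saves sector 0 of a cloned disk image and decodes the standard partition table first, so the pre-repair state is on record. The file paths and the sample sector are constructed; a classic MBR-partitioned disk with 512-byte sectors is assumed.

```python
import hashlib
import struct

SECTOR = 512
TYPE_NAMES = {0x07: "NTFS/exFAT", 0x0C: "FAT32 LBA", 0x0F: "extended LBA",
              0x83: "Linux", 0xEE: "GPT protective"}


def parse_mbr(sector0):
    """Decode the classic MBR layout: 446 bytes of boot code, four 16-byte
    partition entries, then the 0x55 0xAA signature."""
    if len(sector0) != SECTOR:
        raise ValueError("need exactly one 512-byte sector")
    parts = []
    for i in range(4):
        raw = sector0[446 + 16 * i:462 + 16 * i]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        status, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        if ptype == 0x00:          # unused slot
            continue
        parts.append({"slot": i, "active": status == 0x80, "type": ptype,
                      "name": TYPE_NAMES.get(ptype, "unknown"),
                      "start_lba": start, "sectors": count})
    return {"signature_ok": sector0[510:] == b"\x55\xaa",
            "boot_code_sha256": hashlib.sha256(sector0[:446]).hexdigest(),
            "partitions": parts}


def backup_and_parse(image_path, backup_path):
    """Save sector 0 of a disk image to backup_path, then decode it."""
    with open(image_path, "rb") as f:
        sector0 = f.read(SECTOR)
    with open(backup_path, "wb") as f:
        f.write(sector0)
    return parse_mbr(sector0)


def sample_mbr():
    """Constructed sector 0: System Reserved (100 MiB) plus one NTFS volume."""
    def entry(status, ptype, start, count):
        return struct.pack("<B3xB3xII", status, ptype, start, count)
    table = (entry(0x80, 0x07, 2048, 204800) +
             entry(0x00, 0x07, 206848, 1953314816) + bytes(32))
    return bytes(446) + table + b"\x55\xaa"
```

Comparing `boot_code_sha256` and the partition list before and after a repair attempt shows exactly what the repair changed in sector 0.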



  • 3.  RE: How to boot into recovery boot image to decrypt the HDD

    Posted Mar 27, 2014 08:24 PM

    Thanks a lot for taking the time dcats, appreciate it!

     

    So what I actually initially wanted to know was how to actually boot into the recovery image because Yumi didn't manage to write to my USB in a proper way to boot from it but then later I managed to boot in to the recovery also using Yumi & selecting Non listed ISO with GRUB.

    So firstly I tried the recovery image & it tries to find the WDE installation & says cannot continue, failed to find a WDE installation & stops there after around 2 hours.

     

    When that failed, I connected my HDD to a different computer on which I installed PGP WDE & the software itself wouldn't even recognize the encryption, it did however recognize the drive & just 1 partition.

    Also I should mention that my whole disk is not encrypted, only 1 partition, which is the Windows partition that is encrypted.

    When the software didn't recognize the encrypted partition, I went straight to the CMD & tried pgpwde --enum & then pgpwde --status disk x & even then it only shows 1 partition on the disk which is not encrypted & the status of the whole disk comes as no bootguard in use.

    So I tried pgpwde --fixmbr which said the command was sent successfully & then I tried pgpwde --recover & it started searching & going through the sectors & failed around a quarter way through, said cannot continue & something wrong with this sector, error 1990 or 0990, I don't remember exactly.

     

    & then now since I did the pgpwde --fixmbr I figured that I'll give the recovery image another chance & tried it again but still the same, Cannot continue, no installation found after around 2-3 hours.

     

    What other options do I have?



  • 4.  RE: How to boot into recovery boot image to decrypt the HDD

    Broadcom Employee
    Posted Mar 28, 2014 06:43 AM

    Hi JayShades,

    Unfortunately the outlook doesn't seem the best.
    When you ran the fixmbr command you removed the encryption information which allows you to authenticate to the encrypted disk.
    Then, when you attempted to recover that information back, the process got stuck on a bad sector. So it seems that at present your disk does not contain reference to the encrypted data, i.e. no key information.

    What you can attempt is to do an exact image of the disk, also known as a clone (ignoring errors, thus keeping the structure) and attempt to run the recover command in that new disk, perhaps the backup user records are located after those bad sectors and might be recovered.

     


    Rgs,
    dcats
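
Added example (not part of the thread): what a clone "ignoring errors, thus keeping the structure" means in practice, and why the first reply makes a sector-by-sector copy step one. Unreadable sectors are written as zeros at the same offset, so anything located after the bad sectors stays where a later recovery scan expects it. `FlakyDisk` and the 200-sector image are constructed stand-ins for a failing drive; 512-byte sectors are assumed.

```python
import hashlib
import io

SECTOR = 512  # assumed logical sector size

def _read(src, lba, count):
    src.seek(lba * SECTOR)
    data = src.read(count * SECTOR)
    if len(data) != count * SECTOR:
        raise OSError("short read")
    return data

def clone_ignoring_errors(src, dst, total_sectors, chunk=64):
    """Clone src to dst; unreadable sectors become zeros at the same offset."""
    bad, digest, lba = [], hashlib.sha256(), 0
    while lba < total_sectors:
        count = min(chunk, total_sectors - lba)
        try:
            data = _read(src, lba, count)          # fast path: whole chunk
        except OSError:
            parts = []
            for s in range(lba, lba + count):      # slow path: sector by sector
                try:
                    parts.append(_read(src, s, 1))
                except OSError:
                    parts.append(bytes(SECTOR))    # placeholder keeps the layout
                    bad.append(s)
            data = b"".join(parts)
        dst.write(data)
        digest.update(data)
        lba += count
    return bad, digest.hexdigest()

class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a failing drive: reads touching bad LBAs fail."""
    def __init__(self, data, bad_lbas):
        super().__init__(data)
        self.bad_lbas = set(bad_lbas)
    def read(self, n=-1):
        first, last = self.tell() // SECTOR, (self.tell() + n - 1) // SECTOR
        if any(first <= b <= last for b in self.bad_lbas):
            raise OSError(5, "Input/output error")
        return super().read(n)

def demo():
    disk = b"".join(bytes([i % 251 + 1]) * SECTOR for i in range(200))  # constructed
    dst = io.BytesIO()
    bad, sha = clone_ignoring_errors(FlakyDisk(disk, [70, 71]), dst, 200)
    return disk, dst.getvalue(), bad, sha
```

On real hardware a purpose-built imager such as GNU ddrescue does the same job with retries and a map of the unreadable areas.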



  • 5.  RE: How to boot into recovery boot image to decrypt the HDD

    Posted Mar 28, 2014 10:29 AM

    Thank you again dcats.

    Shouldn't the fixmbr command actually fix the mbr & re-write the mbr which includes the bootguard information on to the HDD though?

    Anyways, I just got a new external HDD since my current isn't enough to clone my encrypted 1TB HDD, I'll update on the progress soon, thanks again! :)

     



  • 6.  RE: How to boot into recovery boot image to decrypt the HDD

    Posted Mar 31, 2014 07:47 PM

    So after the previous post, I booted into the PGP WDE recovery image using a USB drive & my cloned external HDD was connected to the computer as well. The recovery image started searching for the WDE installation & after less than half an hour I noticed that the external HDD isn't being read anymore, no movement that I can feel. But I let it run & after around 3 hours as I expected it said that no WDE installation was found & cannot continue.

    I'm really idea-less right now & I'd appreciate any help!

    I really need to recover Windows & I've gotten this far though it has taken around 5-7 days, I don't even remember anymore! So please, help! :D



  • 7.  RE: How to boot into recovery boot image to decrypt the HDD

    Posted Apr 01, 2014 08:13 AM

    Hello again dcats,

     

    After around 48 hours & 2 tries I finally managed to clone my encrypted HDD with Acronis 2014.

    After that, I did; pgpwde --fixmbr --disk x & then pgpwde --recover --passphrase "pass" --disk x & it successfully found the recovery file & restored it.

    After doing that when I reconnected the cloned HDD since I have PGP WDE installed on this computer it asked for the passphrase to gain access to the disk & when I entered it it still only displayed System Reserved partition & not the Windows partition. Even inside the WDE software itself, it only shows the System Reserved partition & the whole disk as not encrypted.

    Even with the command line with pgpwde --status --disk x it still says that this disk is not instrumented by bootguard.

    However, with pgpwde --list-user --disk x, it does show my username & other details on it, that's the only indication of PGP WDE being associated with the disk.

    So I tried booting from the cloned HDD, it successfully prompted me for the passphrase after loading Stage 2 & successfully authenticated me as well but only to be greeted with a grub rescue command line.

    Also, when I go to Advance at the bootguard Stage 2, it shows my disk as 0% encrypted, this may be because only 1 partition of the disk is encrypted & I have around 4 partitions?

     

    What do you suggest that I do next mate?

    The only thing that I can think of is the PGP WDE recovery disk to try to decrypt the partition & then use a Windows recovery/installation disk to restore the mbr with the Windows fixmbr command.

     

    Thank you very much again for all the help so far!

    Cheers!

     

     



  • 8.  RE: How to boot into recovery boot image to decrypt the HDD

    Posted Apr 14, 2014 12:33 PM

    Jay,

    So is the drive spinning? Is it spinning up and then shutting down? Any clicking during the drive's initialization cycle?

    I have a feeling the drive is going bad on you. What I usually do for any encrypted drive, SEE or PGPWDE, that encounters booting issues is to scan with a sector sweeping tool. My favorite and the one that has saved me many times, it is called HDD Regenerator (http://hddreg.com/). Unlike other tools that actually move data from bad sectors to working sectors, something you really do not want to do with encryption, this tool actually demagnetizes and magnetizes the impacted (bad) sector and restores it making it readable again without impacting the data on it.

    Once that is completed, I typically boot into a BART PE based boot CD with PGP WDE on it and access the drive. If you can access the drive then back up the data right away. I then run a chkdsk fix command to check and repair any Windows system files. If the hard drive cannot be accessed then it is best to try using testdisk for possible repair of the partition.

    Fragmentation of drives, especially on XP systems, was always an issue with whole disk encryption. You could get unmountable boot volume errors at times, TestDisk usually saved the day with these issues.

    I guess I just need more information as to what is going on with this drive at this point. Try downloading a trial version of this HDD Regenerator first to see how many bad sectors you actually are dealing with on this drive. If you have more than 20 then the drive's heads are most likely crashing and the best thing to do is DD that drive, image it sector by sector since the time to live on that drive is limited. Best practice, always image a drive and make it step 1. Sometimes, due to resources, that is not possible but when you see a drive with a ton of bad sectors it’s a must.

    Let me know if the original drive is actually spinning… if not then we need to focus on running a full decryption on the imaged drive. After the encryption is finished and the data still can’t be accessed you may need to run a data recovery program like Rstudio, it will find the decrypted data in damaged partitions. This might be your next step after the HDD Regenerator scan.

     



  • 9.  RE: How to boot into recovery boot image to decrypt the HDD

    Broadcom Employee
    Posted Apr 17, 2014 09:31 AM

    Hi JayShades,

    Apologies, for some reason I haven't figured out yet, this thread dropped out of my sight.
    Did you have the chance to follow the suggestions from 3L3M3NT?

    If you have data worth it and the disks appear to be damaged, perhaps you may want to hire a drive recovery service.


    HTH,
    dcats



  • 10.  RE: How to boot into recovery boot image to decrypt the HDD
    Best Answer

    Posted Apr 20, 2014 02:16 PM

    Hello 3l3m3nt & dcats,

     

    Thank you for those suggestions 3l3m3nt, really appreciate you taking the time.

    Actually guys I got my HDD decrypted & recovered all my data a few weeks ago. The only thing that I couldn't recover was the OS itself, which I'm not sure why, anyhow, I'm happy that I got the data.

    Re-encrypted & been backing up sector by sector every week, once a week ever since, lol.

    So as for my last post, I managed to finally use the pgp recover & fixmbr which both worked but however, windows still wouldn't load nor could I access my data by slaving the HDD.

    After doing some more searching on Google I finally ran into a command to decrypt the partitions themselves, the command to decrypt the whole disk didn't work for me earlier, I suppose since only 1 partition on my HDD was encrypted.

    So I used this command: 

    pgpwde --decrypt --passphrase "passphrase" --disk x --all-partitions

    http://www.symantec.com/business/support/index?page=content&id=TECH149110

    & it took around 16 hours or so as expected but decrypted my HDD & I could finally access all my data after slaving the HDD!

    Thank you so much for all the help dcats!



  • 11.  RE: How to boot into recovery boot image to decrypt the HDD

    Broadcom Employee
    Posted Apr 21, 2014 06:37 AM

    Hi JayShades,

    You're welcome.
    I'm glad to hear that you got access to your data.

    And thanks for sharing the outcome.


    Regards,
    dcats