File Share Encryption

Hi Everyone,

 

I wanted to know if there is a tool that I can use to decrypt our computers (Laptop/Tablets), which contain 10.2 MP5. I have used all the versions for the PGPWDE Recovery.iso's, but none can pass the inital screen. It states "PGP Recovery Disk is searching the disk for PGPWDE installation, Please wait..." We are transitioning from Windows XP to Windows 7, and 8.1 so we require a tool to decrypt our machines. Running the standard process of decryption can take anywhere from 12 hours to 48 hours. This is a big setback due that we are upgrading over 5000 machines.

Is there a tool that we can use for 32bit (XP) and 64bit (Windows 7)?

I have used the following versions on Symantec.com:

PGPDesktop10.2.0_MP1.iso

PGPDesktop10.2.0_MP2.iso

PGPDesktop10.2.0_MP3WIN32_WDE_Recovery.iso

PGPDesktop10.2.0_MP4WIN32_WDE_Recovery.iso

PGPDesktop10.2.0_MP5WIN32_WDE_Recovery.iso

Bootg.iso

PGPWDE_Recovery.iso

 

Neither one of the seven versions listed above work. The only way to decrypt is during in-session. We require a tool that can decrypt the drives without the ridiculous amount of time. This is tedious process, which is setting us back with the deployment process.

 

Please help!

 

Joseph V.

Joseph,

Have you considered removing the drive and slaving it to another computer? This is actually the fastest way to decrypt a drive. If you have the same version of the software on multiple computers, it should be compatible. After slaving the drive, PGP Desktop should ask you for the passphrase. Enter the passphrase, and you should be able to decrypt with the PGP Desktop interface.

I hope this is of some use for you. Please let me know if you have any concerns with this method, or if it works for you.

Regards,
Phil

Thanks Phil for your response. This is a great method for me, but unfortunately our System Administrators are going to be the individuals that will be decrypting the mobile devices. I was trying to see if there is a decryption tool that allow one to enter the passphrase, and decrypt drive. Similiar to what Symantec used to have for SEE (Symantec Endpoint Encryption).

 

When decrypting 5000 machines upper management may not see this feasible option. I appreciate your assistance.

 

Joseph V.

Supv., Desktop Engineering

It will depend heavily on a couple things, but we'll try to help you get it sorted out.

1.  What process is being used for the upgrade?

2.  Are the client systems managed by a PGP Universal Server?

If you are simply backing data up while the system is on, then installing a fresh Windows 7, then migrating the data back to the system (e.g. Windows Easy Transfer), you would not need to decrypt.  You could simply reformat the drive, then install the new OS, and migrate the data back.  You would want to be sure the user's keyrings are part of the data that is being backed up (they are in My Documents/PGP) if they use anything other than PGP Whole Disk Encryption.

If you are using an in-place upgrade, you would need to decrypt.  I'm not sure why those recovery disks wouldn't work for you if they are the correct version, but I would avoid using the iso/recovery disk to decrypt a large number of systems.  It is the slowest way to decrypt.  If you are looking for something more akin to a script that you can push to the clients to kick off decryption, we don't officially support the scripting, but I can give you an example that you could modify to suit your needs.

In a managed PGP environment, where there is a WDE Disk Administrator Passphrase for the encrypted clients, you could alter the following script to fit your environment, then save it as a batch script to run on client systems to begin decryption.  This would allow you to start decryption remotely by pushing the script via GPO or third-party distribution methods.

1.  The following script is NOT officially supported, but merely an example of a script that should start decryption when saved as a batch file and executed on a client system.
2.  The following should work on 32- or 64-bit clients.
3.  Substitute your WDE Disk Administrator passphrase where it says AdminPassphrase.

@echo off
if exist "C:\program files\pgp corporation\pgp desktop\pgpwde.exe" (goto 32-bit) else goto 64-bit
:32-bit
cd "C:\program files\pgp corporation\pgp desktop"
goto decrypt
:64-bit
cd "C:\program files (x86)\pgp corporation\pgp desktop"
goto decrypt
:decrypt
pgpwde --decrypt --disk 0 --passphrase AdminPassphrase

 

Thank you very much Mike for your response. It is going to be in place so the second option is probably best. I already had a fellow engineer attempt the script you provided, and it appears to be working. I truly appreciate your assistance. Thanks again, Joseph Vasquez Supv., Desktop Engineering