
PGP Bootguard Questions

Created: 01 Nov 2012 • Updated: 21 Jan 2013 | 6 comments
This issue has been solved. See solution.

I have 2 questions regarding the PGP Desktop BootGuard screen. If you press F5 you can enter an administrator password and bypass the screen. Currently only our "Admin" account's password works. Is it possible to add a second account that can be used? I've logged into the PGP web administration and created a superuser, but using that password does not work.

My second question is regarding the F6 key option, which is the user bypass screen. What does this do? I've downloaded a 307-page PDF of the PGP user guide and there is no reference to it. I've enabled the WDE bypass using the pgpwde --add-bypass command, but this just completely skips the BootGuard screen, so I'm trying to figure out what the F6 key actually does.

Thanks for your help.


PGP_Ben:

The F5 option is designed to only use the WDE administrator passphrase that you create via Consumer Policy on the PGP Universal Server. There is only the option to create one administrator passphrase via Consumer Policy. You can add a secondary passphrase account to the drive and use that for authentication as well. But the downside to that is you cannot easily remove that account or change the passphrase via Consumer Policy on the server. You would have to do it all manually on each machine in that case.

In response to question two regarding the F6 option: this is designed for the case where the drive is instrumented with a passphrase (PGP BootGuard is in place) but not encrypted yet. You then have the option to enable a bypass, which can be used here. So it doesn't really apply in the case where you are using encryption on the drive.

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

SOLUTION
nate.hall:

Thanks for the very detailed explanation, exactly what I was looking for!

3L3M3NT:

Wait ... I thought anyone in the WDE-ADMIN Active Directory group would have the ability to use the F5 option as well as the PGPWDE command lines to authenticate/encrypt/decrypt and bypass drives... is this not correct? If not, then what is this AD WDE-ADMIN group good for? Symantec needs to seriously clarify these very important administrative options a bit more; there is not enough detail describing these options. It would make the testing process and building a standard recovery write-up so much easier for us security people. Thanks

nate.hall:

"Symantec needs to seriously clarify these very important administrative options a bit more; there is not enough detail describing these options. It would make the testing process and building a standard recovery write-up so much easier for us security people."

I completely agree with this! I spent WAY too long looking through the forums and guides for this information.

3L3M3NT:

Just found this today. I think this will help clarify a bunch of unknowns with PGPWDE commands:
https://supportimg.pgp.com/guides/PGPwdeWinCmdline...

It's for an older version, but it looks like all these commands are still being used in the newest 10.3.0 (build 8741) version, at least from my testing standpoint.

WDE-ADMIN seems to work for the administrative bypass commands fairly well. I'm about to test this with PGPWDE commands off a boot CD. I'm more interested in the authentication command, so that any support person in this WDE-ADMIN group can use their own AD account passphrase to unlock a drive to do offline virus scans and conduct other administrative functions. The fact that there is one passphrase for all computers in the entire company is not good: what if that passphrase leaks and we are not aware of it? Changing it also requires notifying everyone globally, and that becomes a hassle. I really hope this works! I'll post an update later...

nate.hall:

I'd be interested to know how you get along with this. Currently we have help desk staff who need to bypass PGP to log in for troubleshooting. Currently they are using USB tokens to bypass it, but it would be nice for them to be able to use a password without giving the master password out (for the reasons you mentioned).