Video Screencast Help

PGP Encryption paused at 0.0%

Created: 01 Jan 2013 • Updated: 06 Feb 2013 | 28 comments
This issue has been solved. See solution.

Hi,

In my company for security purposes PGP Encryption is mandatory. Allthough this puts down the laptop (boot time is around 40 minutes for a 2Ghz Core2Duo) not to mention how it works in general. In order to solve this I decided to deploy the windows on a SSD. After installing everything I had to install I was amazed with the performance of the pc. Ok, this is fantastic.
Now let's start and encrypt this beautiful rage fast disk.
Well here comes trouble: after pausing the encryption I rebooted the pc.
Guess what?
Encryption is paused at 0.0%, no matter what I am trying.

The scenario is like this:
Laptop: Lenovo T61
SSD: 120GB SSD (samsung)
OS: Windows XP
PGP Version: 10.2.1 [Build 4869](PGP SDK 4.2.1)

Sata mode: Compatibility (from bios settings)
2 Partitions (checked and alligned)

I have looked after solutions, stop/started encryption, uninstall/install this pgp crap, chkdsk on all partitions, and nothing.
The latest version I can use is 10.2.1 [Build 4869](PGP SDK 4.2.1) that comes through company installing system so advice to install another. version will be useless.

Any solutions, please?

Discussion Filed Under:

Comments 28 CommentsJump to latest comment

Tom Mc's picture

I'm shocked at your 40 minute boot times - would be very interesting to know what is causing this very unexpected delay.  I believe I recall this sometimes happening in the past with older PGP versions using SSDs.

Please clarify how you know encryption is paused.  If it is just the report of 0.0%, please be aware that sometimes although encryption is progressing, the machine will not be reporting updates to what is reported as encrypted.  If this might be your situation, you can assess this with the command line usage described in this Knowledge Base Article.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.

Search the Knowledge Base &

smokers's picture

Hi Tom,

The 40 minutes boot time is on traditional laptop hdd, Hitachi, i quess. There is a custom windows installed on the laptop, provided by the company. Without PGP it boots in around 23 minutes.With pgp arrives at 34 to 40 minutes.

On SSD it usually boots in around 1 minute (without PGP encryption).

 Now, to clarify the status os encryption, I also used the command line status instruction to see if the quantity of sectors changes and id doesn't change.

 

I will try what's in the KB article.

smokers's picture

Finally a gave up. It seems that for combination XP+SSD the PGP solution is a total crap. I have lost too many days figuring whats wrong, if there is something wrong. I returned to my old hdd.

However I really don't understand why "pgpserv.exe" keeps on accessing hdd all the time. I have a small utility that shows "What's my computer doing" and among the top software that is requires either hdd access either processor resources symantec software is at the top :)) slowing down the computer.

Alex_CST's picture

Seriously, 23 minute boot times??  What the hecklington is going on with that laptop, no laptop this side of the 1980's should take that long to boot.  What are the specs?  The pgpserv.exe is the beating heart of the encryption, it will be accessing your hard drive all the time, that's what it's there for.  All encryption software slows down a machine to some degree, even SSDs (although you wont tell if its SSD'd)

Going back to the SSD, what was your output on the commandline commands stated above?  Were you getting different highwatermarks every now and then?

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

vaibhav_jain1's picture

Delay in boot time doesnt look like a PGP issue.Its what softwares your company has installed on your custom image. 40 minutes is really shocking!!

To solve your 'Encryption stuck at 0.0% issue', do the following:

1.Use a Disk sector editor like Disk Probe or Win Hex.

2.Open the software on your machine and read the Sector 1 of your 'Physical Disk'. It should contain an entry called "EFI PART".

3.Assuming you are running in BIOS Mode and not UEFI, you can safely erase the complete signature using the same tools and you should be good to go.

4.Restart your macine.Encryption will start.

This is a know issue that we have fixed already.I'm not sure which release it's on.

Let me know if you see anything different on Sector 1.

Lebron's picture

I've been having the same problems and have tried all of the solutions regarding the 0.0% issue. Vaibhav, since you are suggesting we erase the signature under the EFI PART using a disk sector editor, do you mean erase the entire line?

Thanks.

vaibhav_jain1's picture

Yes, the entire line.. and probably the next 2-3 lines after this one.. I dont remember properly but they to0 constitue the signature.

Please make sure to take a backup of your system before making any changes.

vaibhav_jain1's picture

Please mark this as Solved if my suggestion fixed your problem

Lebron's picture

I just backed up my system and also tried an SSD for the PGP 0% issue. Luckily IBM granted me a 45 day extension on this matter, could you give a more detailed description regarding the HEX method. You mentioned "probably the next two lines," just looking for some clearity. I can't upgrade to the newest version and not looking to do another reformat. Thanks for your help.

 

vaibhav_jain1's picture

Hello Lebron,

I havent seen this for quite soem time and therefore I cannot give you the screenshots or more detailed description.

You have to clear the line that you have mentioned in the comment above. And also the 2-3 lines after that line which is the complete EFI signature.

Normally there would only be zero sectors after these 2-3 lines and thats how you recognize where to stop.

Take a complete system backuo before trying this because so that even if you mess up, you'll have a backup copy to revert to.

Just clear those lines in sector 1 and restart the machine. Encryption will start.

 

 

Lebron's picture

Hi Vaibhav,

I have performed the steps aboved and after I restarted my machine, the PGP encryption did not start on my SSD (image below). I'm out of ideas and have tried everything recommended. Why can't Symantec pinpoint this issue effectively? I noticed there's a new thread for new version 10.3 with the same 0.0% issue ( https://www-secure.symantec.com/connect/forums/symantec-encryption-desktop-103-hdd-encrytion-help ). I pulled up another thread in which you wrote, "encryption pausing at 0.0%, UI Issues like 'Resume button greyed out', 'incorrect encryption progress', 'unknown bus' are known issues and targeted for future releases." Everything on my computer runs fine, like my IBM business applications. I've ran through the PGP best practices documents, checked out the other 5 threads on the 0.0% issue, ran PGP commands via dos (stop, resume, decrypt, secure, status) checked the bios for to ensure legacy mode was running for boot, made sure I'm on AC power, made sure CompuTrace is in bios mode, did the HEX method, checked the firewall and ran disk checks that returned no errors. Is there a command to force the encryption? registry options? Is Symantec Endpoint Protection blocking the process? I have 40 days left to fix this issue with the PGP or I will have to reformat (the easy way out) on my Lenovo Thinkpad T420 (the user in the 10.3 thread is also running a Lenovo). I'm sure there are others tracking this thread. Thanks for your time on this topic and I look forward to your response. 

vaibhav_jain1's picture

Can you double check if the EFI signature really got deleted.When I used to do it,sometimes my Hex editor kind of fooled me into thinking that it had overwritten the sectors, when it had not.

If EFI signature is gone, then try the following methods.I believe they should definately solve your issue.

1.On PGP Command line: (Also please post output of each command here)

pgpwde --disk 0 --status

pgpwde --disk 0 --decrypt -p<password>

try restarting you machine now and triggering encryption again.

2.pgpwde --disk 0 --decrypt -p<password>

After disk is un-instrumented, uninstall and then reinstall PGP DT. (I assume you have access to the UN Server and you'll be able to enroll).

Try encrypting now, see what happens

Lebron's picture

Hi Vaibhav,

Regarding your first comment, the EFI signature (section 1) I can confirm is deleted with my Hex editor, all the way to the 00 sectors as you noted.

Step 1 (Requested output):

I'll report back after the startup.

Lebron's picture

Hi Vaibhav,

Problem solved!

I was finally able to get the encryption started after being unable to resume from the 0.0% mark. Below are the steps I took:

1. Refer to the Symantec best practices guide for PGP Desktop (running on AC, legacy mode in bios, make sure CompuTrace is in bios mode not mbr (if it's on your system), create Windows firewall exceptions for all of the PGP services running in task manager (not sure if this helped), run CHKDSK /r, run scandisk and also the hdd drive can't use GPT partioning methods.

2.If none of the methods below worked for you in DOS (navigate to the PGP directory) then proceed to step 3:

pgpwde --stop --disk 0 -p "passphrase here

pgpwde --decrypt --disk 0 - p "passphrase here"

pgpwde --secure --disk 0 -p "passphrase here"

3.You will need a hex editor (I used Hxd Hex Editor) for this part. Backup your entire HDD before you make any edits! Close PGP and open up the editor and select your HDD under Physical disks. Once it populated search for "EFI Part" in only section 1! Wipe out "all" of section 1 (where EFI PART is located) and replace everything with 0s.

4.Hit Save then Restart the computer

5. Open up command prompt and navigate to the PGP directory then run the following command:

pgpwde --disk 0 --decrypt -p password   

Once it successfully finishes the process, restart the computer.

6. Once you arrive back on the desktop, the  PGP lock will still be in the tray. Click on it and exit out of all PGP services.

7. (This part may differ if you have the standalone version, I'm using the corporate version) The next thing we need is for the PGP universal server setup to pop up once we open up PGP again. We need to first go to Start then Run, in the box type %appdata%\pgp corporation then delete the PGP folder. Next head over to your Documents or My Documents folder and delete the 2 keys in the PGP folder (pubring & secring).

8.Launch the PGP Tray executable, after a few seconds the login box should pop up (enter your credentials) with another setup, hit the bubble I am a new user then fill in your Windows password. Once that is finished, the whole disk encryption icon should AUTOMATICALLY spin-up by the clock (If that didn't work for you,I don't know what else will. This procedure took me over a week to figure out and I hope this adds value for someone else out there).

9. The final result:

I finally passed the IBM PGP requirement for HDDs.

Thanks,

-Antoine S.

SOLUTION
vaibhav_jain1's picture

Thats great!!

Please mark this thread as the solution so that others facing the same problem  do not haave tro wait to find the answer.

Thanks for being patient

samstgt's picture

Thanks for sharing your solution.

Following your instructions also solved the problem of the paused encryption at 0.0% for me.

Alex_CST's picture

For the benefit of the people requiring, 10.3 has just been released so it's well worth upgrading as 10.3 has a lot of changes/fixes - you can get the upgraded version from fileconnect.symantec.com.  If you dont see the option to download 10.3 you will need to contact customer care to get a new serial and license key, which i had to do for a few of my customers as there's a delay between the release.

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

JK_PGP's picture

@Alex...The version 10.3 is not the fix for this issue, i have already installed 10.3 and still having the same issue . the disk is still showing 0.0% complete since last 3 days...

Alex_CST's picture

Indeed it does appear that 10.3 has not resolved the issue for everyone, I've come across 10.3 fixing and not fixing this issue... :(

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

PGP_Ben's picture

I noticed in the screenshot for Lebrons last comment it shows "Unknown Bus" next to the SSD. This could be a problem with the storage controller driver not being recognized correctly. I would try updating the AHCI storage driver. I would also check and see what partioning method diskpart lists the drive as. To do so run these commands in a command prompt and post a screeenshot:

diskpart

DISKPART> list disk

DISKPART> select disk 0 (or disk number that shows the correct drive size) - take note if it has a star in the GPT column here

DISKPART> list volume (look for the one that shows as the C: boot drive volume)

DISKPART> select volume 0 (selecting volume that C: boot is on)

DISKPART> detail volume

When running these commands. Take note if any of them show a (*) under the GPT column. We are not compatible with GPT partioning methods yet (as is used in EFI boot also).  We will have support for that when we release full Windows 8 support with our next Symantec Encryption Desktop version 10.3.1 coming out sometime in Q2CY2013.

 

 

 

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

Lebron's picture

Hi Ben,

Thanks for the reply. The "unknown bus" issue was discussed in another thread, I am running the latest storage controller driver for the t420 for Windows 7 (64-bit) pulled from http://support.lenovo.com/en_US/research/hints-or-tips/detail.page?LegacyDocID=MIGR-77167 .I ran the diskpart commands and below is a screenshot, thanks.

JK_PGP's picture

HI labron...you are right as i can see that the symantec is not taking the issues seriously. I am using the latest version of PGP 10.3 and try to encrypt the HDD , but the HDD freze on 0.0% completion. I am able to encrypt the USB HDD on the same machine with the same version successfully. but not the internal HDD.

 

I think the symantec has to be took this matter seriously.

 

PGP_Ben's picture

Hi JK_PGP. just a little side note. This is actually not an easily reproducible case, as it may seem inside your environment. There could possibly be some environment related variables that are coming into play here. If you want to PM me on the forum (Click my name and click the button that says Send message" maybe we can exchange details and possibly find what it is about your environment that you guys may be seeing this issue more.

It's difficult for us to fix a problem. That we don't have in front of us :)

Ben

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

Sebi's picture

Hi,

I have the same problem... New laptop (Fujitsu H720, in DELL is OK) installed with w7 x64, PGP 10.2.0:

Encryption is paused at 0.0%

If i restart bootguard appear but when i go to PGP Desktop it continue in 0.0%

I have reinstall the w7 2 times (i thought that could be "AHCI" on bios.. i changed to IDE)

Any solution? :S

Lebron's picture

The solution under my name above might help, my SDD is using AHCI in bios as well.

Sebi's picture

Hi thanks, but I tested using AHCI in bios with the same problem... I don´t know what to do

Route66rider's picture

I am tasked with the install of this on possibly several hundred standalone laptops using a corporate version (10.2.1 build 4461) for our installs and am having the same issues where it halts at 0% on the second hard drive. From what I gather here, it appears that upgrading to version 10.3 does not solve the issue I have which leaves me at a holding point for this particular install.

The systems we are having the issues with are dual HD Dell 6640 laptops with WIN7 32 bit. 

 

vaibhav_jain1's picture

@router66Rider- I would very highly recommend using out latest release 10.3 since it had a large number of bug fixes.

And since you mention that you're using dual HD laptops, that makes it absolutely necessay in my opinion for you to use 10.3. There were some dual HD fixes and some more related corner cases fixed in 10.3.

Regarding the encryption paused issue. Please read mine and lebron's comments above.They should solve your problem.

Hopefully our soon to be released next MP will also contain a fix for your issue.So again, Please try to use 10.3 for your deployment.

Thanks