
PGP Reset Passphrase from Management Console?

Created: 26 Oct 2011 • Updated: 26 Oct 2011 | 8 comments
This issue has been solved. See solution.

Is there any way to reset a user's passphrase from the management console in the event they don't know it? I know there is an option there to create a passphrase, but whatever I put there never works for the account I do it for.

8 Comments

Tom Mc:

These Knowledge Base Articles may be helpful:

http://www.symantec.com/docs/TECH149900

http://www.symantec.com/docs/TECH149199

When you consider your issue resolved, please click Mark As Solution on the most helpful response.


Velocity2089:

The second article was helpful but requires you to use the WDRT. Isn't that token a one-time thing for a PC?

Also, with the first article, it seems to only work for users who are external to the domain, but in my case all users are on my domain.

Tom Mc:

Yes, the WDRT is a one-time use. However, when the user uses it to access the machine and sets a new passphrase, a new WDRT is created.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.


Velocity2089:

Now what if it's a user that knows their password, they can access the laptop without any problems, but forgot their passphrase and would like to reset it so that they know it for the future in case they need it? I know that PGP Desktop gives you the option to Change Passphrase, but it prompts you for the previous passphrase before changing it.

My goal with this is to try and find the best way to encrypt a laptop before the user receives it so that they can just login, set up their password, passphrase, and security questions, and be on their way. But if I were to set all of these up ahead of time for the user, I want to know that they can change all 3 on their own to whatever they want them to be. 

Tom Mc:

This is from the PGP Desktop User's Guide:

If You Forgot Your Passphrase
If you forgot your passphrase, and if your system is configured for it, you can bypass PGP BootGuard by answering three out of five security questions correctly. You create and answer the five security questions. This is similar to recovering your key if you lost the key or forgot the passphrase for the key.
Note: If you are using PGP Desktop in a PGP Universal Server-managed environment, your PGP Universal Server administrator may have disabled the option for local self recovery. Your administrator may also have specified that local self recovery be configured during enrollment. In this case, you are prompted to enter the security questions as you set up PGP Desktop.
To create your security questions
1. Using PGP Desktop, encrypt your internal drive. You can use either a Passphrase user or a Windows SSO user.
2. Right-click the user's name in PGP Desktop and select Add Security Questions.
Note: You cannot create security questions for the WDE-Admin user or the ADK.
3. Create and answer the five security questions. The user's name is displayed with LSR to the right (and a tool tip), to indicate that "local self recovery" has been configured for the user.
To recover your passphrase at PGP BootGuard
1. At the PGP BootGuard screen, use the arrow keys to select Forgot Passphrase and press Enter.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.

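The user's guide excerpt above says recovery works by answering any three of the five enrolled questions, which is a threshold scheme: the disk key has to be reconstructable from any 3 shares but not from 2. The following is an added, constructed illustration of how such a "3 of 5" recovery can be built (Shamir secret sharing over a prime field, each share wrapped under a key derived from the normalized answer). It is not PGP's own LSR implementation, whose internals the thread does not describe; the questions, answers, field prime and KDF parameters are all assumptions chosen for the example. It does show the security-relevant consequence the administrator note hints at: once LSR is enrolled, the effective passphrase strength is bounded by the guessability of the three easiest answers.

```python
"""Constructed 3-of-5 security-question recovery (illustration, not PGP's code)."""
import hashlib
import itertools
import os
import secrets

P = 2**255 - 19          # prime field; a 16-byte disk key is far below it
THRESHOLD = 3            # any three correct answers recover the key
SHARE_BYTES = 32
KDF_ITERS = 50_000

# Constructed sample questions/answers for the demo (not from the page).
QUESTIONS = [
    ("first pet", "Fluffy"),
    ("city of birth", "Lisbon"),
    ("first car", "Saab 900"),
    ("favourite teacher", "Ms Ortiz"),
    ("childhood street", "Elm St"),
]


def _normalize(answer: str) -> str:
    """Case- and whitespace-insensitive so 'Fluffy ' and 'fluffy' match."""
    return " ".join(answer.lower().split())


def _eval_poly(coeffs, x):
    """Horner evaluation of the sharing polynomial mod P; coeffs[0] is the secret."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def _lagrange_at_zero(points):
    """Recover the constant term from THRESHOLD (x, y) points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def _answer_pad(question, answer, salt):
    """Per-answer wrapping pad; a wrong answer yields an unrelated pad."""
    material = (question + "\0" + _normalize(answer)).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, KDF_ITERS, dklen=SHARE_BYTES)


def enroll(disk_key: bytes, qa):
    """Split disk_key into 5 shares and wrap share i under answer i."""
    assert len(disk_key) == 16 and len(qa) == 5
    secret = int.from_bytes(disk_key, "big")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(THRESHOLD - 1)]
    salt = os.urandom(16)
    wrapped = []
    for x, (q, a) in enumerate(qa, start=1):
        share = _eval_poly(coeffs, x).to_bytes(SHARE_BYTES, "big")
        pad = _answer_pad(q, a, salt)
        wrapped.append((q, bytes(s ^ p for s, p in zip(share, pad))))
    # The commitment lets recovery tell a correct reconstruction from garbage.
    return {"salt": salt, "wrapped": wrapped, "check": hashlib.sha256(disk_key).digest()}


def recover(record, answers):
    """Return the disk key if at least THRESHOLD supplied answers are right, else None."""
    points = []
    for x, (q, w) in enumerate(record["wrapped"], start=1):
        if q in answers:
            pad = _answer_pad(q, answers[q], record["salt"])
            points.append((x, int.from_bytes(bytes(s ^ p for s, p in zip(w, pad)), "big")))
    # Wrong answers give garbage shares, so try every THRESHOLD-subset.
    for subset in itertools.combinations(points, THRESHOLD):
        candidate = _lagrange_at_zero(subset).to_bytes(16, "big", signed=False) \
            if _lagrange_at_zero(subset) < 2**128 else None
        if candidate and hashlib.sha256(candidate).digest() == record["check"]:
            return candidate
    return None


if __name__ == "__main__":
    key = os.urandom(16)
    rec = enroll(key, QUESTIONS)
    partial = {"first pet": "fluffy", "city of birth": "LISBON ", "first car": "saab 900",
               "favourite teacher": "wrong", "childhood street": "wrong"}
    print("3 of 5 correct recovers key:", recover(rec, partial) == key)
    print("2 of 5 correct recovers key:", recover(rec, dict(list(partial.items())[:2])) == key)
```

Two points follow from the construction. Any three correct answers suffice, so the recovery path's strength is the combined entropy of the three weakest answers, which is why a managed deployment might disable LSR or enforce it only at enrollment where the answer policy can be controlled. And because the shares are stored on the disk alongside the encrypted volume, an offline attacker who can guess answers can try them without touching BootGuard; the KDF iteration count is the only brake on that.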

Velocity2089:

It doesn't sound as though there really is any recovery for it other than through the questions, assuming I'm understanding it correctly.

SOLUTION
Tom Mc:

Your understanding appears correct.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.


Sarah Mays:

You might want to look at using SKM (server key mode) for these users; then you wouldn't have to worry about users forgetting their PGP key passphrase.

It's a much simpler implementation and less confusing for the end user if they only need to remember one passphrase. Also, when a user has multiple machines, it can be difficult to get their key password updated on all computers.

I use GKM currently because there were limitations pre-3.0 Universal Server that didn't allow SKM keys to be used for PGP NetShare. I have my users automatically create recovery questions for their keys; it somewhat helps when someone forgets their passphrase.