
PGP Universal Server 3.2.1: Possible to export a list of all recovery tokens?

Created: 14 Aug 2013 • Updated: 14 Aug 2013 | 3 comments
powellbc

Is it possible to export a full list of all recovery tokens? We are migrating from PGP and wanted to know if this is possible so the server could be decommissioned. I was brought in late and have little working knowledge of the product, so I apologize if this is a basic question.


powellbc

Thanks for the link!

What is the difference between a key and a recovery token? The token is single use and the key is permanent?

dfinkelstein

A user's key is the public/private keypair that exists for that user (typically created when the user enrolls).

The recovery token is the special WDRT that can be used to boot the computer, should the user forget their passphrase (if you have configured an Admin Key then that key can also be used to boot the computer).

Dumping all the user keys is not the same thing as dumping the WDRTs. I don't think there is a way to actually do this, at least easily, since anytime the WDRT is "accessed" that access needs to be logged (you don't want an administrator to easily make off with all the WDRTs, as they could then access any encrypted laptop and there wouldn't be a good record of that happening).

If you have a lot of users (and hence a lot of WDRTs) and don't want to do it one-by-one through the UI, you could try contacting customer support and they might be able to help you get on-box and pull the data from the database.


David Finkelstein

Symantec R&D