File Share Encryption

  • 1.  PGP WDE 10.2 disk failure recovery process

    Posted Aug 25, 2012 02:34 PM

    Hello,

    I had PGP WDE 10.2 installed on a laptop which had the SSD fail catastrophically (loaded with Windows 7 64-bit).  Fortunately (or so I thought) I had the system configured to take frequent backups (whole disk images) of the hard drive using Acronis True Image.  So at this point, I have a new disk in hand, I can restore the Acronis image to the new disk, I've used the PGP WDE 10.2 recovery boot disk to decrypt the disk image, but once this process (restore/boot or decrypt) is complete, I simply receive the error: "Missing operating system".  Booting to a Windows 7 64-bit DVD and loading Diskpart shows the boot partition to be unformatted (have a RAW file system rather than NTFS, when I actually used the NTFS file system to format the drive).  Loading a new installation of Windows 7, formatting the drive properly, and then repeating the above recovery process yields the same result.

    So my question is, what is the correct process to recover data from a PGP WDE 10.2 encrypted drive?  

    Best regards,
    -Jeremy



  • 2.  RE: PGP WDE 10.2 disk failure recovery process

    Posted Aug 26, 2012 08:57 AM

    Please take a look at this article



  • 3.  RE: PGP WDE 10.2 disk failure recovery process
    Best Answer

    Posted Aug 26, 2012 07:49 PM

    Thanks, Tom, but this doesn't help my current situation, only outlines an option for disk backup while using WDE.

    It appears I've discovered the correct procedure on my own, and in the process may have discovered a security hole in PGP WDE.  Here is the process that worked for me:
    1. Reformat the new disk drive using a Windows 7 boot DVD.
    2. Install Windows 7 to the newly formatted disk.
    3. Reboot to an Acronis boot disk.
    4. Locate the (whole disk) image you wish to restore.
    5. Restore only the Windows 7 OS partition (this should also be the largest partition) to the corresponding disk partition.  Select the "Reboot when complete" option once re-imaging begins.
    6. Once re-imaging is complete, your former Windows 7 installation should boot, with all applications installed, and no encryption applied to the disk.

    Does this seem to be a security issue?  I would have expected encryption to be applied to the operating system partition once imaging was complete & I rebooted the system.



  • 4.  RE: PGP WDE 10.2 disk failure recovery process

    Posted Aug 26, 2012 09:13 PM

    This Knowledge Base Article may also be of interest. 

    As you can see from this KBA, it is possible to have images with the data not being encrypted, as well as having the option of making images in which the data is encrypted.  If you choose to make an image in which the data is not encrypted, that is a choice you are making, and you should realize that doing so means that your image is not protected and that anyone being able to access the image will be able to access the data it contains.  This is not a weakness of whole disk encryption, which is securely protected if you either make an image with encrypted data or subsequently encrypt your image. 



  • 5.  RE: PGP WDE 10.2 disk failure recovery process

    Posted Aug 28, 2012 03:18 PM

    Correct, I agree with Tom Mc. To explain this in even simpler terms, it sounds like your OS image was taken from inside the live operating system. As such, the drive is already mounted and the operating system is decrypting the disk on the fly as you are accessing the data. By virtue of imaging the drive in this "live" environment, you are imaging an unencrypted copy of the drive. To image an encrypted copy of the drive, you would have to be doing a sector by sector copy of the disk using a live CD environment or USB recovery environment where you have not authenticated to the disk using BootGuard and accessing the PGPWDE drivers in Windows which bypasses the encryption mechanism (by allowing you to access the disk).

    I hope that makes sense. So in short, no security flaw. Because if someone has physical access to your machine and you leave it unlocked - it's in the same state there as well.  Simply put, if you want 100% protection and no way for someone to access your disk - including images made of your disk - you need to do so outside of the PGP WDE booted environment.



  • 6.  RE: PGP WDE 10.2 disk failure recovery process

    Posted Aug 28, 2012 03:22 PM

    Also, in regard to your original comments about not being able to access your encrypted disk image taken with Acronis: it sounds like the MBR from the original disk image (that was encrypted) was not restored onto disk after reloading the image on the drive. I would check the Acronis image creation settings to make sure that it's copying all MBR and partition data as well as the partitioned file systems. This may involve doing a "sector by sector" copy of the disk, sometimes referred to as a "raw disk image".  Most hard drive disk imaging (cloning) utilities today try first to just copy the file system and partition data, as this is often faster, but that doesn't work with PGPWDE encrypted volumes, where we store the BootGuard instrumentation data and the original Windows MBR data in the first few sectors of the disk.
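
A quick way to verify which kind of image you actually have, following the distinction drawn in the two replies above (an image taken from inside the booted OS contains plaintext; a sector-by-sector image taken without authenticating to BootGuard does not). This is an added example, not code from this thread or from Symantec/PGP: it reads a raw image, parses a standard MBR partition table, checks the first sector of each partition for an in-the-clear NTFS boot sector, and measures the byte entropy of the partition's first sectors. It assumes a generic MBR/NTFS layout and knows nothing about PGP WDE's own on-disk structures; the 7.5 bits/byte threshold and the two in-memory sample images are constructed for the demonstration.

```python
import hashlib
import math
import struct
from collections import Counter

SECTOR = 512
HIGH_ENTROPY = 7.5  # bits/byte; ciphertext and compressed data sit close to 8.0 (chosen threshold)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_mbr(image: bytes):
    """Return [(type, first_lba, sector_count), ...] for the used MBR entries,
    or None when the 0x55AA boot signature is absent (no usable MBR at all)."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        return None
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i: 462 + 16 * i]
        if entry[4] == 0:  # partition type 0 = unused slot
            continue
        first_lba, count = struct.unpack_from("<II", entry, 8)
        parts.append((entry[4], first_lba, count))
    return parts


def looks_like_ntfs(boot_sector: bytes) -> bool:
    """A readable NTFS volume carries the 'NTFS    ' OEM ID at offset 3 of its boot sector."""
    return boot_sector[3:11] == b"NTFS    " and boot_sector[510:512] == b"\x55\xaa"


def assess_image(image: bytes) -> dict:
    """Inspect the MBR and the first 8 KiB of every partition.
    verdict: 'plaintext' (a file system is readable with no passphrase),
    'opaque' (no known file system, high entropy), 'unknown', or 'no MBR signature'."""
    parts = parse_mbr(image)
    report = {"mbr_ok": parts is not None, "partitions": [], "verdict": "no MBR signature"}
    if parts is None:
        return report
    for ptype, lba, count in parts:
        start = lba * SECTOR
        sample = image[start:start + 16 * SECTOR]
        report["partitions"].append({
            "type": ptype, "first_lba": lba, "sectors": count,
            "ntfs_boot_sector": looks_like_ntfs(image[start:start + SECTOR]),
            "entropy": round(shannon_entropy(sample), 2),
        })
    if any(p["ntfs_boot_sector"] for p in report["partitions"]):
        report["verdict"] = "plaintext"
    elif report["partitions"] and all(p["entropy"] >= HIGH_ENTROPY for p in report["partitions"]):
        report["verdict"] = "opaque"
    else:
        report["verdict"] = "unknown"
    return report


def _noise(n: int, seed: bytes) -> bytes:
    """Deterministic pseudo-random filler standing in for ciphertext (constructed sample data)."""
    out = bytearray()
    for i in range((n + 31) // 32):
        out += hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
    return bytes(out[:n])


def build_sample_image(encrypted: bool) -> bytes:
    """Constructed test image: an MBR with one type-0x07 partition at LBA 2048, 64 sectors long.
    encrypted=False mimics an image taken from the mounted OS (NTFS in the clear);
    encrypted=True mimics a sector image of the same partition taken without authenticating."""
    part_lba, part_sectors = 2048, 64
    img = bytearray((part_lba + part_sectors) * SECTOR)
    img[446:454] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0])  # bootable flag, dummy CHS, type 0x07
    img[454:462] = struct.pack("<II", part_lba, part_sectors)
    img[510:512] = b"\x55\xaa"
    start = part_lba * SECTOR
    if encrypted:
        img[start:] = _noise(part_sectors * SECTOR, b"constructed-ciphertext")
    else:
        boot = bytearray(SECTOR)
        boot[0:3] = b"\xeb\x52\x90"  # NTFS boot sector jump instruction
        boot[3:11] = b"NTFS    "
        boot[510:512] = b"\x55\xaa"
        img[start:start + SECTOR] = boot
        body_len = (part_sectors - 1) * SECTOR
        filler = b"Quarterly report draft, not for distribution. "  # constructed file contents
        img[start + SECTOR:] = (filler * (body_len // len(filler) + 1))[:body_len]
    return bytes(img)


if __name__ == "__main__":
    for label, enc in (("image taken inside the booted OS", False), ("offline sector image", True)):
        r = assess_image(build_sample_image(enc))
        print(f"{label}: verdict={r['verdict']} partitions={r['partitions']}")
```

Run it against a real image with `assess_image(open("backup.img", "rb").read())` on a raw (sector-by-sector) file; a "plaintext" verdict means the backup can be read by anyone who obtains it and should itself be stored encrypted, as reply 4 advises. A GPT disk or a vendor container format (rather than a raw image) will report "no MBR signature" or "unknown" and needs a parser for that layout first.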



  • 7.  RE: PGP WDE 10.2 disk failure recovery process

    Posted Aug 28, 2012 04:16 PM

    Thanks for the KBA link and clarification.  It seems I've learned something new about the way PGP WDE works.  For my purposes, an unencrypted backup image is fine.  I was more concerned with the possibility of an outside attack not being required to enter the WDE passphrase, using the above process to create a whole disk image, restoring the disk image to a newly formatted disk, and thereby bypassing PGP WDE altogether.  Of course, based on what you're telling me, this doesn't seem possible.  I'll test it for my own peace of mind as soon as I get the time.

    Interestingly, this also seems to explain why I was unable to boot from the backup image when I initially restored it.  I was in fact using Acronis in "Whole Disk" imaging mode, but I was not performing a sector-by-sector backup.  So, I may have had an encrypted MBR, but unencrypted OS partition.  Or, I may have simply had the PGP bootloader installed to the MBR partition but the complete disk image (MBR, System Reserved, and OS partitions) was unencrypted.  I may or may not revise my backup procedure based on this information (in an effort to make the restored image bootable by default & save overall restoration time).  Thanks again.