
PGP WDE able to encrypt disk, but can not boot from it - must recover/decrypt

Created: 28 Apr 2013 | 15 comments

I just got a new custom built computer with an ASUS motherboard (P9X79) and installed windows 7 home premium on it.

Symantec Endpoint Encryption 10.3 mp1 installs ok and reported that it encrypted my drive (SATA SSD, 512 gb).

I was running the system after it reported it was 100% encrypted.

On rebooting, I just got an error as though there was no bootable disk. Could not boot from the drive. Maybe "No system disk", some error like that. I can't recall the exact error, but basically, BIOS was saying, there's nothing to boot from.

I decided to put in a second SSD and then installed windows and booted into that, and installed WDE into the new windows install. I figured I'd decrypt/access the drive through PGP in windows. However PGP in this new install didn't recognize the drive as being encrypted. When I double clicked on the drive in explorer, windows said "can't do anything with this drive, wanna format it?" (No)

Went into symantec interface, and it didn't recognize it either. Went into whole disk encryption and clicked on the drive and it didn't report it as being encrypted. It offered the choice of encrypting it, implying it did not realize it was already encrypted.

I then went into the command line interface and enum'd the disks. It thought the drive was not encrypted. pgpwde --enum, it reported the disk was there but didn't think it was encrypted.

I tried to force decrypt the drive with pgpwde --decrypt --disk 1 --interactive, it asked for password, then "admin password" whatever the heck that is, I typed passphrase two. Then failed with "insufficient resources".

Anyway last resort, burnt a recovery CD and booted into it. Lo and behold, it says found WDE, do I wanna decrypt? I decrypted... and now it works fine. At least the recovery disk was able to recognize that it was there, even though it could not be booted into, and PGP in a second windows install didn't recognize it.

Anyway the issue is, I want to encrypt the disk again... and actually be able to boot into it after I encrypt it. Any ideas on what's going on here?

Thanks

J


Tom Mc:

I initially found this confusing, but most of your post suggests that you are actually using Symantec Drive Encryption instead of Symantec Endpoint Encryption?

If you haven't already done so, please read the Release Notes to see if your system has any known conflict or needed configuration adjustment.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.


A system user:

Ok correct the product is currently called "Symantec Encryption Desktop". It's hard to keep track of the name changes, i.e. it was called PGP desktop encryption when I purchased it originally, etc. Now Symantec seems to be calling it "Symantec Encryption Desktop", true.

Read through the release notes, there isn't any indication in there that any part of my setup is incompatible.

Any suggestions?

Thanks


Alex_CST:

Can you tell us the brand and specific model number of that SSD?

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

A system user:

Same behavior on two SSDs, I tried it with another one as a test and same thing happened.


Here they are:

Corsair CSSD-F180GB2

Intel SSDSC2CW240A3


Thanks!

J

PGP_Ben:

I would check what your boot settings are configured for in this ASUS motherboard BIOS setup. If you are using UEFI/EFI boot mode instead of Legacy/MBR mode then this is not supported with the current release of Symantec Drive Encryption (aka PGP Desktop) and in most cases should prevent you from being able to encrypt the drive. I suppose it's possible it allowed you to encrypt the drive anyway and it shouldn't have. Is it also possible that you may have had GPT partition table support on the drive? This is also not supported until we have full UEFI Boot/Windows 8 support.

I am also curious to find out what version of windows you are running? The post has a keyword tagged of Windows 7. But, if it's Windows 8, we don't currently have support for Drive Encryption in 10.3.0 yet. Please subscribe to http://www.symantec.com/docs/TECH199095 if that is the case.

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

A system user:

It's windows 7 home premium on one drive and windows 7 professional on the other.


I will go through and look at all the BIOS settings to see if there's anything like you describe going on. Thanks.

A system user:

Ok I have checked BIOS and it does appear that this system is using UEFI to boot. I didn't realize that. I thought that was only available on Mac actually.

Ok so I will have to find a way to get it into MBR support mode.

Thanks for the help!

PS Yes, actually it did let me encrypt the disk without any warning that the system was incompatible.


PGP_Ben:

I am sorry to hear that the product caused this confusion. This is not normally expected behavior but we are doing a major overhaul of the Symantec Encryption Desktop (formerly PGP Desktop) software right now anyway. In an upcoming release we are planning for UEFI Native Boot support and also GPT partition support, as well as support for Windows 8. To find out when we will be compatible with UEFI boot please subscribe to the following feature request:

http://www.symantec.com/docs/TECH180744

I did notice this section:

There have also been cases where UEFI emulated BIOS do not work with PGP Whole Disk Encryption. This is caused by a bug in the BIOS and updating the BIOS may resolve the issue.

Maybe that explains why it let you encrypt it, if it's using a UEFI emulated BIOS? I would try updating the BIOS and see if that helps resolve it. If not, you will have to change the BIOS boot mode and clear the GPT partition table on the disk (reinstall Windows) then reconfigure the partition setup to use MBR partition support instead of GPT. For tips on how to do this, I would suggest an article like this one that I found online (of course this is not a Symantec site and so we cannot support this article):

http://www.sevenforums.com/tutorials/26203-convert...

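The advice above boils down to a pre-flight check: confirm the firmware is in Legacy/MBR mode and the disk is not GPT before letting whole-disk encryption touch the boot drive. The following is an added example (not Symantec code) that reads the first two sectors of a raw disk image, tells a GPT disk (protective 0xEE MBR entry or "EFI PART" header at LBA 1) from a plain MBR disk, and lists the thread's unsupported conditions; the `uefi_boot` flag and the sample images are constructed assumptions.

```python
import struct

SECTOR = 512
GPT_PROTECTIVE_TYPE = 0xEE      # type byte of the protective MBR entry on a GPT disk
GPT_SIGNATURE = b"EFI PART"     # first 8 bytes of the GPT header at LBA 1


def partition_scheme(image: bytes) -> str:
    """Classify a raw disk image as 'MBR', 'GPT' or 'no-boot-signature'."""
    if len(image) < 2 * SECTOR:
        raise ValueError("need at least the first two sectors of the disk")
    mbr = image[:SECTOR]
    if mbr[510:512] != b"\x55\xAA":           # legacy boot signature
        return "no-boot-signature"
    # four 16-byte partition entries start at offset 446; byte 4 is the type
    types = [mbr[446 + 16 * i + 4] for i in range(4)]
    has_gpt_header = image[SECTOR:SECTOR + 8] == GPT_SIGNATURE
    if GPT_PROTECTIVE_TYPE in types or has_gpt_header:
        return "GPT"
    return "MBR"


def wde_preflight(image: bytes, uefi_boot: bool) -> list:
    """Return the reasons, per the thread's unsupported list, not to encrypt the boot disk."""
    issues = []
    scheme = partition_scheme(image)
    if scheme == "GPT":
        issues.append("GPT partition table (unsupported; convert to MBR first)")
    elif scheme == "no-boot-signature":
        issues.append("sector 0 lacks the 0x55AA boot signature")
    if uefi_boot:
        issues.append("firmware in UEFI boot mode (only Legacy/MBR boot supported)")
    return issues


def sample_image(part_type: int, gpt_header: bool = False) -> bytes:
    """Constructed two-sector image with one partition entry of the given type."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", part_type, b"\0\0\0", 2048, 1 << 20)
    sector0 = b"\0" * 446 + entry + b"\0" * 48 + b"\x55\xAA"
    sector1 = (GPT_SIGNATURE if gpt_header else b"") .ljust(SECTOR, b"\0")
    return sector0 + sector1


if __name__ == "__main__":
    for name, img, uefi in (("NTFS/MBR legacy", sample_image(0x07), False),
                            ("GPT under UEFI", sample_image(0xEE, True), True)):
        print(name, "->", wde_preflight(img, uefi) or "ok to encrypt")
```

On a live Windows box the same check would read the first 1024 bytes of \\.\PhysicalDrive0 as Administrator and take the boot-mode flag from the firmware settings PGP_Ben points at.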

barclayb:

Yes, I am having exactly the same issues and I believe it is due to UEFI and/or GPT. I did try setting the P9x79 Asus Mobo to non-UEFI mode, converted the hard drives to MBR instead of GPT and tried again, and the same thing happened... the drive was encrypted without complaint, but then would not boot, saying "missing operating system". 

Here's my question now--not sure if I should post this here on in a new thread but we'll see if this gets an answer:

All I really need to do is be able the read/write an encrypted drive that was encrypted using PGP Desktop 10.2.1 -- that's the version that my employer distributes to us and i run it on my company computer. I want to be able to move my external hard drive between the two machines--the company computer running 10.2.1 and the home computer, which is the Asus I was talking about above. I DO NOT need to encrypt the boot drive on the Asus--they just hold the operating system and apps, no data. 

Is there something I can install (free or otherwise) that will enable that computer to read/write an already encrypted disk? Of course I have the passphrase--that's no problem. 

Right now I have 10.2.1 installed on the Asus and it shows that encryption of the boot drive is paused with 0.0% complete and everything is working, but I'm worried if somehow it were to resume encrypting the boot drive (which is two SSDs using GPT in RAID 0) it would corrupt them again. 

So basically I want to run some encryption software that does not encrypt the boot drive automatically, like the 10.2.1 version i get from my company does. 

My company might SOMEDAY upgrade to some new version you have that will handle all this, but what can I do until then?

Thanks!


Alex_CST:

You can ask the administrators of your company to change the policy.  Sounds like they have a Universal Server and a policy set to automatically encrypt the boot drive on install.  They can change the policy to not do this, then you will be able to use the version your company sends to you.

barclayb:

Hi Alex, and thanks. I understand. My company has hundreds of thousands of employees, and they are unlikely to change this policy. They also tell me they can't give me the updated version. Is there any other way around it? Right now, the machine asks for the WDE password for the boot drive (RAID 0 SSD w GPT) on boot up, but does not try to encrypt the disk (still showing encryption paused at 0.0% encrypted). It WILL read another attached encrypted USB drive. So everything is working. Am I safe with this set up? It seems to be working for now or is there some better option for what to install on this machine to just read attached data drives? I'm just worried if something were to cause it to try to encrypt the boot drive it would corrupt it again. 


Alex_CST:

PGP + RAID + GPT do not mix:

http://www.symantec.com/business/support/index?page=content&id=TECH149543

I think there's your problem as to why the boot partition isn't encrypting.


Unsupported Disk Types

  • Server hardware using software RAID.
  • Dynamic disks.
  • Diskettes and CD-RW/DVD-RWs.
  • Music devices and digital cameras.
  • Advanced Format Drives using 4k native sectors (512e compatible drives are supported in this mode)
  • GPT partitioned Windows drives (Drives over 2TB are partitioned GPT due to size limitation on NTFS partition)

barclayb:

Yep, understand that. I don't want the boot drive to be encrypted. I just want to read other encrypted drives. Without getting the admin to change the worldwide policy, is there anything else I can do, rather than just hope the program doesn't try to encrypt the boot drive again? The big problem, as I think Symantec knows based on other posts I've read, is that the program goes ahead and encrypts some drives even though they are unsupported, and then they won't boot. I've seen it do this with a RAID array, an SSD under UEFI, an SSD on a UEFI system set to not use UEFI and I think maybe a GPT drive (though I have seen it just fail to encrypt on a GPT drive also). It would be best if the software knew and didn't try to encrypt unsupported drives, but it does and then it won't boot. If this is fixed in a later version, can I somehow get this newer version, even though my company only supplies the older one? Or is there some way to tell the version I have NOT to encrypt the boot drive?


Alex_CST:

If the policy is set to automatically encrypt the boot partition, it's going to keep trying to do that, you can't override policy. I'm sure you're not the only end-user that has an unsupported drive - are you sure you can't make a change request? It takes like 5 minutes to create a new policy identical to yours with 1 change :(

barclayb:

Not a bad idea--I will give it a try, but I think they consider the encrypting of the boot drive as a security measure which is why they force it. 

Let me ask another way. If I have an encrypted USB external drive, and I need to take it to a client's computer, which does not have WDE or any other PGP software on it, and which does not connect to my employer's network of course, what can I install on the client's machine to read my disk? Of course I don't want to encrypt the client's boot drive just so I can read my disk. What can I install on the client's machine? I don't think I can just use the same version of WDE from my employer, because it won't be able to validate with the same network, right, and won't even run.