
PGP WDE - Allow users to decrypt?

Created: 03 Feb 2012 • Updated: 05 Feb 2012 | 7 comments
This issue has been solved. See solution.

Hey Guys -

With respect to managing the PGP Universal Server, is it recommended practice to enable 'allow users to decrypt', or would that pose a security risk? On the one hand, we have 'allow users to decrypt' disabled on our primary policy. We have another policy that allows decryption. It's become frustrating to have to change policies for an encrypted workstation when it's in BSOD or simply malfunctioning.

On the other hand, it seems risky to allow decryption, in case the laptop is ever stolen or lost.

Any thoughts?


Tom Mc:

I don't see how allowing the user to decrypt would have any negative impact on a stolen laptop if it is encrypted. It seems the problem would be that if the user is allowed to decrypt, some people may wind up carrying around decrypted computers.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.


DTekk:

Thanks Tom. You're always helpful. I thought the same thing, as the thief would need to bypass the whole disk encryption / BootGuard before being able to decrypt. Additionally, a passphrase is required for decryption. I posted the question in hopes that I may have missed an angle by allowing the decryption. Is it common for organizations to allow decrypting though? Also, since the problem we're running into is when the laptop is in a BSOD state, is there an easier way to allow decryption on the fly? Thanks as always.

Tom Mc:

I don't know how common allowed decryption is. My only experience is with PGP Corporation, which left me able to do anything, and now Symantec, which controls everything at the server level so that I'm not even able to access PGP Options.

If you can't boot and access PGP Desktop for the decryption, your options are pretty limited. You have the option of using the WDRT for booting, but I don't know if there is a way to somehow use this for decryption if you can't boot. You can decrypt by attaching the disk to another machine with PGP installed, or by using the WDE Recovery CD.


DTekk:

Are you Symantec/PGP staff or just volunteering your knowledge?

Our main issue at the moment is when a drive goes into BSOD. We have to spend almost 6 hours decrypting by putting the drive in as a slave. Then of course, it never accepts the password, so I have to run the commands.

Would the WDE Recovery CD help this case or is it limited to what sort of BSOD it is?

Tom Mc:

I have contractual status with Symantec.

If using a recent version of PGP, it is possible that booting from the WDE Recovery CD might resolve booting problems. Negatives of using the Recovery CD include that the decryption must not be stopped until it completes, and that it uses slow 16-bit processing.


SOLUTION
mwoj:

Rather than using the Recovery CD (which is a 16-bit mini Linux), you can create your own customized Windows PE disc (include the PGP WDE driver and cmdline) using this article: http://www.symantec.com/docs/HOWTO64225

The benefit is that you can put all your rescue tools on the PE disc as well, in order to fix the configuration while the drive is still encrypted.

Or if you need to decrypt it, it will run much faster with the PE disc, since it is 32-bit.
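As an added example that is not part of this thread or of Symantec's KB article: a batch script for the customized Windows PE disc mwoj describes, which walks an administrator through the offline decryption DTekk is doing by hand. It assumes the PGP WDE driver is loaded in the PE image and that pgpwde.exe from the PGP command line is on the PE disc's PATH, as the article has you set up. The options used (--enum, --status, --decrypt, --disk, --passphrase) are the PGP WDE command-line options as documented by Symantec for PGP Desktop; confirm them against `pgpwde --help` for the version on your disc, and read the disk number off the --enum output rather than assuming 0. The passphrase is prompted for rather than stored on the disc, because a rescue disc that carries a passphrase defeats the point of the policy discussed above.

```batch
@echo off
rem Added example for a custom WinPE rescue disc (not from the thread or the KB article).
rem Assumptions: PGP WDE driver loaded, pgpwde.exe on PATH, encrypted disk attached locally.
setlocal

rem 1. Enumerate the disks PGP WDE can see; the encrypted system disk is the one
rem    reported as WDE-encrypted. Do not guess the number, read it from this output.
pgpwde --enum
if errorlevel 1 (
    echo pgpwde could not enumerate disks. Is the PGP WDE driver loaded in this PE image?
    exit /b 1
)
set /p DISK=Enter the disk number of the encrypted drive listed above: 

rem 2. Show the current WDE state (encrypted, percent done) before touching anything.
pgpwde --status --disk %DISK%
if errorlevel 1 (
    echo pgpwde cannot read disk %DISK%. Check the disk number.
    exit /b 1
)

rem 3. The WDE user passphrase is still required even when the policy allows decryption,
rem    which is why a stolen, still-encrypted laptop is not exposed by that policy setting.
rem    Prompt for it here; never bake it into the disc image.
set /p PASS=Enter the WDE passphrase for disk %DISK%: 

rem 4. Start the in-place decryption. As with the Recovery CD, it must be allowed to run
rem    to completion; do not power off the machine until --status reports the disk decrypted.
pgpwde --decrypt --disk %DISK% --passphrase "%PASS%"
set RC=%errorlevel%
set PASS=
if not %RC%==0 (
    echo Decryption did not start (exit code %RC%). The passphrase may be wrong,
    echo or the disk may need repairing with the PGP tools on this disc first.
    exit /b %RC%
)

rem 5. Re-run this status check until it shows the disk fully decrypted.
pgpwde --status --disk %DISK%
endlocal
```

The script clears the passphrase variable immediately after use, but `set /p` still echoes it on the console, so run it from a closed console and reboot the PE environment when finished; the 32-bit PE decryption mwoj mentions is faster than the Recovery CD, but the "do not interrupt" caveat from Tom Mc's post applies to it just the same.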