Recovery of data after encrypted disk is crashed

Created: 04 Apr 2011 | 10 comments

Hello Friends,

Our organization was using PGP whole disk encryption and email encryption a year ago, but due to an incident where the disk on one of the laptops crashed and the team was unable to recover the data, they stopped using PGP. We (the Infosec team) would like to implement PGP again for compliance, but before proceeding with that we need to provide a solution for the challenge we faced earlier with data loss. We would appreciate it if you could tell us:

1) Is it possible to recover data from a crashed hard drive (with the encryption key being available)?
2) If yes, is there a documented procedure for recovering data from a crashed drive?
3) Can Symantec support help in recovering data?
4) If someone has faced such a challenge and had success recovering data, please share the steps to help us.

Appreciate your help on this in advance!

Thanks,
Prashant 

Tom Mc

PGP WDE is truly secure - you cannot access the data unless you can decrypt it via either normal use of the WDE encrypted disk, or actually decrypting the disk.  This Knowledge Base Article will help with recovery when the WDE bootloader is not working as expected.  I don't recall if this KBA also mentions that the disk can be connected via a USB connected casing to another computer with PGP installed.  Of course, use of WDE does not in any way negate the need for backing up valuable data. 

When you consider your issue resolved, please click Mark As Solution on the most helpful response.

Search the Knowledge Base &

prashant_yadav

Hi Tom,

Thank you for the quick response. I will try to reproduce the scenario in the lab and will see if I get some success in recovering data with the suggested steps.

Best Regards,

Prashant

twitter123

You might want to look at Truecrypt, it has excellent support for attaching a "crashed" hard drive to another computer running Truecrypt and doing a salvage of the crashed drive.  We do it all the time, so it's a proven solution.

 

Les

twitter123

Hi Tom,

I was wondering if you could give me a link to where we can use another laptop with PGP WDE installed to salvage data of a PGP WDE'ed drive.  We are looking at using PGP WDE as an alternative to Truecrypt.

 

Thanks for your assistance,

Les

twitter123

Hi Tom,

Sorry dude, I have another question. Is there a way to set up PGP WDE on another system (second copy) to log in and "look" at a hard drive that has PGP WDE installed on it? Our usual problem is, the user has dropped the laptop and the hard drive has sector errors, so a full decryption of the hard drive fails. We are looking for a way to "look" at the drive having it slaved to another system, without having to decrypt it. We have passwords, we just need a way in through slaving.

Thanks for your assistance,

Les

Tom Mc

You can always place the disk into another computer with PGP installed and attempt to access the data - I don't know the odds of this being successful.

If your concern is damage that causes bad sectors, you can also attempt recovery by using software such as SpinRite to take care of the bad sectors.  SpinRite tech support says that using SpinRite on an encrypted disk is not a problem.


twitter123

Hi Tom,

Thank you so much for your reply.  I am very happy that we can slave a failing PGP WDE drive to a good PGP WDE installed system. I do that all the time with Truecrypt and have kind of become an expert in recovering failing encrypted drives.

Question: when I do salvaging of Truecrypt drives and slave the bad drive to a good working system, then "mount" the failed drive and look at it, sometimes I cannot access the drive.  When that happens I use a program called "GetDataBack" which allows me to look at the logical drive and not the physical drive. I then can do a full recovery/salvage of the bad drive. It works extremely well and I have gotten back tonnes of data that resided on previously unbootable and unlookatable encrypted drives.

Do you think I could do the same thing with a failing PGP WDE drive, slaved to another system running PGP WDE ?  Is the slaved drive seen as a logical drive to the windows system ?  I have not used PGP WDE, which is why I am asking the question.

Thanks for your assistance,

Les

p.s. The most important key to salvaging encrypted drives I have seen in this is not to attempt to unencrypt the failing drive; instead just read it and copy off the important data. The drive has sector errors, so why try to unencrypt it, as I have found many times that process just fails due to the sector errors (at least that is my methodology).
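An added example, not part of any post in this thread: one way to apply the "read it, don't decrypt it in place" approach at the block level is to image the failing drive first, zero-filling unreadable sectors and recording where they are, then attempt mounting or decryption against the copy. It assumes each sector is encrypted independently, so a lost sector costs only that sector; the function names, the 512-byte sector size and the simulated faulty source are all hypothetical.

```python
import os

SECTOR = 512  # assumed logical sector size; confirm for the actual drive

def image_with_skips(read_at, total_size, out, chunk=64 * 1024):
    """Copy the source into `out`, zero-filling unreadable sectors so offsets
    in the image match the drive. Returns merged (offset, length) bad ranges."""
    bad, offset = [], 0
    while offset < total_size:
        length = min(chunk, total_size - offset)
        try:
            data = read_at(offset, length)
        except OSError:
            # Large read failed: retry this chunk one sector at a time.
            data = bytearray()
            for pos in range(offset, offset + length, SECTOR):
                n = min(SECTOR, offset + length - pos)
                try:
                    data += read_at(pos, n)
                except OSError:
                    data += bytes(n)  # placeholder keeps later offsets aligned
                    if bad and bad[-1][0] + bad[-1][1] == pos:
                        bad[-1] = (bad[-1][0], bad[-1][1] + n)  # extend range
                    else:
                        bad.append((pos, n))
        out.write(data)
        offset += length
    return bad

def device_reader(fd):
    """read_at for a raw device or image file opened read-only (POSIX)."""
    def read_at(offset, length):
        data = os.pread(fd, length, offset)
        if len(data) != length:
            raise OSError(5, "short read")
        return data
    return read_at

def make_faulty_source(payload, bad_sectors):
    """Constructed stand-in for a failing drive: errors on listed sectors."""
    def read_at(offset, length):
        first, last = offset // SECTOR, (offset + length - 1) // SECTOR
        if any(s in bad_sectors for s in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        return payload[offset:offset + length]
    return read_at
```

The returned bad ranges tell you which parts of the image are placeholders, so any file that overlaps them can be flagged as incomplete after recovery.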

Tom Mc

Les, before I forget to mention it, I just want to make sure you are aware that you can obtain the PGP Desktop software for a free 30 day trial - it will revert to the Freeware level of functioning after the 30 days. 

I think, but can't swear to it, that slaving a PGP encrypted drive would not show as a logical drive.  I'm not really up on TrueCrypt, but think it functions somewhat similarly to PGP's Virtual Disks; however, PGP's Whole Disk Encryption actually encrypts every sector (except that containing the PGP bootloader) of a disk/drive.  I'm not experienced with GetDataBack and would not be too optimistic about it in this situation.

The only time I personally had a PGP encrypted drive that failed and I was not able to recover from it (I did restore an image of it though) was back when PGP WDE was in beta.  In my other boot failures of WDE drives, use of the WDE Recovery CD was successful in decrypting the drive/disk and returning all to normal functioning.


vveera

Hi,

My hard drive crashed a week ago and it does not boot up. I tried several times to boot with no luck. I have another hard drive that is installed with PGP. I connected the crashed hard drive to the PGP installed system but it does not recognize the hard drive.

Then I installed the crashed hard drive in my computer and used the PGP disk recovery CD and booted the system with the CD. After a while I got the error message could not read and it did not proceed further.

I have some important data installed on the crashed hard drive. Please let me know how to retrieve data from the crashed hard drive.

Thanks for your help and assistance.

 

Veera

Tom Mc

Your concern would be more visible and likely to receive the attention it needs if you start a new topic for it.  I'm not optimistic about your situation both because it appears originally due to a disk failure that may not be repairable, and it sounds like the WDE Recovery CD began decryption and could not complete it (WDE Recovery CD decryption must not be stopped for any reason before it completes).  The only thing I can think of that might possibly help would be to try software such as SpinRite to try to identify and fix disk errors (their tech dept has previously advised me that it works even on an encrypted disk).
