File Share Encryption

  • 1.  Unable to recover data from faulty encrypted drive.

    Posted Jul 30, 2014 12:46 PM

    Hi,

    I'm using Symantec Encryption Desktop 10.3.0

    One day my laptop started to be very slow. I shut it down (it took 2.5hrs) - but it did shut down correctly.

    When I restarted it, I went through the bootguard prompt but after the Windows logo I would only end up in a black screen with mouse.

    I tried all possible options and techniques reliant on the "F8" functions - but nothing. Even safe mode could not be loaded.

    Further work to fix the OS could be done with some tools - however due to the WDE it is not possible to load them.

    So I started to find a way to decrypt the drive.

    As I was in a hurry I tried to decrypt it using the bootable recovery CD (yes, I used the exact version as shown in bootguard)

    After leaving the decrypt running for 15 hours - it was still at 99% (i.e. only 1% completed). Unfortunately much of the advice given in the forums by Symantec employees was simply incorrect and misleading - which made things worse. Telling that the process on a SATA disk would take 5-8 days is BULL.

    After 17 hours and no progress (I was waiting as, again, an employee in a post said that sometimes the % doesn't get updated, again, not sure if it's true in the slightest).

    I had no choice but to shut down the machine. Most likely a bad sector was stopping the decryption from proceeding. Considering that there are few and negligible bad sectors, if the Recovery CD is really incapable of identifying a bad sector and somehow "skipping it" .. then I'm a bit scared of continuing to use this tech in the future.

    FINALLY:

    I imaged a new hard drive with same OS, installed the same version of PGP -- it asked for the passphrase, however it doesn't really show the filesystem or data.

    The PGP console says that it's 100% encrypted and will just hang or "continue forever" to do nothing if you ask to decrypt.

    I have been trying to use data recovery tools (only from Windows *sigh*) to get something back - but it doesn't seem to come through.

    Considering that I check the drive - and the bad sectors are NOT the cause of the data loss, but clearly the effect of bad sectors on the encryption.

    MY QUESTION IS:

    - How do I decrypt the disk? It just doesn't decrypt it. See below some more info.

    C:\Program Files\PGP Corporation\PGP Desktop\WinPE>PGPwde.exe --status --disk 2

    I get an "integrity check failed (error= -11446)" in a popup

    Disk 2 is instrumented by bootguard.  Encryption removal process is running in the background.
      Current key is valid.
    Drive encrypted
      Total sectors: 625140400 lowwatermark: 3453 highwatermark: 625140398 reserved
    start sectors: 2
    Request sent to Disk status was successful

    - If there is a bad sector separating the initial part, let's say 1%, which is already decrypted, isn't there a way to "skip" some bad sectors and ask PGP to manually continue to decrypt the rest of the disk?

    In theory I could even identify the specific sectors which are bad.

    Thanks for any help I could get. Unfortunately the data I lost was very valuable and not backed up.



  • 2.  RE: Unable to recover data from faulty encrypted drive.

    Broadcom Employee
    Posted Jul 31, 2014 10:27 AM

    Hi nicowalk,

    From your post it looks like you only used a PGP Recovery Boot CD as the only method to get access to the disk in the first place when trying to decrypt.

    Not having a backup, PGP Recovery Boot CD should be the last resort method.
    You should first try to SLAVE the drive to another machine, trying to authenticate to the disk and recover data.

    Now with the image and the issue trying to decrypt the drive I would try to use the following pgpwde.exe command to know which users are added to the disk:

    pgpwde --list-users

    (using a user and passphrase to decrypt the drive or using WDE Admin passphrase if it was set up, depending on whether your SED was a managed or standalone client)

    Your disk is instrumented and has got a valid session key, and an important fact: "Encryption removal process is running in the background"

    Try to decrypt with the following command, relying on this KB for example: (most probably it will not work)

    PGP WDE Command-line Tool Guide
    http://www.symantec.com/docs/TECH204285

    pgpwde --decrypt --passphrase <passphrase> --disk 2

    then try:

    pgpwde --resume --disk 2 -p "your passphrase"

    to see if it's taking any effect resuming the decryption process running in the background

    Here is the KB: http://www.symantec.com/docs/TECH165872

    There is no chance to skip any bad sectors on an encrypted drive (during the decryption process, which is automated) and in general the FORMAT command should do this by marking the sectors as "not usable", allowing you to use PGP encryption software again. If it doesn't work then the "low level format" should be done in the first place before re-imaging, which is also a delicate operation. One of the tools for low-level format can be found here: http://download.cnet.com/HDD-Low-Level-Format-Tool/3000-2094_4-75544788.html

    My personal opinion is that any HDD which potentially has bad sectors, marked or not (causing any problems in the first place), SHOULD NOT be used with encryption at all. Sooner or later this will cause a problem.

    HTH
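
Added example, not part of either post and not Symantec code: the thread leaves open whether a decryption that shows no percentage change is still moving. This Python sketch parses two saved outputs of the `--status` command quoted in the first post and compares the watermark counters; the function names are hypothetical, and treating unchanged watermarks as "stalled" is an assumption, not documented tool behaviour.

```python
import re

# Status text exactly as quoted in the first post (pgpwde --status --disk 2).
STATUS_FROM_POST = """\
Disk 2 is instrumented by bootguard.  Encryption removal process is running in the background.
  Current key is valid.
Drive encrypted
  Total sectors: 625140400 lowwatermark: 3453 highwatermark: 625140398 reserved
start sectors: 2
Request sent to Disk status was successful
"""

FIELDS = {
    "total": r"Total sectors:\s*(\d+)",
    "low": r"lowwatermark:\s*(\d+)",
    "high": r"highwatermark:\s*(\d+)",
}


def parse_status(text):
    """Extract the sector counters from one saved --status output."""
    flat = " ".join(text.split())  # the quoted output wraps a long line; undo that
    snap = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, flat)
        if match is None:
            raise ValueError(f"{name!r} counter not found in status output")
        snap[name] = int(match.group(1))
    snap["removal_running"] = "Encryption removal process is running" in flat
    return snap


def compare(earlier, later):
    """Report how far each watermark moved between two snapshots."""
    moved = {k: later[k] - earlier[k] for k in ("low", "high")}
    # Assumption: removal flagged as running but no counter change = stalled.
    moved["stalled"] = later["removal_running"] and not (moved["low"] or moved["high"])
    return moved


if __name__ == "__main__":
    first = parse_status(STATUS_FROM_POST)
    # Constructed second snapshot: same text, so the watermarks have not moved.
    second = parse_status(STATUS_FROM_POST)
    print(first)
    print(compare(first, second))
```

Saving the status output to a file at intervals and comparing the snapshots gives evidence of progress that does not depend on the percentage display.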