File Share Encryption

  • 1.  Unmanaged WDE to Managed WDE (without decryption)

    Posted Mar 06, 2013 08:38 AM


    Hi all. 
     
    I'd appreciate any ideas on the following scenario.
     
    I'm dealing with some unmanaged encrypted disks, however now we're moving to a managed environment. The thing is that it'd be really good (in terms of time) to find a way to turn those unmanaged encrypted disks into managed encrypted disks without decryption.
     
    I've done some tests and deployed the policies created in the Encryption server onto the unmanaged disks; we didn't decrypt the disks (to save a lot of time). The policy establishes deployment of SKM + ADK + disk admin passphrase + SSO integration. The unmanaged disks have their own admin and user. Therefore, after installing the agent generated from the EncServer (without uninstalling the previous one) we can see in the Encryption Desktop all of these users, "old" and "new". BUT the problem is that we cannot manually delete the old users, we cannot manually add new users and, worst of all, we cannot decrypt the disk with any user, old or new.
     
    I'm thinking as well that the policy from the Encryption server says to encrypt the Windows partition, whereas the unmanaged deployment said to encrypt the whole disk; this might cause some "conflicts".
     
    Any thoughts?
     
    Any help would be very appreciated.
     
    Cheers.


  • 2.  RE: Unmanaged WDE to Managed WDE (without decryption)

    Posted Mar 14, 2013 01:26 PM

    Try changing the PGP Stamp: in the Registry, set PGPSTAMP to ovid=<IP Add of PGP UN>

    This should make the clients managed.

    The WDE Admin passphrase will be updated, and you should be able to add and delete users.

    Let us know what happens.


  • 3.  RE: Unmanaged WDE to Managed WDE (without decryption)
    Best Answer

    Posted Mar 15, 2013 12:03 PM

    You can move unmanaged clients to managed clients without decryption.

    Please refer to this article: http://www.symantec.com/docs/HOWTO79579

    The users that can be added must be members of your AD.

    When you attempt to delete a user in PGP Desktop, you'll be prompted for a password. Enter the enrolled user's password; it should work.

    ADK can be used to decrypt the disks or files that were encrypted after the ADK was created.

    The disk admin or WDE admin passphrase is only used to decrypt the whole disk, not files, and can be used to log on at the BootGuard screen.

    In your case, in order to serve the purpose of the ADK & disk admin passphrase, you must decrypt all the disks & encrypt them again once they become managed devices.