
'WDE-ADMIN' group in PGP 3.3.0 MP1 (10.3.0 MP1 for client)

Created: 10 May 2013 | 9 comments
AskU wrote:

Hi all,

I'm managing a PGP Encryption Management Server with some PGP clients manually installed (Disk Encryption is enabled).

On one PC the disk encryption probably was not done correctly. This PC cannot decrypt its disk using the PGP client (if I open the client and press Decrypt, it asks for the user password and then says that the user I'm using, e.g. 'testuser01', has no rights to do that). Same problem if I try to decrypt using the Admin passphrase. So, no one can decrypt the disk.

I was thinking about using the WDE-ADMIN global security A.D. group. I have created it and put a new user inside (e.g. wdeadmn).

After that, since I log in at the PGP Bootguard with a normal domain user ('testuser01'), I launch the command (note that the password is the 'wdeadmn' one):

pgpwde --decrypt --disk 0 --admin-authorization --ap **********

it says: Error code -11500: bad passphrase.

Where is the problem?

Can anyone help me?

thanks


Alex_CST wrote:

Doing the WDE-ADMIN after the fact will be of no use, unfortunately: the machine is in a pre-boot scenario, so it cannot get any policy updates.

The only way will be through the WDRT which you will be able to do as you are in a managed scenario.

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

AskU wrote:

Hi, I am not in pre-boot.

I'm just logged in to the operating system. From there I cannot decrypt!

Alex_CST wrote:

Have you tried forcing a policy update?

Either way, the WDRT is still the best way to go. You first verify the WDRT of the user of the disk:

pgpwde --disk <Disk #> --verify-user --rt <Whole Disk Recovery token>

then:

pgpwde --disk <Disk #> --decrypt --rt <Whole Disk Recovery token>

example:

pgpwde --disk 2 --decrypt --rt 91J56-ZGYE1-25F06-HUT4V-CQUK2-YJE

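The two-step recovery sequence in the reply above (verify the recovery token for the disk first, decrypt only after it is accepted) is easy to get wrong by hand, and the "bad passphrase" error reported in this thread is exactly the failure the first step is meant to surface. The wrapper below is an added example written for this page, not code from the thread or from the PGP product. It assumes the flag spellings quoted in the reply (--disk, --verify-user, --decrypt, --rt) as written, which are not checked here against any particular client version, and it assumes a PGPWDE_BIN variable so the real binary or a test stub can be substituted. The token shape it checks is taken from the example token in the reply (five groups of five characters and one group of three).

```shell
#!/bin/sh
# Added example, not part of the original thread or the PGP client.
# Flags follow the reply above as written (assumption, not verified);
# PGPWDE_BIN may point at the real pgpwde or at a stub for testing.
PGPWDE_BIN="${PGPWDE_BIN:-pgpwde}"

# Sanity-check the token shape before touching the disk: five
# dash-separated groups of five alphanumerics plus a final group of
# three, as in the reply's example 91J56-ZGYE1-25F06-HUT4V-CQUK2-YJE.
# Catches typos and truncated copy/paste before pgpwde reports them
# as a generic bad-passphrase error.
validate_wdrt() {
  printf '%s\n' "$1" | grep -Eq '^([A-Z0-9]{5}-){5}[A-Z0-9]{3}$'
}

# Verify the recovery token against the disk first; only if the client
# accepts it is the decrypt started. A rejected token stops here with a
# pointer to the other cause seen in this thread: a client that cannot
# reach its management server.
# Exit status: 0 decrypt started, 1 token rejected, 2 malformed token.
recover_disk() {
  disk="$1"
  token="$2"
  if ! validate_wdrt "$token"; then
    echo "token '$token' does not have the shape of a WDRT" >&2
    return 2
  fi
  if ! "$PGPWDE_BIN" --disk "$disk" --verify-user --rt "$token"; then
    echo "recovery token not accepted for disk $disk;" \
         "check the token and the client's link to the server before decrypting" >&2
    return 1
  fi
  "$PGPWDE_BIN" --disk "$disk" --decrypt --rt "$token"
}
```

Typical use is `recover_disk 2 91J56-ZGYE1-25F06-HUT4V-CQUK2-YJE`; the script never reaches the decrypt step unless the verification step returned success, so a wrong or stale token leaves the disk untouched.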

AskU wrote:

OK, so... unfortunately the policy update doesn't work (it says 'unable to download policy at this time').

In the first command you wrote, the option --rt doesn't exist.

If I launch the second one it says 'Error code -11500: Bad passphrase'. The WDRT I entered is correct, though.

AskU wrote:

I have noticed that this PC was used during a PGP P.O.C. with version 3.2.1. Probably the previous client wasn't uninstalled correctly, so now the Encryption Server sees two different instances (version 10.2 and version 10.3). See the attachment.

Moreover, I have seen on the Encryption Server that there is no 'Authorized user' for either instance (see attachment).

Any suggestion?

Thanks

Attachments: Disks.jpg, Nouser.jpg

Alex_CST wrote:

That "last seen" date is a bit worrying. If you can't update the policy then your installation cannot contact the Universal Server. You need to be able to communicate with the UN to get policy updates - that needs to be looked at first, really, otherwise the problems won't go away.

http://www.symantec.com/business/support/index?page=content&id=TECH149645


AskU wrote:

I have done a re-enrollment of the user and fortunately everything has gone fine!

Alex_CST wrote:

Good to hear!
