File Share Encryption

Here is an issue I met today.

Environment:

• Windows XP 32bits
• PGP Desktop 10.3.0
• One HDD in the system
• 4 partitions, C(boot), D(encrypted), E,F

I encrypted partition D weeks ago, and it worked well until this morning. 

The computer boots without Bootguard showing (or flashly skipped). The partition D can't be accessed and it is prompted like "This partition need to be formatted.". I can't find partition D in PGP Disk window, and only C,E,F is listed. But in Windows Disk Management, the partition D is shown no filesystem and working fine.

PS: I have the passpharse.

The following text is the output of several pgpwde commands 

There is some important files in partition D. ReInstallation PGP Desktop and re-instrument has been tried.

But I havn't try data recovery softwares. I don't think they will work for encrypted partition.

Is any possibility I can get my files back? Any suggestion will be appreciated.

Hi,

Most probably you don't have a backup of all your important data at all so I would do the following steps:

1.  I would certainly do a bit by bit copy of the disk for example with (CloneZilla - http://clonezilla.org/ or dd for windows - http://www.chrysocome.net/dd

2. I would still run a --recovery command but because there are no users found this most probably will not take an affect:

PGP WDE Command-line Tool Guide
http://www.symantec.com/docs/TECH204285

pgpwde --recover --passphrase "password" --disk 0

3. Uninstrument the disk with the command

pgpwde --uninstrument --disk 0

as there are no users found and then verify if the drive is accessible.

HTH

Thanks Adam,

But the thing went worse. I did a stupid try before I read your comment.

I thought, there is no user in disk 0, whatif I add one for it?

I just did, and reboot!

pgpwde --add-user --disk 0, --user myusername -p mypassphrase 

But, when the computer booted, the bootguard prompted, and "mypassphrase" didn't match. I entered the "Advance" option, it was said disk0 0% encrypted. I could never boot into the OS!

I plug the hard disk off, and connect to another system with same version pgp installed. The partitions C, E, F can be accessed. I try to "uninstrument" or "fixmbr", but both of them fail  because the passphrase dosen't match.

Now, I'am doing a bit by bit copy of partition D with "dd". What should I do next? Can the partition-d-copied-file convert to a PGP virtual Disk?

Hi PGP-BIG-HEAD,

If you try to add a user and it did not fail what is the status now for

pgpwde --list-users --disk 0

Do you see this user being added.

What is in fact current status of encrpted D partition on your drive. Is it the same as on the first post or sth has changed ?

Can you try to verify user while having drive SLAVED by the command to check if the password is OK

pgpwde --verify-user --username "USERNAME" --passphrase "PASSPHRASE" --disk 0

if it's successull I would give a go and try to authenticate:

pgpwde --disk 0 --auth -p <passphrase>

Note: on Slaved drive most pobably this will be --disk 1

If above steps fails I can only see after bit by bit copy to run  --recover and later --unistrument.

It is not possible ( at least I am not aware ) of any convertion of encrypted partition to PGP virtual disk

HTH

Thanks Adam,

The problem disk is connected to another computer now, so its index is disk 1.

Nothing has changed in encrypted partition D.

The verify operation failed.(Is the quotes necessary? Cause I didn't use it when do the add-user operation).

The recover operation return

Operation recover disk failed:
Error code -12220: Disk already managed

The uninstrument operation return

Operation uninstrument disk failed:
Error code -12220: Disk already managed

Update.

I rebuild the mbr with DiskGenius. The status of the problem disk turns to be "not instrumented by bootguard".

I just run 

pgpwde --recover --disk 2 -p mypassphrase 

It seems working.

Now it is keeping prompting:

<numbers> sectors searched, <numbers> sectors to go.

Is the mericle happening?

Hi PGP-BIG-HEAD,

Well, disk (partition D) was instrumented so if it was encrypted then --recover will search for the backup records and restore them of course if the operation not fail in between. Please be patient and wait.

You have also rebuild your MBR with DiskGenius so I can't predict the consequences as for now.
You should try do it first with --fixmbr.

Having error code  Error code -12220: Disk already managed means that previously as per policy it was setup to not allow users to managed the disk(encryption, decryption, allow user management). You can check if this is related to Removable Disks (SEMS > Consumers > Consumer Policy > Default > Desktop Button > Drive encryption tab ) so this can prevent your current machine where SLAVED disk is connected to run this operation.

Anyway let's wait and see how --recover process end up.

BAD LUCK

The recovery ends and outputs:

Found Primary BGFS record on sector 60499007

Found backup BGFS record on sector 17

Recovery failed!
Operation recover disk failed:
Error code -11984: item not found

My reckless operation always make things worse. I decide not to do anything without your advice.

PS: Where I can find this (SEMS > Consumers > Consumer Policy > Default > Desktop Button > Drive encryption tab ) ?

Hi PGP-BIG-HEAD

Hmm, if you manage to do a bit-by bit copy of the disk before you did anything else from your site I would stll try to use this disk and run --recover again as there were some backup records found ( Found backup BGFS record on sector 17). Potentialy this records were not restore due to changes done on your site.

You need to navigate to your Symantec encyrptiong management server (PGP Universal Server)

(SEMS > Consumers > Consumer Policy > Default policy or policy where the user exist > Desktop Button > Drive encryption tab )

HTH

My PGP version is 

• PGP Desktop 10.3.0

I can't find Symantec encyrptiong management server in my computer.

 Should I Install "PGP Universal Server" additionally? 

Hi PGP-BIG-HEAD,

No if you don't have it means you have only a Standalone PGP Client installed so nothing can be done on this part.

Currently as a last resort option I see to use a bit by bit copy of the disk and run again --recover.

Potentialy you could still use a WinHex editor to restore manually a backup record but this is very delicate, high level manual operation which can aslo fail and would require from you to open a case with Symantec.

Hi Adam,

Well, I'am doing the backup now.

Is there any tutorial for restoring manually? I'll do my last try, and have to give it up if fail.

Thank you all the same for your help and patience.

Hi PGP-BIG-HEAD,

I am afraid we don't have as this is not a standard and easy quick fix.

There was the thread using WinHex but related to a bit different problem below:

http://www.symantec.com/connect/forums/pgp-encryption-paused-00

HI Adam,

Finally, I GIVE UP. 

I thonght, the problem should be soloved, if I exactly followed your advise step by step.

Unfortunately, I haven't backup my disk before I tried myself. But thank you all the same.

Hi, PGP-BIG-HEAD

Thank you for your feedback. Following the steps most probably we could solve the issue.

I strongly recommend you to ALWAYS run a backup if not of all but at least of the most important data on encrypted drive.

Thank you.