File Share Encryption

  • 1.  Passphrase Prompt

    Posted May 13, 2016 02:17 PM

    Hi,

    I am using Symantec PGP Encryption Management Server 3.3.2 MP11 and Symantec Encryption Desktop 10.3.2 MP11 for Whole Disk Encryption on clients. The clients are on Windows 7 and are enrolled properly. The drives are encrypted and everything is functioning normally.

    We are currently doing a domain migration from multiple AD domains to one single consolidated AD domain. I was following the steps outlined in the article below for migrating Symantec Encryption Desktop / PGP Desktop users from one Active Directory domain to another.

    https://support.symantec.com/en_US/article.HOWTO85071.embed.html

    However, after the steps below I get the passphrase prompt that I have captured in the screenshot.

    • User32 is prompted to enrol and enters their pwpgp credentials.
    • Universal Server does an LDAP lookup on the AD server hosting the pwpgp domain and finds user32.
    • PWPGP\user32 is in the AD security group pwpgpgroup which is linked to the WDE-users Consumer Policy, i.e. no change of policy.

    My question is: what is this prompt and why am I getting it?




  • 2.  RE: Passphrase Prompt

    Posted May 13, 2016 05:18 PM

    It is a prompt for your key passphrase to sign the new Organization Key in the server you are migrating to.



  • 3.  RE: Passphrase Prompt

    Posted May 16, 2016 08:22 AM

    Hi Mike,

    Many thanks for your reply. I would like to know the following things:

    1) The steps in the HowTo article don't have any reference to this key passphrase prompt, so why am I getting it? Did I do something wrong that caused this, or is this normal behaviour?

    2) Is there any way to suppress this? All the clients are getting this prompt when they try to enrol.



  • 4.  RE: Passphrase Prompt
    Best Answer

    Posted May 16, 2016 10:58 AM

    It is due to the key mode currently in use.  Are the clients using any other encryption functionality other than Whole Disk Encryption?  If not, you could delete the keys before the enrollment/migration process.  I would recommend using SKM mode only, or the users will still be asked to create a password for the new keys, which is going to be the same type of hassle.

    This is a sample script of how one might perform this whole process in a batch file.  All testing or implementation of this type of script is to be done at your own risk.  Scripting is outside of the scope of support for Symantec Technical Support personnel.  PGPStamp64.reg and PGPStamp32.reg refer to a regedit file for the PGPStamp change (64-bit and 32-bit):

    --------------------------------------------------------------------------------------------------------------------------------

    @echo off
    REM Run elevated (PGPSTAMP lives under HKLM) in the logged-on user's own session (%APPDATA% and Documents are per-user).

    REM Stop the tray so the keyring and policy files are not in use.
    TASKKILL /F /IM PGPtray.exe

    REM Remove the cached policy/enrollment data and the user's local keyrings (2>nul: ignore "file not found").
    del "%APPDATA%\PGP Corporation\PGP\*.xml" 2>nul
    del "%USERPROFILE%\Documents\PGP\*.pkr" 2>nul
    del "%USERPROFILE%\Documents\PGP\*.skr" 2>nul

    REM Import the PGPSTAMP change silently (/s) and synchronously, so the tray is not restarted before the value is written.
    REM The (x86) install path means 64-bit Windows, where the PGP key is under Wow6432Node.
    if exist "c:\program files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe" regedit.exe /s "\\Server\Share\PGPStamp64.reg"
    if exist "c:\program files\PGP Corporation\PGP Desktop\PGPtray.exe" regedit.exe /s "\\Server\Share\PGPStamp32.reg"

    REM Restart the tray so the client re-enrols against the new server.
    if exist "c:\program files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe" start "" "c:\program files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe"
    if exist "c:\program files\PGP Corporation\PGP Desktop\PGPtray.exe" start "" "c:\program files\PGP Corporation\PGP Desktop\PGPtray.exe"

    --------------------------------------------------------------------------------------------------------------------------------

    Below is a sample of the registry edit file PGPStamp.reg I mentioned for 32-bit:

    --------------------------------------------------------------------------------------------------------------------------------

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\PGP Corporation\PGP]
    "PGPSTAMP"="ovid=myserver.mydomain.com&mail=*&admin=1"

    --------------------------------------------------------------------------------------------------------------------------------

    Below is the same for 64-bit:

    --------------------------------------------------------------------------------------------------------------------------------

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PGP Corporation\PGP]
    "PGPSTAMP"="ovid=myserver.mydomain.com&mail=*&admin=1"
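
The same procedure as the batch script in the answer above, written as a PowerShell script. This is an added example, not code from the original post or from Symantec. It takes the install paths, the registry keys and the PGPSTAMP value format exactly as given in that answer; the server name, the backup folder and the parameter names are placeholders of my own. It differs from the batch version in three ways that a practitioner would want: it moves the keyring and policy XML files to a timestamped backup folder instead of deleting them (a private key that turns out to have been used for mail or files is then still recoverable), it writes PGPSTAMP directly instead of importing a .reg from a share, and it reads the value back and checks it before PGPtray is restarted, since a typo in ovid= would send the client to the wrong server.

```powershell
<#
  Added example (not from the original post or from Symantec).
  Assumptions: run elevated (HKLM write) inside the logged-on user's own session,
  because %APPDATA% and Documents are per-user; -ServerFqdn and -BackupRoot are placeholders.
#>
param(
    [Parameter(Mandatory = $true)][string]$ServerFqdn,   # new Encryption Management Server, e.g. keys.corp.example.com (placeholder)
    [string]$BackupRoot = (Join-Path $env:USERPROFILE 'PGP-migration-backup')   # placeholder location
)

$ErrorActionPreference = 'Stop'

# Install paths from the batch script in the answer. The (x86) path means 64-bit Windows,
# where the PGP registry key lives under Wow6432Node.
$tray32 = 'C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe'
$tray64 = 'C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe'

if (Test-Path $tray64) {
    $tray   = $tray64
    $regKey = 'HKLM:\SOFTWARE\Wow6432Node\PGP Corporation\PGP'
} elseif (Test-Path $tray32) {
    $tray   = $tray32
    $regKey = 'HKLM:\SOFTWARE\PGP Corporation\PGP'
} else {
    throw 'Symantec Encryption Desktop (PGPtray.exe) not found; nothing to migrate.'
}

# 1. Stop the tray so the keyring and policy files are not locked.
Get-Process -Name PGPtray -ErrorAction SilentlyContinue | Stop-Process -Force

# 2. Move (rather than delete) the cached policy XML and the local keyrings to a
#    timestamped backup folder. The answer says these are disposable when the user
#    only uses Whole Disk Encryption; keeping a copy costs nothing if that assumption is wrong.
$backupDir = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$patterns = @(
    (Join-Path $env:APPDATA     'PGP Corporation\PGP\*.xml'),
    (Join-Path $env:USERPROFILE 'Documents\PGP\*.pkr'),
    (Join-Path $env:USERPROFILE 'Documents\PGP\*.skr')
)
foreach ($pattern in $patterns) {
    Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue |
        Move-Item -Destination $backupDir -Force
}

# 3. Write PGPSTAMP directly, in the same format as the .reg files in the answer,
#    so no network share and no regedit confirmation dialog are involved.
$newStamp = "ovid=$ServerFqdn&mail=*&admin=1"
if (-not (Test-Path $regKey)) { New-Item -Path $regKey -Force | Out-Null }
$oldStamp = (Get-ItemProperty -Path $regKey -Name PGPSTAMP -ErrorAction SilentlyContinue).PGPSTAMP
Set-ItemProperty -Path $regKey -Name PGPSTAMP -Value $newStamp

# 4. Read the value back before restarting the tray; fail loudly if it did not stick.
$check = (Get-ItemProperty -Path $regKey -Name PGPSTAMP).PGPSTAMP
if ($check -ne $newStamp) { throw "PGPSTAMP write failed: expected '$newStamp', got '$check'" }
Write-Host "PGPSTAMP changed from '$oldStamp' to '$check'; previous files saved under $backupDir"

# 5. Restart the tray so the client re-enrols against the new server.
Start-Process -FilePath $tray
```

Usage: `.\Migrate-PGPStamp.ps1 -ServerFqdn keys.corp.example.com` from an elevated prompt in the user's session (file name and host are placeholders). The script stops at the first error, so a failed backup or registry write never leaves the tray running against a half-applied state; the old PGPSTAMP value is printed so the change can be reverted by hand if enrollment against the new server fails.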