Endpoint Encryption

  • 1.  PGP Desktop 10.4.0 PGPWDE command line --fast switch ignored

    Posted Jun 22, 2018 08:08 AM

    Hi,

    Trying to encrypt disk 0 using --fast switch.

    The various bits of documentation for this version conflict slightly with each other.  Per other posts on this forum and Symantec tech docs, the recommended command for implementing the --fast switch seems to be:

    pgpwde --encrypt --disk 0 --passphrase '<PASSPHRASE>' --fast

    However this fails with error 11973: resources unavailable

    On searching for a reason for the error, I found this page which states --encrypt is deprecated and to use --secure instead.  NB: The linked page refers to version 10.2.1, however I'm hoping it's a safe assumption that if --encrypt was deprecated in 10.2.1 then it will also have been deprecated in 10.4.0, despite what the PGPWDE documentation (PDF) and --help file (pastebin) both state.

    So, using --secure, the command then becomes:

    pgpwde --secure --disk 0 --user <USER> --passphrase '<PASSPHRASE>' --fast

    This gets passed successfully to the PGP Desktop GUI and encryption commences, however the --fast switch is seemingly ignored and PGP Desktop encrypts the whole disk including empty sectors.  The reason I think this is that when using the above command to encrypt a 500GB disk with 437GB free space, the "encryption progress" indicator in the desktop GUI states:

    xx.xx% Complete - yy.yyGB of 465.8GB encrypted - [time] remaining

    yy.yyGB starts at zero and rises to the full capacity of the disk.  I have wondered whether this indication is a red herring (and perhaps only the used sectors were being encrypted despite what it states) however encryption time is about the same regardless of whether the --fast switch is specified or not, leading me to believe that it is in fact accurate and the whole disk, including free space, is being encrypted.

    The reason I need a fix for this is that my org uses 10.4 globally and I wish to encrypt a SATA SSD but retain the benefit of wear levelling.

    TIA for any assistance.

    Bruce



  • 2.  RE: PGP Desktop 10.4.0 PGPWDE command line --fast switch ignored

    Posted Jun 27, 2018 06:39 AM

    Update for anyone with the same problem.

    Contrary to the advice given in TECH191262, --encrypt is not deprecated.

    Per PGPWDE CLI documentation, --secure is a combination of three commands, namely:

    --instrument
    --add-user
    --encrypt
    

    The --fast or --fast-mode switch, whilst seemingly ignored when passed as part of the --secure command, appears to work as advertised when used against the --encrypt part of the above command sequence, e.g.:

    pgpwde --instrument --disk 0
    pgpwde --add-user --disk 0 --username "Username" --passphrase <PASSPHRASE>
    pgpwde --encrypt --disk 0 --passphrase <PASSPHRASE> --all --fast-mode
    

    The encryption progress still appears to show the entire disk being encrypted, however the operation completes much more quickly (~1.5hrs vs ~6hrs for a 500GB disk with ~25GB used on a Core i5 machine running Win7 x64).

    The operation time doesn't appear to make much sense (i.e. I would expect it to complete much more quickly given the minimal volume of data to be encrypted) so if anyone knows of a way to verify the state of empty sectors following encryption I would appreciate a pointer.