File Share Encryption

  • 1.  PGP WDE - Allow users to decrypt?

    Posted Feb 03, 2012 11:57 PM

    Hey Guys -

    With respect to managing the PGP Universal Server, is it recommended practice to enable 'allow users to decrypt', or would that pose a security risk?   On the one hand, we have 'allow users to decrypt' disabled on our primary policy.   We have another policy that allows decryption.   It's become frustrating to have an encrypted workstation change policies when it's in a BSOD or simply malfunctioning.  

    On the other hand, it seems risky to allow decryption, in case the laptop is ever stolen or lost. 

    Any thoughts?



  • 2.  RE: PGP WDE - Allow users to decrypt?

    Posted Feb 04, 2012 08:39 AM

    I don't see how allowing the user to decrypt would have any negative impact on a stolen laptop if it is encrypted.  It seems the problem would be that if the user is allowed to decrypt, that some people may wind up carrying around decrypted computers. 



  • 3.  RE: PGP WDE - Allow users to decrypt?

    Posted Feb 04, 2012 03:26 PM

    Thanks Tom.  You're always helpful.  I thought the same thing, as the thief would need to bypass the whole disk encryption / boot guard before being able to decrypt.  Additionally, a passphrase is required for decryption.  I posted the question in hopes that I may have missed an angle by allowing the decryption.   Is it common for organizations to allow decrypting though?   Also, since the problem we're running into is when the laptop is in a BSOD state, is there an easier way to allow decryption on the fly?    Thanks as always



  • 4.  RE: PGP WDE - Allow users to decrypt?

    Posted Feb 04, 2012 03:43 PM

    I don't know how common the allowed decryption is.  My only experience is with PGP Corporation that left me able to do anything, and now Symantec which controls everything at the server level and I'm not even able to access PGP Options.

    If you can't boot and access PGP Desktop for the decryption, your options are pretty limited.  You have the option of using the WDRT for booting, but I don't know if there is a way to somehow use this for decryption if you can't boot.  You can decrypt by attaching the disk to another machine with PGP installed, or by using the WDE Recovery CD.



  • 5.  RE: PGP WDE - Allow users to decrypt?

    Posted Feb 04, 2012 04:42 PM

    Are you Symantec/PGP staff or just volunteering your knowledge? 

    Our main issue at the moment is when a drive goes into a BSOD.   We have to spend almost 6 hours decrypting by putting the drive in as a slave.  Then of course, it never accepts the password, so I have to run the commands.  

    Would the WDE Recovery CD help this case or is it limited to what sort of BSOD it is?



  • 6.  RE: PGP WDE - Allow users to decrypt?
    Best Answer

    Posted Feb 04, 2012 05:52 PM

    I have contractual status with Symantec.

    If using a recent version of PGP, it is possible that booting from the WDE Recovery CD might resolve booting problems.  Negatives of using the Recovery CD include that the decryption must not be stopped until it completes, and it uses slow 16-bit processing.



  • 7.  RE: PGP WDE - Allow users to decrypt?

    Posted Feb 05, 2012 08:36 AM

    Many thanks Sir



  • 8.  RE: PGP WDE - Allow users to decrypt?

    Posted Feb 06, 2012 06:53 AM

    Rather than using the Recovery CD (which is a 16-bit mini Linux) you can create your own customized Windows PE disc (include the PGP WDE driver and command line) using this article: http://www.symantec.com/docs/HOWTO64225

    The benefit is, you can put all your rescue tools on the PE disc as well, in order to fix the configuration by still having the drive encrypted.

    Or if you need to decrypt it, it will run much faster with the PE disc, since it is 32-bit.
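The offline decryption that posts 4, 5 and 8 describe (slave the encrypted disk to a machine with PGP Desktop installed, or boot a custom Windows PE disc carrying the WDE driver and command line, then drive pgpwde.exe by hand) can be scripted so the technician gets the disk index, an encryption-status check and a list of enrolled users before committing to a multi-hour decrypt. The script below is an added example and is not from the thread, from Symantec, or from the HOWTO article it links; it is a wrapper around the PGP WDE command-line tool. The option names it uses (`--enum`, `--status`, `--list-user`, `--decrypt`, `--disk`, `--passphrase`), the install path in `$PgpWde`, and the text matched in the status output are assumptions that must be checked against `pgpwde --help` and one real status line on the build you run; a WinPE disc needs the WinPE PowerShell optional component for this to run there, otherwise run it on the technician workstation the disk is slaved into.

```powershell
<#
  Added example, not part of the original thread.
  Decrypts a PGP WDE-encrypted disk that has been slaved into a technician
  machine (or is visible from a custom WinPE disc) using pgpwde.exe.

  ASSUMPTIONS (verify before use):
    - option names follow the PGP WDE command-line reference: --enum,
      --status, --list-user, --decrypt, --disk, --passphrase
    - $PgpWde points at the pgpwde.exe shipped with PGP Desktop
    - the --status text contains the word "Decrypt" while decryption runs
#>
param(
    # PGP disk index as printed by 'pgpwde --enum'; NOT the Windows disk number.
    [Parameter(Mandatory)][int]$DiskNumber,
    [string]$PgpWde = 'C:\Program Files (x86)\PGP Corporation\PGP Desktop\pgpwde.exe',
    [int]$PollSeconds = 300
)

function Invoke-PgpWde {
    # Runs pgpwde with the given arguments and returns exit code plus captured text.
    param([string[]]$Arguments)
    $out = & $PgpWde @Arguments 2>&1
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = ($out -join "`n") }
}

if (-not (Test-Path $PgpWde)) { throw "pgpwde.exe not found at $PgpWde (assumed path; adjust)" }

# 1. Show every disk PGP WDE can see, so the operator can confirm $DiskNumber
#    is the slaved drive and not the technician machine's own boot disk.
Write-Host '--- pgpwde --enum ---'
Write-Host (Invoke-PgpWde @('--enum')).Output

# 2. Refuse to continue unless the target actually reports as encrypted.
$status = Invoke-PgpWde @('--status', '--disk', "$DiskNumber")
Write-Host "--- status, disk $DiskNumber ---"
Write-Host $status.Output
if ($status.ExitCode -ne 0 -or $status.Output -notmatch 'encrypt') {
    throw "Disk $DiskNumber does not report as PGP-encrypted; aborting."
}

# 3. List enrolled users. When "it never accepts the password", the usual cause
#    is typing the passphrase for an account that is not enrolled on THIS disk.
Write-Host "--- users enrolled on disk $DiskNumber ---"
Write-Host (Invoke-PgpWde @('--list-user', '--disk', "$DiskNumber")).Output

# 4. Read the passphrase without echo and keep it out of the script file.
$secure = Read-Host -AsSecureString 'Passphrase of a user enrolled on this disk'
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# 5. Start decryption. Note the passphrase is passed on the command line of
#    the child process and is visible in the process table while pgpwde runs.
$start = Invoke-PgpWde @('--decrypt', '--disk', "$DiskNumber", '--passphrase', $plain)
$plain = $null
Write-Host $start.Output
if ($start.ExitCode -ne 0) {
    throw "pgpwde --decrypt returned exit code $($start.ExitCode); passphrase rejected or disk busy."
}

# 6. Poll progress. Unlike the 16-bit Recovery CD, a decrypt started from
#    Windows / WinPE survives a pause; this loop just reports until done.
do {
    Start-Sleep -Seconds $PollSeconds
    $s = Invoke-PgpWde @('--status', '--disk', "$DiskNumber")
    Write-Host ("{0:u}`n{1}" -f (Get-Date), $s.Output)
} while ($s.Output -match 'Decrypt')   # assumed progress marker; adjust after one real run

Write-Host "Disk $DiskNumber no longer reports decryption in progress."
```

Run it as an administrator with the slaved disk's PGP index, e.g. `.\Decrypt-PgpWdeDisk.ps1 -DiskNumber 1`. Two practical points from the thread that the script does not change: the decrypt still takes hours on a large disk, so start it on a machine that will not sleep or be rebooted; and the passphrase you need is one enrolled on the slaved disk (a user, or the WDE admin passphrase from the policy), which is exactly why `--list-user` is printed before the prompt.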