File Share Encryption

  • 1.  Where on disk does PGP Whole Disk Encryption save original MBR?

    Posted Feb 25, 2014 09:14 PM

    I think I've finally got a decent technical understanding of how PGP interacts with the MBR, thanks to the link here (http://www.storagecraft.com/support/forum/missing-operating-system-after-bare-metal-restore-pgp-volume).

    Basically, Symantec uses up to the first 63 sectors (track 0) for their PGP MBR. The original MBR is backed up. When the disk is instrumented, the original MBR is restored. My question is where is the original MBR stored on the disk? Somewhere on the hidden track (read: track 0) or within one of the encrypted partitions? When you back up the MBR, I'm assuming it backs up the Master Partition Table and disk signature, in addition to the Master Boot Code (basically, all 512 bytes).

    Also, when running the PGP WDE --recover command, I see it searches throughout the disk. Is it searching for a signature, at the low-level, or is it searching at the file-level? It looks like it's combing through sectors, so I'm thinking it's looking for a particular signature to attempt to piece together the PGP instrumentation of the disk.



  • 2.  RE: Where on disk does PGP Whole Disk Encryption save original MBR?

    Posted Feb 26, 2014 04:23 AM

    Usually PGP WDE knows where the original MBR is, which is why the --recover takes a while.  The --recover switch assumes it has lost or otherwise the original MBR, and goes through sector by sector looking for it.  It's not at a file level.

     

    Obviously with PGP being implemented, it moves the MBR.  I don't actually know where it moves it to.  I would assume traditionally it's right next to the PGP MBR.  Symantec techs would need to verify this.



  • 3.  RE: Where on disk does PGP Whole Disk Encryption save original MBR?

    Broadcom Employee
    Posted Feb 26, 2014 08:16 AM

    Hi JackAllTrades,

    The --recover switch will search throughout the entire disk (sector-by-sector) for the backup of the user records, thus a low-level operation.

    You can use a tool like DiskProbe and search for the MBR signature.
    It should be possible to find the PGP user records, if they exist.
    Regarding the "original MBR", I'm not sure if it is in the clear on an encrypted disk; I think it is encrypted.


    Rgs,
    dcats



  • 4.  RE: Where on disk does PGP Whole Disk Encryption save original MBR?

    Posted Feb 26, 2014 03:49 PM
    Hello Alex_CST,
     
    I had thought the recover command is searching through the drive to locate the PGP user records, as dcats pointed out.
     
    According to this article (http://www.symantec.com/business/support/index?page=content&id=TECH149631), in the case of a corrupt MBR (PGP MBR?), the article outlines to use the PGP fixmbr and recover commands, in that order. I'm presuming the PGP fixmbr command, as opposed to Microsoft's fixmbr, attempts to repair the PGP MBR, not the original MBR. It wouldn't make sense to restore the original MBR and then try to recover the PGP user records.
     
    I would think you're correct; the PGP MBR is not encrypted and storing the original MBR next to it sounds logical.
     
    Hello dcats,
     
    Thank you for the tip. I'll definitely take a look at DiskProbe. I would be quite curious to examine if your software is writing the original MBR in plaintext (track 0) or encrypted space. I would think next to the PGP MBR makes more sense, especially with exotic PGP system configurations like multi-boot OS or individual encrypted partitions, where one or more OSes are encrypted.
     
    Thank you both for your help.
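
The signature search discussed in this thread, as an added example that is not from any poster or from Symantec: it scans the first 63 sectors of a disk image for sectors structured like a 512-byte MBR (0x55AA signature, disk signature at offset 440, partition table at offset 446). The sample image, its disk signature and the LBA of the backup copy are constructed for illustration and do not describe where PGP WDE actually stores anything.

```python
import struct

SECTOR = 512          # one MBR = 512 bytes
TRACK0_SECTORS = 63   # "first 63 sectors (track 0)", as stated in the thread


def parse_mbr(sector: bytes):
    """Return parsed fields if the sector is structured like an MBR, else None."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return None
    partitions = []
    for i in range(4):  # partition table: 4 entries of 16 bytes at offset 446
        entry = sector[446 + 16 * i: 462 + 16 * i]
        boot_flag, ptype = entry[0], entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if boot_flag not in (0x00, 0x80):
            return None  # 0x55AA alone is weak evidence (other sectors carry it too)
        if ptype != 0:
            partitions.append({"type": ptype, "active": boot_flag == 0x80,
                               "lba_start": lba_start, "sectors": count})
    if not partitions:
        return None
    return {"disk_signature": sector[440:444].hex(), "partitions": partitions}


def scan_track0(image: bytes):
    """Map LBA -> parsed MBR for every MBR-like sector in track 0 of the image."""
    hits = {}
    for lba in range(min(TRACK0_SECTORS, len(image) // SECTOR)):
        info = parse_mbr(image[lba * SECTOR:(lba + 1) * SECTOR])
        if info:
            hits[lba] = info
    return hits


def build_sample_image() -> bytes:
    """Constructed 63-sector image; the layout is invented, not PGP's real one."""
    mbr = bytearray(SECTOR)
    mbr[440:444] = bytes.fromhex("deadbeef")            # constructed disk signature
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x07, b"\0" * 3, 63, 204800)
    mbr[510:512] = b"\x55\xaa"
    image = bytearray(SECTOR * TRACK0_SECTORS)
    image[0:SECTOR] = mbr                                # boot sector
    image[5 * SECTOR:6 * SECTOR] = mbr                   # plaintext copy, arbitrary LBA
    image[9 * SECTOR + 510:9 * SECTOR + 512] = b"\x55\xaa"  # decoy: signature only
    return bytes(image)


if __name__ == "__main__":
    for lba, info in scan_track0(build_sample_image()).items():
        print(lba, info["disk_signature"], info["partitions"])
```

A scan like this only finds a backup that is stored in plaintext; if the original MBR is kept encrypted, as dcats suspects, no sector will match.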