Symantec Encryption Desktop (SED) - Using Local Self Recovery
search cancel

Symantec Encryption Desktop (SED) - Using Local Self Recovery


Article ID: 150218


Updated On:


Drive Encryption




If you forgot your passphrase, and if your system is configured for it, you can bypass PGP BootGuard by answering three out of five security questions correctly. You create and answer the five security questions. This is similar to recovering your key if you lost the key or forgot the passphrase for the key.

Note: If you are using Symantec Encryption Desktop in a Symantec Encryption Server-managed environment, your Symantec Encryption Server administrator may have disabled the option for local self recovery (LSR). Your administrator may also have specified that LSR be configured during enrollment. In this case, you are prompted to enter the security questions as you set up Symantec Encryption Desktop. If Symantec Encryption Desktop does not prompt you to configure LSR, you can manually do so after encrypting an internal drive.

To create your security questions

1.  Using Symantec Encryption Desktop, encrypt your internal drive. You can use either a Passphrase user or a Windows SSO user.

2. Right-click the user's name in Symantec Encryption Desktop and select Add Security Questions.

Note: You cannot create security questions for the Drive Encryption-Admin user or the ADK.

3. Create and answer the five security questions. The user's name is displayed with LSR to the right (and a tool tip), to indicate that "local self recovery" has been configured for the user.

To recover your passphrase at PGP BootGuard

1. At the PGP BootGuard screen, press F4 or use the arrow keys to select Forgot Passphrase and press Enter.

2. On the screen that prompts you to select a recovery option, select Answer my questions to log into the system and press Enter.

3. Do one of the following:

  • If the screen prompts you to select username, select your username and press Enter.
  • If the screen prompts you to enter Drive Encryption username, enter your Drive Encryption username and press Enter.

These screens appear based on the LSR policy applied to the computer, the number of LSR-configured Drive Encryption users on the computer, and the type of PGP BootGuard screen enabled for the computer.

4. Answer the first security question displayed. Type the answer and press Enter.

5. Continue to answer the questions. You must answer three of the five questions correctly.

6 When you have answered the questions correctly, the Windows operating system begins to start up. When the Log On to Windows dialog box is displayed, enter your Windows login name and password.

When Windows has finished launching, the PGP Disk - Change User Passphrase dialog box is displayed.

7 Enter and confirm a new passphrase for the user, and click OK. The new passphrase is created for the user.

The Passphrase Quality bar provides a basic guideline for the strength of the passphrase you are creating. For more information, see The Passphrase Quality Bar (on page 268).

Normally, as an added level of security, the characters you type for a passphrase are not visible on the screen. If you would like to see the characters of your passphrase as you type, select the Show Keystrokes check box.

The same security questions are displayed if you forget your passphrase again. If you want to change your security questions, right-click the user name and select Add Security Questions.