Using Ghost with Symantec Endpoint Encryption Full-Disk 6.x

Is it possible to use Symantec Ghost disk imaging to back up the data on a machine that has Symantec Endpoint Encryption (SEE) Full-Disk installed?

Note: Distribution of SEE to multiple systems using a base image is not supported by SEE. The method described in this document is useful for back-up and restore of unique systems only.

Because the full disk is encrypted Ghost is not able to read the file system by default, and therefore cannot take a standard image. Two methods around this are possible:

Method 1:

Booting from the Symantec Endpoint Encryption Recovery-CD to be able to access the un-encrypted drive contents. 

Note: This method keeps the image much smaller, but it is not secure as the image is not encrypted. It is not therefore recommended except as an emergency imaging method.

(This method has been tested with Symantec Ghost 11.5)

• The Symantec Endpoint Encryption Recovery-CD loads an encryption/decryption layer and, after successfully providing login details, allows full access to the file system on the encrypted disk inside a WinPE environment. The 32-bit version of Ghost can be used at this point to take an image of individual partitions or of the full disk, which can be saved to a USB drive or over the network for example. The image will be a standard unencrypted ghost image, as the data is decrypted on the fly by the recovery CD encryption/decryption layer. The size of the image will be the size of the file data on the disk, or smaller when using compression.
• Restoring an image is not possible through the Recovery-CD encryption layer - Symantec Endpoint Encryption needs to be removed from the Master Boot Record (MBR) of the disk so that the image can be restored onto a "plain" disk. Removing the Symantec Endpoint Encryption MBR from the disk and re-creating a standard MBR can be done with gdisk.exe or gdisk32.exe from the Symantec Ghost tools (using the /MBR switch), or with the standard Microsoft fdisk.exe tool.
• The following is a working example of a two-partition configuration where a default image needs to be restored to partition 1, while keeping the 2nd user data partition intact
  
  • Setup:
    Machine with Symantec Endpoint Encryption Full-Disk 6.1 installed, one physical disk, fully encrypted, two partitions on the disk
    • Partition 1: System, to be restored from an already existing default image
    • Partition 2: User data, to remain intact on the disk after the operation
  • Steps:
    1. The machine is booted from the Symantec Endpoint Encryption Recovery-CD, a login allows access to the data on the encrypted disk
       1. The user partition is saved using Symantec Ghost to a USB drive backup location (the image created is un-encrypted, as data is decrypted on the fly by the decryption layer provided by the CD)
    2. The machine is rebooted and started from a regular Windows PE CD (with no SEE encryption/decryption layer)
       1. The disk is prepared for restoring the two images using the Ghost tools, by removing the SEE MBR and encrypted partitions (gdisk32.exe 1 /MBR and gdisk32.exe 1 /del /all)
       2. The default system image is restored onto the disk as the first partition
       3. The user partition backup image (saved in step 1.1) is restored onto the disk as the second partition
    3. Reboot - the machine can now boot from the local disk and both partitions are unencrypted
       1. If the SEE software was already present in the default system image restored to partition 1 (or if it is pushed out via group policies) the disk will re-encrypt again automatically in the background

Method 2:

• Taking and restoring a disk image of a machine with Symantec Endpoint Encryption Full-Disk installed is supported when using sector-by-sector imaging - see the following KB article:
  (This method is supported with Symantec Ghost 7.5 and later)
  
  Creating a Sector by Sector Ghost image of a hard drive encrypted with Symantec Endpoint Encryption
  
  The image will be roughly the same size as the full disk when using this method.

Technical Information
Restoring an image through the Recovery-CD encryption layer is not possible because of a set of SEE system files which the software stores on the first encrypted partition. These files are fully hidden and protected from the OS by a boot time device driver, which also prevents access to the SEE "real" MBR on the first sector of the disk (redirecting access to the standard MBR stored elsewhere).