Using Whole Disk Recovery Tokens
search cancel

Using Whole Disk Recovery Tokens


Article ID: 153272


Updated On:


Drive Encryption Encryption Management Server


Whole Disk Recovery Tokens (WDRT) allow server Symantec Encryption Management Server (previously PGP Universal Server) administrators the ability to remotely regain access to a drive that has been whole disk encrypted. The WDRT can be used if the usual authentication method is unavailable (for example, if a user forgets their passphrase).


Whole Disk Recovery Tokens are associated with encrypted devices, not single computers or single users.  A single computer can be associated with multiple encrypted devices.  If multiple users have accounts on the same device, they share the same token.  Whatever you do with the token affects all users sharing that device.  Each encrypted device has only one Whole Disk Recovery Token (WDRT).

If the user whose settings you are viewing has one or more Whole Disk Recovery Tokens stored on the server, each token will be listed in the WDRT column of the Whole Disk Encryption section for the User.

Note: As WDRT strings contain both letters and numerals, it can be difficult to tell the difference between certain letters and numerals, Whole Disk Recovery Tokens use letter and numeral equivalencies.  Therefore you can type either letter or numeral when you use a token, and the token string will be accepted. The following are interchangeable:

Letter B and numeral eight (8)
Letter O and numeral zero (0)
Letter I and numeral one (1)
Letter S and numeral five (5)

Recover an encrypted disk using a Whole Disk Recovery Token

  1. Log into the Symantec Encryption Management Server administrative interface
  2. Click Consumers and then select Users.
  3. Select the user which you want to view the WDRT for. The Internal User Information dialog appears.
  4. Click Whole Disk Encryption tab then click the View icon in the WDRT column. The recovery token string appears.
  5. Provide the information contained in the WDRT to the user.
  6. On the PGP BootGuard screen of the end user, the user enters the Whole Disk Recovery Token to unlock the disk. When entering the token, it is not necessary to enter the hyphens in the string.

Note: Once the token is used, it is presented as a broken or opened token, and a new token is automatically generated by Encryption Desktop and synchronized with the SEMS as soon as the user logs in. The new token will then re-appear as unviewed or valid.