How to Authenticate or Decrypt a disk from the Command Line Using a WDRT
search cancel

How to Authenticate or Decrypt a disk from the Command Line Using a WDRT


Article ID: 153502


Updated On:


Drive Encryption Encryption Management Server


In Symantec Encryption Management Server (formerly PGP Universal) environments with the appropriate policy, Whole Disk Recovery Tokens (WDRTs) are created automatically when a disk, partition, or removable disk is whole disk encrypted. They are sent to the Management Server, managing security for the disk or partition when they are created.

WDRTs can be used to access the disk or partition in case the passphrase or authentication token is lost. Once a WDRT is used, it cannot be used again, and another WDRT would need to be retrieved from the Management Server.


This article details the steps to authenticate a disk via the command line using a WDRT.

  1. Open a Command Prompt.
    • Click Start>Run, type cmd and click OK.
    • Or, click Start and search for "Command Prompt"
  2. Change to the Encryption Desktop directory.
    • On 32-bit Windows, type: cd C:\Program Files\PGP Corporation\PGP Desktop
    • On 64-bit Windows, type: cd C:\Program Files (x86)\PGP Corporation\PGP Desktop
  3. To list the visible disks on the system, type pgpwde --enum 
  4. Verify the WDRT of the disk by typing pgpwde --disk <Disk #> --verify-user --rt <Whole Disk Recovery token>
    • Change the disk number depending on which disk you are trying to authenticate
    • Do not include the <> brackets
  5. To unlock the drive, accessing the data whilst keeping it encrypted, type pgpwde --auth --disk <#> --rt <WDRT> 
  6. To decrypt the drive, removing the encryption on it, type pgpwde --decrypt --disk <#> --rt <WDRT> 

For example, to decrypt disk 2 with a WDRT, use: pgpwde --disk 2 --decrypt --rt 91J56-ZGYE1-25F06-HUT4V-CQUK2-YJE