Unable to Encrypt Disk Using Symantec Drive Encryption for Linux (formerly PGP Whole Disk Encryption)

Article ID: 155925

Products

Drive Encryption

Issue/Introduction

When attempting to encrypt a disk using the pgpwde --secure command, you encounter the following error:

Error code -11990: read failed
 

Cause

This is usually caused by instrumentation left behind in the Master Boot Record (MBR) by a previous encryption of the disk. This can happen when you encrypt a disk and then remove the partition tables, reformat and reinstall the Linux operating system over the top of the encrypted disk, or reimage the disk. To tell whether you are affected by this problem, run a command to check the status of encryption on the disk:

pgpwde --status --disk 0

Note: Replace disk 0 with the correct disk number if this is not the primary drive that you are working with.

Check if the output of this command states that the drive is instrumented but the instrumentation data is invalid.

 

Resolution

You can wipe the disk using several methods (varied success has been reported with the dd commands). The full disk wipe (method 2) appears to produce better results but takes more time.
 
Method 1 (replace MBR method)
 
Zero out the MBR using the dd utility
 
1) Boot off a Linux Live CD (you will most likely not be able to modify the MBR while booted into the affected OS)
 
2) Run the dd command to zero the MBR boot code (you may first have to install the dd utility using your distribution's package management system)
 
dd if=/dev/zero of=/dev/sdX bs=446 count=1
 
Note: Replace "X" in the of field with the drive that is your boot drive.
 
Example:
 
Disk 0 (/dev/sda) is your primary boot drive
 
dd if=/dev/zero of=/dev/sda bs=446 count=1
 
3) If you are doing this on a system that hasn't had the operating system installed on it, you should be fine to install the OS now. If not, proceed to Step 4
 
4) Mount the / and /boot partitions
 
mkdir /mnt/sysimage
mkdir /mnt/sysimage/boot
mkdir /mnt/sysimage/proc
mkdir /mnt/sysimage/dev
mkdir /mnt/sysimage/dev/pts
mkdir /mnt/sysimage/sys
 
mount /dev/sda2 /mnt/sysimage        # or whatever partition number is the root partition
mount /dev/sda1 /mnt/sysimage/boot   # or whatever the partition number is for the boot partition
 
5) Mount /proc and /dev
 
mount -o bind /proc /mnt/sysimage/proc
mount -o bind /dev /mnt/sysimage/dev
mount -o bind /dev/pts /mnt/sysimage/dev/pts
mount -o bind /sys /mnt/sysimage/sys
 
6) Chroot into the environment
chroot /mnt/sysimage /bin/bash
 
7) Re-install grub boot loader
grub-install /dev/sda
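
The dd command in step 2 writes only the first 446 bytes of sector 0, which is the boot code area; the partition table and boot signature in bytes 446-511 are meant to survive. The script below is an added example, not part of the original article or of Symantec's tooling: it backs up sector 0, zeroes the boot code, and checks that the rest of the sector is unchanged. The function names and the sample disk image are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): guarded version of the
# Method 1 dd step. The sample image below is constructed for illustration.

# zero_mbr_bootcode TARGET BACKUP
# TARGET: block device (e.g. /dev/sdX) or disk image. BACKUP: file for sector 0.
zero_mbr_bootcode() {
    target=$1; backup=$2
    # Save the whole 512-byte sector 0 first so the change can be reverted.
    dd if="$target" of="$backup" bs=512 count=1 2>/dev/null || return 1
    # Zero bytes 0-445 only. conv=notrunc stops dd truncating an image file
    # (it makes no difference on a block device).
    dd if=/dev/zero of="$target" bs=446 count=1 conv=notrunc 2>/dev/null || return 1
    # Bytes 446-511 (partition table + 55 AA signature) must be unchanged.
    [ "$(tail_hex "$target")" = "$(tail_hex "$backup")" ]
}

# tail_hex FILE: hex dump of bytes 446-511 of sector 0.
tail_hex() {
    dd if="$1" bs=1 skip=446 count=66 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# bootcode_is_zero TARGET: succeeds when the first 446 bytes are all zero.
bootcode_is_zero() {
    nonzero=$(dd if="$1" bs=446 count=1 2>/dev/null | tr -d '\000' | wc -c)
    [ "$nonzero" -eq 0 ]
}

# make_sample_image PATH: constructed 1 MiB image whose sector 0 is filled
# with 'A' bytes and ends in the 55 AA boot signature.
make_sample_image() {
    { head -c 510 /dev/zero | tr '\000' 'A'; printf '\125\252'
      head -c 1048064 /dev/zero; } > "$1"
}

# Demo on the constructed image (never touches a real disk).
demo_dir=$(mktemp -d)
make_sample_image "$demo_dir/disk.img"
if zero_mbr_bootcode "$demo_dir/disk.img" "$demo_dir/mbr.bak" &&
   bootcode_is_zero "$demo_dir/disk.img"; then
    echo "boot code zeroed; partition table and signature intact"
fi
rm -rf "$demo_dir"
```

On a real disk, run the function from the Live CD environment against the boot drive and keep the backup file on separate media.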
 
 
Method 2 (full disk wipe method)
 
Note: This method wipes the entire drive, so it requires reinstalling the Linux operating system and restoring your data from backup.
 
2) Wipe the disk (usually just a quick wipe is sufficient).
3) Reinstall the operating system.
4) Encrypt the drive again.

Applies To

Symantec Drive Encryption (formerly PGP Whole Disk Encryption)

Linux 2.6 kernel or newer