Unable to Encrypt Disk Using Symantec Drive Encryption for Linux (formerly PGP Whole Disk Encryption)

Products

Drive Encryption

Issue/Introduction

When attempting to encrypt a disk using the pgpwde --secure command you encounter the following error:

Error code -11990: read failed

Cause

This is usually caused by some instrumentation being left behind in the Master Boot Record (MBR) from a previous encryption performed on the disk. This can happen when encrypting your disk and then removing the partition tables, reformatting and reinstalling the Linux operating system over the top of the encrypted disk or re imaging the disk. You can tell if you are affected by this problem by running a command to check the status of encryption on the disk:

pgpwde --status --disk 0 (replace disk 0 with the correct disk number if this is not the primary drive that you are working with)

Check if the output of this command states that the drive is instrumented but the instrumentation data is invalid.

Resolution

You can wipe the disk using several methods (varied success has been reported with the dd commands). The full disk wipe (method 2) appears to produce better results but takes more time.

Method 1 (replace MBR method)

Zero out the MBR using a DD utility

1) Boot off a Linux Live CD (you will most likely not be able to modify the MBR while booted into the affected OS)

2) Run the dd command to wipe the drive (it's possibly you may have to install the dd utility using your Linux package management system for your distribution first)

dd if=/dev/zero of=/dev/sdX bs=446 count=1

Note: Replace "X" in the of field with the drive that is your boot drive.

Example:

Disk 0 (/dev/sda) is your primary boot drive

dd if=/dev/zero of=/dev/sda bs=446 count=1

3) If you are doing this on a system that hasn't had the operating system installed on it you should be fine to install the OS now if not, proceed to Step 4

4) Mount the / and /boot partitions

mkdir /mnt/sysimage

mkdir /mnt/sysimage/boot

mkdir /mnt/sysimage/proc

mkdir /mnt/sysimage/dev

mkdir /mnt/sysimage/dev/pts

mkdir /mnt/sysimage/sys

mount /dev/sda2 /mnt/sysimage (or whatever partition number is the root partition)

mount /dev/sda1 /mnt/sysimage/boot (or whatever the partition number is for the boot partition)

5) Mount /proc and /dev

mount -o bind /proc /mnt/sysimage/proc

mount -o bind /dev /mnt/sysimage/dev

mount -o bind /dev/pts /mnt/sysimage/dev/pts

mount -o bind /sys /mnt/sysimage/sys

6) Chroot into the environment

chroot /mnt/sysimage /bin/bash

7) Re-install grub boot loader

grub-install /dev/sda

Method 2 (full disk wipe method)

Note: This method will require a restore of your data from backup and reinstalling the Linux operating system as it wipes the entire drive

1) Download a disk wipe utility such as dban. http://sourceforge.net/projects/dban/files/dban/dban-2.2.7/dban-2.2.7_i586.iso/download

2) Wipe the disk (usually just a quick wipe is sufficient).

3) Reinstall the operating system.

4) Encrypt the drive again.

Applies To

Symantec Drive Encryption (formerly PGP Whole Disk Encryption)

Linux 2.6 kernel or newer