The ADK can't be used to unlock PGP WDE encrypted disks at the bootguard


Article ID: 156509


Products

Symantec Products

Issue/Introduction

The ADK (Additional Decryption Key) is a central key that is added to every PGP WDE encrypted hard disk. At the bootguard, however, this key fails to authenticate against the disk.

Cause

 

For the ADK to be usable on a token at the bootguard, its entry in the disk's user list would have to say "Type: PGP Key on Token".
The ADK is never added as a PGP Key on Token. That type is used only for WDE admin keys, which can be specified in the Consumer Policies, and for manually added token user accounts.

The ADK can only be used from another running PGP Desktop installation to which the disk in question is attached (slaved) as a secondary disk.

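Example: in the user list below, the ADK (User 3, ADK_SIS) is listed as "Type: PGP Key", whereas User 1 is listed as "Type: PGP Key on Token".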
 

C:\Documents and Settings\test_user>cd "\Program Files\PGP Corporation\PGP Desktop"
C:\Program Files\PGP Corporation\PGP Desktop>pgpwde --list-user --disk 0
Total of 4 users:
        User  0: Name: Test_User Type: Symmetric
        User  1: Name: Corp WDE key <[email protected]> Type: PGP Key on Token ID: 0x67A8EECB
        User  2: Name: WDEUser2 Type: Symmetric
        User  3: Name: ADK_SIS Type: PGP Key ID: 0xE7D9D4C2  A: M

System Record Information:
  Serial Number: 1
      Disk UUID: 50b50170-4409-4904-b4aa-a5e98bcd201d
     Group UUID: 50b50170-4409-4904-b4aa-a5e98bcd201d
Request sent to List users on disk was successful
C:\Program Files\PGP Corporation\PGP Desktop>

Resolution

Use a WDE admin key instead. The WDE admin key can be configured in the Consumer Policy on the PGP Universal server.
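
As an added example (not Symantec's code and not part of the original article), the following Python check parses captured `pgpwde --list-user` output, reports the ADK's entry type and lists the entries of type "PGP Key on Token". The sample output is constructed in the format shown above with a placeholder e-mail address, and the function names are this example's own.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample in the `pgpwde --list-user` format; the e-mail is a placeholder.
SAMPLE = """\
Total of 4 users:
        User  0: Name: Test_User Type: Symmetric
        User  1: Name: Corp WDE key <wde-admin@example.com> Type: PGP Key on Token ID: 0x67A8EECB
        User  2: Name: WDEUser2 Type: Symmetric
        User  3: Name: ADK_SIS Type: PGP Key ID: 0xE7D9D4C2  A: M
"""

TOKEN_TYPE = "PGP Key on Token"
USER_RE = re.compile(
    r"^\s*User\s+(?P<index>\d+):\s+Name:\s+(?P<name>.+?)\s+Type:\s+(?P<type>.+?)"
    r"(?:\s+ID:\s+(?P<key_id>0x[0-9A-Fa-f]+).*)?$"
)
TOTAL_RE = re.compile(r"^\s*Total of (\d+) users?:")

class WdeUser(NamedTuple):
    index: int
    name: str
    type: str
    key_id: Optional[str]

def parse_users(output: str) -> list:
    """Parse the user lines; fail if the declared total does not match."""
    users, declared = [], None
    for line in map(str.rstrip, output.splitlines()):
        if (m := TOTAL_RE.match(line)):
            declared = int(m.group(1))
        elif (m := USER_RE.match(line)):
            users.append(WdeUser(int(m["index"]), m["name"], m["type"], m["key_id"]))
    if declared is not None and declared != len(users):
        raise ValueError(f"expected {declared} users, parsed {len(users)}")
    return users

def bootguard_report(output: str, adk_name: str) -> dict:
    """Report the ADK's entry type and which entries are token keys."""
    users = parse_users(output)
    adk = next((u for u in users if u.name == adk_name), None)
    return {
        "adk_type": adk.type if adk else None,
        "adk_listed_as_token_key": bool(adk and adk.type == TOKEN_TYPE),
        "token_keys": [u.name for u in users if u.type == TOKEN_TYPE],
    }

if __name__ == "__main__":
    print(bootguard_report(SAMPLE, "ADK_SIS"))
```

An empty `token_keys` list means the disk has no entry of the type the Resolution relies on.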