ElcomSoft falsely claims their product could crack Symantec Drive Encryption


Article ID: 157671


Updated On:


Drive Encryption


Symantec was made aware of a claim made by ElcomSoft that their product could decrypt PGP containers (as well as other Full Disk Encryption competitors). After review of their blog and with the Symantec Encryption Engineering team, the conclusion is that this claim is false.



The weakness is not the Crypto Containers. The keys are held in memory so the system can read and write information in real-time versus asking a user to constantly enter the passphrase to unlock the data for access.



Retrieving Decryption Keys in an Ideal World

When a system is encrypted with Symantec Drive Encryption (previously known as PGP Whole Disk Encryption), it is not possible to access encryption keys from the hibernation file when the system is in its hibernation state or shut down.

Symantec Drive Encryption encrypts the entire disk, including any hibernation partition or hibernation file. If the hibernation file could be extracted it could be viewed, however the contents would be fully encrypted, just like anything else on the disk so the data would be useless. 

In an ideal situation there is potential to retrieve the keys when the system is powered on, however at this point access to the system has already been obtained via authentication of the passphrase at Symantec Drive Encryption’s pre-boot authentication screen.

A system left running, but unattended, is vulnerable to tools and attacks that read encryption keys from the memory of the running system.

If you are concerned about such an attack, always hibernate or shut down your system when it is not physically secured.