PGP BootGuard Screen Remains after Decrypting Disk

Article Id: 158311
Status: Published
Updated On: 18-09-2013 11:35
Legacy Id: TECH209669
Products:
Drive Encryption
Issue/Introduction:

After decrypting a disk encrypted with Symantec Drive Encryption, when rebooting you are prompted to enter your passphrase.

Although the hard drive was decrypted, the hard drive is still booting using the PGPMBR or is instrumented by PGP BootGuard and requires a passphrase for authentication.

In most cases, the disk appears instrumented after decryption when one of the encrypted partitions becomes inaccessible. You can verify this from the Windows Disk Management Utility that shows one of the partitions as Raw.

Resolution:

Resolution(s)

Uninstrument the drive in question to remove PGP BootGuard instrumentation from the specified disk. To do this, use the following procedures.

Determine if the hard drive is still encrypted or instrumented by Symantec Drive Encryption:

  1. Click Start > Run.
  2. Type cmd and press Enter.
  3. Type cd\ and press Enter.
  4. Type cd Program Files and press Enter.
  5. Type cd PGP Corporation and press Enter.
  6. Type cd PGP Desktop and press Enter.
  7. Type pgpwde --enum and press Enter.

This command shows the current drives detected by Symantec Drive Encryption. The disks are labeled as Disk 0, Disk 1, Disk 2 and so on. Disk 0 is typically the boot volume or drive.

For the disk that you believe is encrypted by Symantec Drive Encryption, type pgpwde --status --disk 0 (or the disk number in question) and press Enter. This command shows the status of the disk. If the drive is still encrypted or partially encrypted, it lists a high-water mark value for the disk. The high-water mark depicts how many sectors are encrypted. If no disk with high-water mark is listed, and the message "Disk 0 is instrumented by bootguard" appears, then you need to uninstrument the disk.

If the disk still displays a high-water mark, you still have to decrypt the drive. If the Symantec Encryption Desktop graphical interface does not allow you to decrypt, you can decrypt from a command line. Use the command line interface only if the Symantec Encryption Desktop does not allow you to enter a passphrase and decrypt.

Caution: If any fixed disks are encrypted, decrypt them before you uninstrument disk 0.  Symantec Drive Encryption does not know if required system files exist on other fixed disks. Therefore, when any fixed disk is encrypted, the main boot disk is instrumented as well. Before you uninstrument the boot disk, other disks should be decrypted.

Decrypting from a Command Line

  1. From the command line, type pgpwde --decrypt --disk 0 (or the disk in question) --passphrase "enter passphrase here within double quotes" and press Enter.

    The decryption of the disk starts, and the PGP Tray icon shows its progress.
     
  2. After decryption is complete, type pgpwde --status --disk 0 and press Enter to verify if the disk is still instrumented.

    If the drive is not encrypted, the hard drive should boot normally. If the drive is still instrumented, but no high-water mark is displayed, proceed to the next step.
     

Uninstrumenting your system

  1. From the command line, type pgpwde --uninstrument --disk 0 (or for the disk in question) and press Enter.

    You will then be returned to the command prompt with no further message. This should uninstrument the drive and allow you to boot normally.
     
  2. Type pgpwde --status --disk 0 and press Enter to verify success.
  3. Reboot the computer and you should no longer be prompted for a passphrase.

    You can also use bootg.iso from a removable device to uninstrument a disk. Bootg.iso file is available in the Symantec Encryption Desktop installation folder.

    Bootg.iso provides the PGP BootGuard interface of Symantec Encryption Desktop when you run it from a removable device.
     

Uninstrumenting the disk using bootg.iso

  1. Run bootg.iso from a removable device to boot into the machine.
  2. Authenticate to bootg.iso interface using your credentials. After authentication, bootg.iso prompts you to press the D key from you keyboard to decrypt or any other key to boot into the operating system.
  3. Press the D key. Decryption and uninstrumentation of the disk starts.
  4. Remove the removable device, and restart the system.
  5. Type pgpwde --status --disk 0 and press Enter to verify success.
     

Note: You might need to format the partition before being able to use it again.