Symantec Drive Encryption 10.2.1 for Mac OS X can automatically encrypt a disk that no known passphrase will unlock

Article ID: 158553

Products

Drive Encryption

Issue/Introduction

Symantec Drive Encryption 10.2.1 for Mac OS X can automatically encrypt a disk that no known passphrase will unlock.

Cause

Mac OS X uses a utility called Keychain Access, which can store passwords, link other accounts so that they are unlocked automatically when a particular keychain is unlocked, and so on. Symantec Drive Encryption (formerly known as PGP Whole Disk Encryption) also uses Keychain Access to enroll the Symantec Drive Encryption client with the Symantec Encryption Management Server (SEMS, formerly known as PGP Universal Server). The entries Symantec Encryption Desktop creates in the keychain are labeled "PGP Passphrase", "PGP LDAP" and "PGP Universal Auth Cookie". The "PGP Passphrase" entry is associated with the user who enrolled to SEMS. Each of these entries is protected with a password that can only be unlocked if the current keychain password is known. Multiple entries may also exist if multiple users have enrolled on the system, and older entries for the same user may remain whose passphrase is no longer known.

With Symantec Drive Encryption 10.2.1, if pre-existing PGP entries whose password is no longer known remain in Keychain Access, a Drive Encryption user can still be added to the disk, and as a result no passphrase is known that would allow authentication to occur.

During a normal encryption process under the above conditions, the user enters his/her LDAP credentials to enroll. The enrollment process configures a PGP key and then adds a user to the disk for Symantec Drive Encryption. A pop-up appears to confirm that the Drive Encryption passphrase matches what was just entered; if it matches, normal encryption proceeds. If the passphrases do not match, the window will not accept the passphrase. If the user then clicks "Cancel" in this pop-up window, the error "PGPError #-1" occurs.

The end result is that the user is left on the disk with no known passphrase set for that user, and there is no way to authenticate to the drive or decrypt it unless a WDE Admin Passphrase was added to the disk. In this case, also try using a Whole Disk Recovery Token to gain access to the system.

Resolution

The workaround for this issue when using Symantec Drive Encryption 10.2.1 is to clear out *all* of the Keychain Access entries that Symantec Drive Encryption creates, as listed above. The client must then be re-enrolled to recreate fresh Keychain Access entries. The new PGP entries added to Keychain Access carry the current, known passphrase, and the Symantec Drive Encryption user is properly added to the disk.
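As an added example (not part of this article or of Symantec's tooling), the shell helper below scans a keychain text dump for the three item labels named above and reports any label that appears more than once for the same account, so stale entries from an earlier enrollment can be identified before they are cleared. The dump layout it parses (one `keychain:` line per item, the `0x00000007` label attribute and the `acct` attribute) is an assumption about the output of `security dump-keychain`, and the sample dump is constructed.

```shell
#!/bin/sh
# Added example, not Symantec's code. Parses a keychain dump in the layout
# assumed to come from `security dump-keychain` (attributes only, no secrets).

# Constructed sample: two "PGP Passphrase" items for the same account (one
# stale from a previous enrollment), plus the LDAP and auth-cookie items and
# one unrelated item that must be ignored.
SAMPLE_DUMP='keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
class: "genp"
attributes:
    0x00000007 <blob>="PGP Passphrase"
    "acct"<blob>="jdoe"
keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
class: "genp"
attributes:
    0x00000007 <blob>="PGP Passphrase"
    "acct"<blob>="jdoe"
keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
class: "genp"
attributes:
    0x00000007 <blob>="PGP LDAP"
    "acct"<blob>="jdoe"
keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
class: "genp"
attributes:
    0x00000007 <blob>="PGP Universal Auth Cookie"
    "acct"<blob>="jdoe"
keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
class: "genp"
attributes:
    0x00000007 <blob>="Wi-Fi"
    "acct"<blob>="jdoe"'

# Print "label<TAB>account" for every item whose label starts with "PGP ".
# $1 is the dump text; on a Mac use: pgp_items "$(security dump-keychain)".
pgp_items() {
    printf '%s\n' "$1" | awk '
        /^keychain:/ { if (label ~ /^PGP /) print label "\t" acct; label=""; acct="" }
        /0x00000007 <blob>=/ { sub(/.*<blob>="/, ""); sub(/"$/, ""); label=$0 }
        /"acct"<blob>=/      { sub(/.*<blob>="/, ""); sub(/"$/, ""); acct=$0 }
        END { if (label ~ /^PGP /) print label "\t" acct }'
}

# Total number of PGP items the article says must all be removed.
pgp_item_count() { pgp_items "$1" | wc -l | tr -d ' '; }

# Labels stored more than once for one account: the stale-entry symptom.
pgp_duplicate_labels() { pgp_items "$1" | sort | uniq -d | cut -f1; }
```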

This issue has been resolved in Symantec Drive Encryption 10.3.1 and above.

For information on how to re-enroll a Symantec Encryption Management Client for Mac OS X, please see KB TECH178358.

Applies To

* Auto-encrypt has been enabled for Drive Encryption.
* Silent enrollment is enabled.
* The drive was previously encrypted but was later decrypted.
* Once the drive was fully decrypted, the user logged out of the machine and/or rebooted the system, then logged back in to the user profile.