
Changing the encryption cipher for Drive Encryption requires the disk to be decrypted and encrypted again

Article ID: 161112

Products

Drive Encryption, Encryption Management Server

Issue/Introduction

By default, Encryption Desktop Drive Encryption uses AES-256 encryption.

Changing from AES-128 to AES-256, or vice versa, requires the disk to be decrypted and encrypted again; updating the policy alone does not change the cipher of a disk that is already encrypted.

To determine whether AES-256 or AES-128 encryption is being used, run the following command at the command prompt on 64-bit Windows (x64):

"C:\Program Files (x86)\PGP Corporation\PGP Desktop\pgpwde" --status --disk 0 --xml |find "alg"

On 32-bit Windows run:

"C:\Program Files\PGP Corporation\PGP Desktop\pgpwde" --status --disk 0 --xml |find "alg"

If AES-256 is being used the output will contain:

    <currentkey valid="true" alg="9"/>

If AES-128 is being used the output will contain:

    <currentkey valid="true" alg="7"/>

Note that the Encryption Management Server does not record whether a client machine is encrypted with the AES-128 or AES-256 cipher.

Cause

This is by design.

Environment

  • PGP Desktop Whole Disk Encryption 10.0 and above.
  • Encryption Desktop Drive Encryption 10.3 and above.
  • Encryption Management Server 3.3 and above.
  • PGP Universal Server 3.0 and above.

Resolution

1. Update the Disk Encryption policy on Encryption Management Server to use AES-256 or AES-128.

2. Right-click the Symantec Encryption Desktop tray icon and choose Update Policy to force a policy update.

3. Check that the policy has been updated by opening the file %appdata%\PGP Corporation\PGP\PGPprefs.xml in WordPad and searching for the second occurrence of wdePreferredCipher. You will see this for AES-256:

    <key>wdePreferredCipher</key>
    <integer>9</integer>

You will see this for AES-128:

    <key>wdePreferredCipher</key>
    <integer>7</integer>

4. Decrypt the disk using the Encryption Desktop user interface or, if decryption of internal disks is blocked by policy, use the pgpwde command line utility with, for example, the Disk Administrator passphrase. On 64-bit Windows (x64) use:

"C:\Program Files (x86)\PGP Corporation\PGP Desktop\pgpwde" --decrypt --disk 0 --ap passphrase

On 32-bit Windows use:

"C:\Program Files\PGP Corporation\PGP Desktop\pgpwde" --decrypt --disk 0 --ap passphrase

5. Encrypt the disk using the Encryption Desktop user interface or, if policy is set to force encryption of the boot disk, simply log off Windows and back on again.
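The two checks in this article (the `alg` attribute in the pgpwde status output, and the second wdePreferredCipher entry in PGPprefs.xml from step 3) are easy to automate when auditing a fleet, because the server does not record the cipher. The script below is an added example, not part of the article or of the Symantec product; it parses constructed sample data embedded inline. The only values taken from the article are the `<currentkey .../>` line, the key/integer pairs, the 7/9 cipher identifiers and the install paths; the surrounding XML structure of both files is an assumption made so the samples parse, and `live_status_xml` is an assumed helper that runs the real command on a Windows client.

```python
import os
import re
import subprocess
import xml.etree.ElementTree as ET

# Cipher identifiers as they appear in "pgpwde --status --xml" output and in
# PGPprefs.xml (from the article: 7 = AES-128, 9 = AES-256).
CIPHER_IDS = {7: "AES-128", 9: "AES-256"}

# Constructed sample of "pgpwde --status --disk 0 --xml" output. Only the
# <currentkey .../> line is from the article; the wrapping elements are an
# assumption so the fragment is a complete XML document.
SAMPLE_STATUS_XML = """<?xml version="1.0"?>
<wdestatus>
  <disk number="0">
    <currentkey valid="true" alg="9"/>
  </disk>
</wdestatus>
"""

# Constructed sample of %appdata%\PGP Corporation\PGP\PGPprefs.xml. The
# key/integer pairs are from the article; the nesting is an assumption that
# reproduces the "second occurrence" the article tells you to read.
SAMPLE_PREFS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>defaults</key>
  <dict>
    <key>wdePreferredCipher</key>
    <integer>9</integer>
  </dict>
  <key>wdePreferredCipher</key>
  <integer>7</integer>
</dict>
</plist>
"""


def current_cipher(status_xml: str) -> str:
    """Cipher the disk is actually encrypted with, from the status XML."""
    root = ET.fromstring(status_xml)
    key = root.find(".//currentkey")
    if key is None or key.get("valid") != "true":
        raise ValueError("no valid current key in status output (disk not encrypted?)")
    alg = int(key.get("alg"))
    return CIPHER_IDS.get(alg, f"unknown (alg={alg})")


def preferred_cipher(prefs_xml: str, occurrence: int = 2) -> str:
    """Cipher the policy asks for. The article says to read the second
    wdePreferredCipher entry, so occurrence defaults to 2."""
    values = re.findall(
        r"<key>wdePreferredCipher</key>\s*<integer>(\d+)</integer>", prefs_xml
    )
    if len(values) < occurrence:
        raise ValueError(f"only {len(values)} wdePreferredCipher entries found")
    alg = int(values[occurrence - 1])
    return CIPHER_IDS.get(alg, f"unknown (alg={alg})")


def reencryption_required(status_xml: str, prefs_xml: str) -> bool:
    """True when policy and on-disk cipher differ: the policy update alone
    did not touch the disk, so the decrypt/encrypt cycle is still outstanding."""
    return current_cipher(status_xml) != preferred_cipher(prefs_xml)


def pgpwde_path() -> str:
    """Install path of pgpwde from the article, chosen by Windows bitness
    (ProgramFiles(x86) is only set on 64-bit Windows)."""
    base = os.environ.get("ProgramFiles(x86)") or os.environ.get(
        "ProgramFiles", r"C:\Program Files"
    )
    return os.path.join(base, "PGP Corporation", "PGP Desktop", "pgpwde.exe")


def live_status_xml(disk: int = 0) -> str:
    """Assumed helper: run pgpwde on the local Windows client and return its XML."""
    result = subprocess.run(
        [pgpwde_path(), "--status", "--disk", str(disk), "--xml"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print("on disk :", current_cipher(SAMPLE_STATUS_XML))
    print("policy  :", preferred_cipher(SAMPLE_PREFS_XML))
    print("re-encrypt needed:", reencryption_required(SAMPLE_STATUS_XML, SAMPLE_PREFS_XML))
```

On a real client, replace the status sample with `live_status_xml()` and read PGPprefs.xml from `%appdata%`; a mismatch reported by `reencryption_required` is the condition this article exists for, since the server cannot tell you.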