Encryption Desktop Drive Encryption will not allow a user to decrypt their disk

Article ID: 161545

Products

  • Drive Encryption
  • Encryption Management Server
  • Drive Encryption Powered by PGP Technology
  • Encryption Management Server Powered by PGP Technology

Issue/Introduction

Encryption Desktop will not allow a user to decrypt an internal disk after the user clicks the Decrypt button.

It also prevents decryption if a user presses the Stop button while a disk is being encrypted and then chooses Decrypt from the dialog that follows.

The user sees this error message:

Unable to decrypt: Not permitted by your Administrator (-12198)

Cause

The Encryption Desktop user belongs to an Encryption Management Server policy that does not permit users to decrypt their internal disks. This is the policy working as intended, not a defect: administrators usually do not allow end users to decrypt their own disks, because doing so would remove the at-rest protection the policy is there to enforce. Decryption therefore has to be authorized by an administrator, as described below.

Environment

  • Symantec Encryption Desktop 10.4.2 and above.
  • Symantec Encryption Management Server 3.4.2 and above.

Resolution

Use either the Disk Administrator Passphrase or Admin Authorization to decrypt the disk.

1. Decrypting with the Disk Administrator Passphrase

If the user's policy has a Disk Administrator Passphrase set, that passphrase can be used to decrypt the disk. Click the Decrypt button and, when prompted for a passphrase, enter the Disk Administrator Passphrase instead of the user's own passphrase. Decryption then begins.

2. Decrypting with Admin Authorization

Users who belong to the Active Directory security group named WDE-ADMIN can use Admin Authorization with PGPwde.exe, the Drive Encryption command line tool, to decrypt the disk.

PGPwde.exe is located in the following directory on 32-bit and 64-bit Windows systems respectively:

  • "C:\Program Files\PGP Corporation\PGP Desktop"
  • "C:\Program Files (x86)\PGP Corporation\PGP Desktop"

If the logged-in user is not a member of the WDE-ADMIN group, the PGPwde command can instead be run as an account that is a member of the group (for example with runas). Note that Windows evaluates group membership from the logon token, so an account added to WDE-ADMIN after logging on must log off and back on before PGPwde will see the membership.

To run the command if the logged-in user is a member of the WDE-ADMIN group (on a 64-bit system):

C:\>"\Program Files (x86)\PGP Corporation\PGP Desktop\PGPwde" -d 0 --decrypt --aa

Request sent to Start decrypt disk was successful

To run the command if the logged-in user is not a member of the WDE-ADMIN group but the account windomain\aauser is a member (on a 64-bit system):

C:\>runas /noprofile /user:windomain\aauser "\Program Files (x86)\PGP Corporation\PGP Desktop\PGPwde -d 0 --decrypt --aa"

Request sent to Start decrypt disk was successful
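The following PowerShell script is an added example and is not part of the Symantec article or the product. It wraps the two Admin Authorization commands above into one procedure: it finds PGPwde.exe in whichever of the two install directories exists, checks whether the current logon token carries the WDE-ADMIN group, and then issues the same -d <disk> --decrypt --aa request either directly or via runas as a WDE-ADMIN member. The domain name windomain, the account windomain\aauser and disk number 0 are taken from the article's examples; that aauser is actually a WDE-ADMIN member in your environment is an assumption you must adjust.

```powershell
# Added example (not from the Symantec article or the product). Issues the article's
# Admin Authorization decrypt request, choosing the direct or runas form automatically.
# Assumptions: disk 0 is the disk to decrypt and windomain\aauser is a WDE-ADMIN member.

$DiskNumber   = 0                    # disk index as used with PGPwde -d
$AdminAccount = 'windomain\aauser'   # assumed WDE-ADMIN member; change for your domain

# Install directories the article lists for 32-bit and 64-bit Windows respectively.
$Candidates = @(
    'C:\Program Files\PGP Corporation\PGP Desktop\PGPwde.exe',
    'C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPwde.exe'
)
$PgpWde = $Candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $PgpWde) {
    throw 'PGPwde.exe not found in either expected install directory; is Encryption Desktop installed?'
}

# Membership is read from the current logon token: a user added to WDE-ADMIN after
# logging on will not match here until they log off and back on.
$InWdeAdmin = (whoami /groups) -match '\\WDE-ADMIN\b'

if ($InWdeAdmin) {
    # Same request as the article: PGPwde -d <disk> --decrypt --aa
    & $PgpWde -d $DiskNumber --decrypt --aa
    if ($LASTEXITCODE -ne 0) {
        throw "PGPwde exited with code $LASTEXITCODE; the decrypt request was not accepted."
    }
} else {
    Write-Host "Current user is not in WDE-ADMIN; running PGPwde as $AdminAccount (password prompt follows)."
    # PowerShell quotes the whole command string for runas, mirroring the article's form.
    $Command = "$PgpWde -d $DiskNumber --decrypt --aa"
    runas /noprofile /user:$AdminAccount $Command
    # runas returns as soon as the new process is started, so its exit code says only
    # whether the launch succeeded; confirm the request in the window it opens.
}
```

In the direct branch the script treats a non-zero exit code from PGPwde as failure, since a successful request prints "Request sent to Start decrypt disk was successful". In the runas branch that check is not possible from the calling shell, so look for the same message in the new window; a missing message usually means the supplied account is not in WDE-ADMIN or its token predates the group membership.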
