PGP Encryption Desktop (Symantec Encryption Desktop) Drive Encryption will not allow a user to decrypt their disk

Article ID: 161545

Products

  • Drive Encryption
  • Encryption Management Server
  • Desktop Email Encryption
  • Endpoint Encryption
  • File Share Encryption
  • Gateway Email Encryption
  • PGP Encryption Suite
  • PGP Command Line
  • PGP Key Management Server
  • PGP Key Mgmt Client Access and CLI API
  • PGP SDK

Issue/Introduction

PGP Encryption Desktop (Symantec Encryption Desktop) will not allow a user to decrypt an internal disk after clicking on the Decrypt button.

It also prevents decryption if a user presses the Stop button while a disk is being encrypted and then chooses to Decrypt from the dialog that follows.

The user sees this error message:

Unable to decrypt: Not permitted by your Administrator (-12198)


Environment

  • PGP Encryption Desktop 10.4.2 and above.
  • PGP Encryption Server 3.4.2 and above (Symantec Encryption Management Server).

Cause

The PGP Encryption Desktop user belongs to a PGP Encryption Server policy that does not permit users to decrypt their internal disks. This is the usual configuration: administrators normally do not allow end users to decrypt their own disks, so the error indicates that the policy is being enforced as intended rather than a fault in the client.

Resolution

Use the Disk Administrator Passphrase or Admin Authorization to decrypt the disk. Both are administrator-held credentials that override the policy for this one disk without changing the policy itself; the Disk Administrator Passphrase should not be handed to the end user.

1. Decrypting with the Disk Administrator Passphrase

If the user's policy has a Disk Administrator Passphrase set, that passphrase can be used to decrypt the disk. Click the Decrypt button and, when prompted for a passphrase, enter the Disk Administrator Passphrase instead of the user's own passphrase; decryption then begins.

2. Decrypting with Admin Authorization

Users who belong to the Active Directory security group named WDE-ADMIN can use Admin Authorization with PGPwde.exe, the Drive Encryption command line tool, to decrypt the drive.

PGPwde.exe is installed in the PGP Desktop program folder:

  • "C:\Program Files\PGP Corporation\PGP Desktop" on 32-bit Windows
  • "C:\Program Files (x86)\PGP Corporation\PGP Desktop" on 64-bit Windows

If the logged in user is not a member of the WDE-ADMIN group, the PGPwde command can be run as a user who is a member of the group. Note that Windows evaluates group membership from the logon token, so an account that has only just been added to WDE-ADMIN must log off and log on again (or be used through runas, which creates a fresh token) before the membership takes effect.

To run the command if the logged in user is a member of the WDE-ADMIN group (on a 64-bit system; -d 0 selects the first disk):

C:\>"\Program Files (x86)\PGP Corporation\PGP Desktop\PGPwde" -d 0 --decrypt --aa

Request sent to Start decrypt disk was successful

To run the command if the logged in user is not a member of the WDE-ADMIN group but the account exampledomain\aauser is a member (on a 64-bit system; runas will prompt for that account's password):

C:\>runas /noprofile /user:exampledomain\aauser "\Program Files (x86)\PGP Corporation\PGP Desktop\PGPwde -d 0 --decrypt --aa"

Request sent to Start decrypt disk was successful
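The Admin Authorization procedure above, wrapped in a PowerShell script as an added example (this is not code from the article or from Symantec). It picks the PGPwde.exe path for the Windows bitness, checks whether the current logon token already carries WDE-ADMIN membership, and either runs PGPwde directly or starts it under a separate account, using only the flags the article shows (-d, --decrypt, --aa). The group name WDE-ADMIN and the success message come from the article; the account name exampledomain\aauser, the parameter names and the log file location are assumptions for illustration.

```powershell
# Added example, not part of the Symantec article.
# Assumptions: the AD group is WDE-ADMIN as the article states; $AdminAccount is a
# hypothetical member of that group; only the PGPwde flags shown in the article are used.
param(
    [int]$DiskNumber = 0,
    [string]$AdminGroup = 'WDE-ADMIN',
    [string]$AdminAccount = 'exampledomain\aauser'
)

# PGP Desktop lives under "Program Files (x86)" on 64-bit Windows, "Program Files" on 32-bit.
$pgpDir = if ([Environment]::Is64BitOperatingSystem) {
    Join-Path ${env:ProgramFiles(x86)} 'PGP Corporation\PGP Desktop'
} else {
    Join-Path $env:ProgramFiles 'PGP Corporation\PGP Desktop'
}
$pgpwde = Join-Path $pgpDir 'PGPwde.exe'
if (-not (Test-Path $pgpwde)) { throw "PGPwde.exe not found at $pgpwde" }

# Admin Authorization is evaluated against the Windows logon token, so inspect the
# groups in the *current token* rather than querying AD: membership granted after
# logon is not in the token until the user logs on again.
function Test-TokenGroup([string]$GroupName) {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { continue }   # skip SIDs that no longer resolve
        if ($name -like "*\$GroupName") { return $true }
    }
    return $false
}

# Same arguments as the article's command line: "-d 0 --decrypt --aa".
$wdeArgs = @('-d', $DiskNumber, '--decrypt', '--aa')

if (Test-TokenGroup $AdminGroup) {
    Write-Host "Current user is in $AdminGroup; sending decrypt request for disk $DiskNumber"
    $output = & $pgpwde @wdeArgs
} else {
    Write-Host "Current user is not in $AdminGroup; running PGPwde as $AdminAccount"
    # Equivalent of the article's runas command: Start-Process -Credential creates a fresh
    # logon token for $AdminAccount, so its WDE-ADMIN membership is visible to PGPwde.
    $cred = Get-Credential -UserName $AdminAccount -Message "Password for $AdminAccount"
    $log  = Join-Path $env:TEMP 'pgpwde-decrypt.log'   # assumed location for captured output
    Start-Process -FilePath $pgpwde -ArgumentList $wdeArgs -Credential $cred `
        -Wait -NoNewWindow -RedirectStandardOutput $log
    $output = Get-Content $log
}

$output | ForEach-Object { Write-Host $_ }

# The article's success line; anything else means the request was not accepted.
if ($output -match 'Request sent to Start decrypt disk was successful') {
    Write-Host 'Decrypt request accepted.'
} else {
    Write-Warning "PGPwde did not report success. Confirm the account is in $AdminGroup and that Admin Authorization is enabled in the policy."
}
```

Run the script from an elevated PowerShell prompt on the affected machine. The -match check is deliberately the only success criterion: PGPwde prints the request line when the decrypt is queued, and the policy error from the Issue section (-12198) would otherwise surface in the same output.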