Symantec Endpoint Encryption permits offline managed clients to encrypt hard drives using Drive Encryption


Article ID: 162352


Products

Endpoint Encryption

Issue/Introduction

Symantec Endpoint Encryption Drive Encryption permits managed clients that are disconnected from the Symantec Endpoint Encryption Management Server to encrypt hard drives.

No warning or error messages are displayed to the user.

Cause

Symantec Endpoint Encryption supports "Connectionless" recovery using "Challenge Keys". Because a locked drive can be recovered this way even when the Management Server holds no record of the client, Drive Encryption does not require a connection to the server before it encrypts a drive.

Resolution

If the Symantec Endpoint Encryption Management Server is unreachable at the time that a drive is encrypted, the encryption will still take place and pre-boot authentication will be required.

If the user forgets their pre-boot passphrase and presses F4 to enter a recovery token, they will see the Advanced Help Desk Recovery screen.

The typical recovery screen, for a system that has connected to the Management Server, displays the Computer Name and a Sequence Number that the user reads to the SEE Help Desk administrator. The Help Desk administrator responds with a Response Key that is entered on this screen.


If the client has **not** connected to the SEE Management Server, or is "offline", recovery is still possible: in this scenario a Challenge Key is used instead. This is "Connectionless" recovery. To reach this screen, press F4 on the main pre-boot screen, and then press F5 on the Advanced Help Desk Recovery screen.

This screen displays the Computer name, a Sequence Number and a Challenge Key. The Challenge Key is 32 characters long, displayed as two 16-character parts, and each part is followed by a two-character checksum in square brackets. The user reads the Computer name, the Sequence Number and both parts of the Challenge Key to the Help Desk:

[Screenshot: Advanced Help Desk Challenge Key]

As the screenshot above shows, a checksum is displayed next to each part so that the Help Desk can confirm the part was typed in correctly. In this example the checksum for the first line is "TT" and for the second line "ZB".

The Help Desk administrator opens the Help Desk Recovery Program from Symantec Endpoint Encryption Manager and enters the Computer name, Sequence Number and both parts of the Challenge Key.

The Help Desk administrator confirms that both parts of the Challenge Key were entered correctly by comparing the two-character checksums the program displays with the ones the user reads out (TT and ZB in this example):

[Screenshot: Help Desk Recovery Challenge Key]

The Help Desk administrator is then given a Response Key to read back to the user; it also carries a two-character checksum (LL in this example). Because the Response Key unlocks the drive, the Help Desk should verify the caller's identity according to the organization's normal procedure before reading it out:

[Screenshot: Help Desk Recovery Response Key]

The user enters the Response Key, confirms it was typed correctly using its two-character checksum, and can then complete pre-boot authentication:

[Screenshot: Advanced Help Desk Response]
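To make the checksum step concrete, the following is an added Python example; it is not part of this article and not Symantec's code. It parses a Challenge Key in the layout the pre-boot screen displays (two 16-character parts, each followed by a two-character checksum in square brackets), recomputes each checksum from what the Help Desk typed, and flags any half that does not match. The checksum algorithm SEE actually uses is not documented here, so demo_checksum() is a hypothetical stand-in (CRC-32 folded onto two letters); the assumption that key characters are A-Z and 0-9 is mine, and the sample key is constructed, so its checksums are not the TT/ZB values shown in the screenshots.

```python
"""Transcription check for a SEE-style Challenge Key (added example).

The Challenge Key is shown as two 16-character parts, each followed by a
two-character checksum in square brackets, e.g.  7K3QWZ9M2HD5PX8C[QF].
demo_checksum() is a HYPOTHETICAL stand-in for the undocumented SEE
checksum; it only illustrates how a two-character check catches typos.
"""
import re
import string
import zlib

ALPHABET = string.ascii_uppercase          # 26 letters -> 676 possible checksums
# Assumption: key parts use A-Z and 0-9; the page does not state the alphabet.
PART_RE = re.compile(r"^([A-Z0-9]{16})\[([A-Z]{2})\]$")


def demo_checksum(part: str) -> str:
    """HYPOTHETICAL checksum: CRC-32 of the 16-char part folded onto two letters.
    Not the algorithm Symantec Endpoint Encryption uses."""
    crc = zlib.crc32(part.encode("ascii")) & 0xFFFFFFFF
    n = crc % (len(ALPHABET) ** 2)
    return ALPHABET[n // len(ALPHABET)] + ALPHABET[n % len(ALPHABET)]


def parse_part(line: str):
    """Split one displayed line into (16-char part, 2-char checksum).
    Raises ValueError if the line is not in PART[CK] form."""
    m = PART_RE.match(line.strip().upper())
    if not m:
        raise ValueError(f"malformed Challenge Key part: {line!r}")
    return m.group(1), m.group(2)


def verify_challenge_key(line1: str, line2: str) -> dict:
    """Check both halves the way the Help Desk does after typing them in.

    For each half, compare the checksum the user read out ('shown') with the
    checksum recomputed from the typed characters ('computed').
    """
    result = {"parts": [], "ok": True}
    for line in (line1, line2):
        part, shown = parse_part(line)
        computed = demo_checksum(part)
        match = computed == shown
        result["parts"].append(
            {"part": part, "shown": shown, "computed": computed, "match": match}
        )
        result["ok"] = result["ok"] and match
    result["key"] = "".join(p["part"] for p in result["parts"])
    return result


def render_part(part: str) -> str:
    """Format a 16-char part as the pre-boot screen would: PART[CK]."""
    return f"{part}[{demo_checksum(part)}]"


if __name__ == "__main__":
    # Constructed sample key; not taken from a real SEE client.
    half1 = "7K3QWZ9M2HD5PX8C"
    half2 = "B4NR6TLF1GYJ0VSE"
    screen = [render_part(half1), render_part(half2)]
    print("Pre-boot screen shows:", screen)

    good = verify_challenge_key(*screen)
    print("Typed correctly ->", good["ok"], good["key"])

    # Help Desk swaps two adjacent characters in the first half but keys in
    # the checksum the user read out; the stand-in checksum is expected to
    # differ (it collides with probability 1/676 for a random error).
    typo = half1[:5] + half1[6] + half1[5] + half1[7:]
    bad = verify_challenge_key(f"{typo}[{demo_checksum(half1)}]", screen[1])
    print("Transposition ->", bad["ok"], bad["parts"][0])
```

Run it directly to see the screen rendering, the successful check, and the transposition being flagged; a malformed line (wrong length or missing brackets) raises ValueError before any checksum comparison.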


A Challenge Key exchange is longer than the normal Sequence Number and Response Key exchange, but it is needed only when the SEE client has never communicated with the Symantec Endpoint Encryption Management Server.
