Encryption Desktop prompts for credentials in order to access a secondary drive

Article ID: 162628

Products

Drive Encryption

Issue/Introduction

On a machine with two drives, both of which are encrypted with Encryption Desktop drive encryption, you are prompted for credentials in order to access the secondary drive.

Cause

The boot drive and the secondary drive are in different Disk Groups and therefore have separate passphrase users associated with them.

One reason this will occur is if the secondary drive is detected by Encryption Desktop as Removable Media rather than a Fixed Disk.

Environment

Symantec Encryption Desktop 10.3.2 MP13 and above.

Resolution

Check whether Encryption Desktop has classified the secondary drive as Removable Media and/or whether the secondary drive is in a different Disk Group to the boot drive:

  1. Open Encryption Desktop.
  2. Click on PGP Disk from the left menu.
  3. Click on Encrypt Disk or Partition.
  4. The drives are listed under Select disk or partition to encrypt.
  5. Drives are described as either Fixed Disk or Removable Media.
  6. Click on the boot drive and note the list of users in the User Access section.
  7. Click on the secondary drive. If the list of users in the User Access section is different to those listed for the boot drive then the secondary drive is in a different Disk Group.

Before the secondary drive can be added to the same Disk Group as the boot drive, it needs to be decrypted. Click on the drive and then click on the Decrypt button. You will be prompted for the passphrase of one of the users in the User Access list of the secondary disk. Note that the account will need appropriate permissions to decrypt the drive. These permissions are set in Consumer Policy in Encryption Management Server for managed clients.

After the secondary drive is decrypted, it is worth investigating whether Windows can be configured to treat the drive as fixed rather than removable. See the suggestions in this article for example.

If Encryption Desktop detects the secondary drive as a Fixed Disk, you need only supply a valid user passphrase for the boot drive when you encrypt it. The secondary drive will automatically be added to the same Disk Group as the boot drive and the same users will have access to it.

If Encryption Desktop still detects the secondary drive as removable, you will need to add it to the same Disk Group as the boot drive before you encrypt. To do this:

  1. Open a command prompt.
  2. Change directory to "C:\Program Files (x86)\PGP Corporation\PGP Desktop" on a 64-bit system or "C:\Program Files\PGP Corporation\PGP Desktop" on a 32-bit system.
  3. List the disks and display the Disk Group UUID. The boot drive will be shown as a Managed disk and the secondary drive as an Unmanaged disk. The boot drive will be Disk 0 and the secondary drive will usually be Disk 1:
    pgpwde --enum
  4. Add the secondary drive to the Disk Group of disk 0. You will be prompted for the passphrase of a user with permissions to do this:
    pgpwde --add-disk --base 0 --disk 1 --interactive
  5. Confirm that both disks are in the same Disk Group:
    pgpwde --enum
  6. If you examine the drive in Encryption Desktop, you will notice that the same passphrase users that are associated with the boot drive are now associated with the secondary drive. Note that you may need to close Encryption Desktop and open it again to refresh the user list.
  7. Encrypt the secondary drive using Encryption Desktop or use pgpwde:
    pgpwde --encrypt -d 1 --interactive