Legacy PGP - Using the Encryption Desktop Recovery Disk to decrypt a drive
Article ID: 163334
Updated On:
Products
Issue/Introduction
If a machine fails to load Windows or Encryption Desktop Drive Encryption bootguard (pre-boot) fails to load, you will need to decrypt the drive.
The recommended method of recovering an encrypted drive is to create Windows 10 WinPE recovery media because it boots to a command prompt and allows you to run PGPwde.exe, the Drive Encryption command line tool. Using the command line tool you can, for example, authenticate to the drive and copy important files from it.
If you do not have access to the WinPE recovery media, you can create bootable USB media.
The Encryption Desktop Recovery Disk has the same functionality as the bootable USB media but it is extremely slow for decrypting a drive. The rate of decryption is approximately 9 GB per hour which means it will take about 28 hours to decrypt a 250 GB drive. Please therefore only use it to decrypt a drive as a last resort. The bootable USB media or Drive Encryption command line tool will decrypt a disk many times faster than the Recovery Disk.
The Recovery Disk can only be used on machines running legacy BIOS (not UEFI). To determine if you are using Legacy BIOS, run msinfo32 or click on Control Panel / System and Security / Administrative Tools / System Information. In System Summary, check that the value of BIOS Mode is Legacy.
The Recovery Disk allows you to do the following:
- Load bootguard.
- Authenticate.
- Either attempt to load Windows or decrypt the drive.
Note that if a machine can already load bootguard but you cannot authenticate, it is unlikely that the Recovery Disk will be of any help.
Environment
Symantec Encryption Desktop Drive Encryption 10.4 and above for Windows.
Resolution
To create the Recovery Disk simply locate the bootg.iso file on a machine that is running the same release of Encryption Desktop as the machine that has problems and burn the ISO to optical media. In Windows 10, do this by right clicking on the file and choosing Burn disc image.
- If the system with problems is 64-bit, the file is "C:\Program Files (x86)\PGP Corporation\PGP Desktop\bootg.iso".
- If the system with problems is 32-bit, the file is "C:\Program Files\PGP Corporation\PGP Desktop\bootg.iso".
To use the Recovery Disk, please do the following:
- Insert the disc into your system.
- Access your system's boot option menu (usually by pressing F9, F10, or F12 immediately after powering up Windows, but consult the user guide of your PC for more details).
- Select the optical drive from the boot option menu to boot from the Recovery Disk.
- The initial screen states PGP Recovery Disk. Press any key to continue.
- At the bootguard screen you must authenticate. You can use a user's passphrase, a disk administrator passphrase or a WDRT (Whole Disk Recovery Token). Note that the US English keyboard is loaded by default. It can be changed by navigating to the Keyboard option and selecting a different keyboard.
- Providing that the drive encryption record can be found or recovered, you have the option of pressing the D key to immediately start the decryption process or any other key to load Windows.
- If Windows loads successfully, you can copy important files from the machine prior to rebooting and starting the decryption process.
This is the Recovery Disk screen after successful authentication:
Additional Information
If you do not have access to a machine that is running the same release of Encryption Desktop as the machine that has problems, the Recovery Disk ISO files for release 10.4 and above are attached to this article.
Symantec Encryption Desktop releases prior to 10.4.2 have reached their End of Service date. However, the Recovery Disk ISO files for release 10.3.2 are available here.
Attachments
Feedback
