HOWTO: Encrypt Fixed Secondary Disks Using PGPWDE Command Line with Symantec Encryption Desktop with no user intervention

book

Article ID: 178774

calendar_today

Updated On:

Products

Drive Encryption Endpoint Encryption

Issue/Introduction

 

Resolution

There may be scenarios where the fixed primary disk is encrypted, but the fixed secondary disk is not and needs to encrypted for security compliance.  One scenario may be replacing a CD drive in the drive bay with a hard drive.  Another scenario could be installing an additional fixed disk where the main boot disks encrypted, and the secondary fixed disk is not encrypted.

Requirements:

  • Primary disk *is* encrypted
  • Secondary disk *is not* encrypted
  • Secondary disk must be encrypted with no user intervention.
  • WDE-Admin Security Group must be used.

In order to encrypt these secondary fixed disks with no user intervention, the PGPwde command line utility can be used to perform this operation.  Scripting and third-party utilities can be used in conjunction with these PGPwde commands, however these options are outside the scope of Symantec Support.

One requirement to encrypting these internal disks is to first add a generic passphrase user to the primary disk (Disk 0), which clones all existing users on the primary fixed disk to the secondary fixed disk (Disk 1) for encryption and allows for proper grouping that enables the secondary disk to be unlocked by the same user as the primary disk.  This generic passphrase user can then be removed once encryption has started to avoid any security concerns.


Step 1 - Add the Generic Passphrase User to Disk 0. 
pgpwde --add-user --disk 0 -u "encrypt" -p "[email protected]" --aa

The example above adds a user called "encrypt", and a passphrase of "[email protected]" to Disk 0:

Step 2 - Encrypt Disk 1:
pgpwde --secure --disk 1  --username "encrypt" --passphrase "[email protected]"

The above command clones the users from Disk 0 to Disk 1.

Step 3 - List all users currently on Disk 1:
pgpwde --list-user --disk 1

All users from Disk 0 should now be added to Disk 1

Step 4 - Remove the Generic Passphrase User from Disk 0 and Disk 1:
pgpwde --remove-user --disk 0 -u "encrypt" -p "[email protected]" --aa

The above command can be run once users are cloned to Disk 1, and encryption has started.  It is not necessary to wait for the encryption to finish to remove this user.

Step 5 - Verify the Generic Passphrase User was removed:
pgpwde --verify-user --disk 1 -u "encrypt" -p "[email protected]"

Confirmation that the generic passphrase user "encrypt" user removed will result in "Match not found" on "Operation verify user authentication failed"

The PGPwde.exe executable is located in the following directory:

C:\Program Files (x86)\PGP Corporation\PGP Desktop

Note: The --secure option works on drives that have never been instrumented or encrypted by Symantec Drive Encryption.  If any secondary fixed disks are partially encrypted, a full decryption will be need to be performed before the above steps will succeed and users from Disk 0 are cloned to Disk 1 (use --decrypt to completely decrypt drives).


The above steps incorporate the use of the "--aa" option, which is the short version of "--admin-authorization", which requires the use of a security group called "WDE-Admin". 
 

Additional Notes for the WDE-Admin Security Group required for the steps above:
Any member of the WDE-ADMIN Active Directory group can remotely access a system to add or remove users from Symantec Drive Encryption, encrypt or decrypt a drive, and so on, using the Symantec Drive Encryption command-line tool. These administrative functions can be performed without having to request the user's passphrase. Using Active Directory, create a new Administrator Group called WDE-ADMIN. Add members to this group who are authorized to remotely access users' systems to perform Symantec Drive Encryption maintenance tasks. WDE-ADMIN is a security group, not a distribution group. The encrypted drive and Active Directory must both be running for you to use this function.
 

Creating an Active Directory group for WDE-ADMIN allows you to:

  • Log in remotely to perform Symantec Drive Encryption maintenance tasks (using the pgpwde command line).
  • Use SMS or other tools to perform Symantec Drive Encryption maintenance.
  • Use pgpwde to perform Active Directory authentication to ensure only authorized administrators can access users' systems. (Note that the system must be connected to the network and Active Directory must be running.)


--admin-authorization (--aa is the shorthand version of this command)
Specifies that the operation is authorized ed by a member of the WDE-ADMIN Active Directory group. In other words, by an administrator of Symantec Drive Encryption clients in a Symantec Encryption Management Server-managed environment. This option applies only to Windows installations. No passphrase is required on the command line when using this option. Instead, the administrator will be authenticated against the WDE-ADMIN group when the option is used.

For more information on WDE-Admin, see the Symantec Encryption Management Server Administrator's Guide, and the PGPwde Command Line User's Guide.

To identify all drives on a system, use the following command:
pgpwde --enum

To list the status of drives, use the following command:
pgpwde --status --disk 0

 

Note: The main purpose for following the steps above to encrypt secondary fixed disks is Symantec Encryption Desktop is not designed to force the encryption on fixed secondary hard drives, even if the primary fixed disk is encrypted.  Although Symantec Drive Encryption (formerly known as PGP Drive Encryption) does not automatically encrypt secondary fixed drives, Symantec Endpoint Encryption 11.1 (which includes PGP technology) includes functionality which *does* provide forced encryption of all drives on a computer.  Symantec Endpoint Encryption 11.1 provides an in-place upgrade which upgrades to Symantec Endpoint Encryption 11.1 over Symantec Drive Encryption 10.3.2 MP4 and later without the need to decrypt (See DOC9135 for more details on upgrading).

 

Additional References:
PGP Whole Disk Encryption Command Line User's Guide

Symantec Encryption Management Server 3.3.2 Administrator's Guide

PGP WDE Command-line Tool Guide