The PGP Whole Disk Encryption solution (PGP WDE) allows PGP Administrator Keys as well as PGP Admin Keys to perform PGP WDE maintenance on a disk in cases where regular passphrase users are not allowed to perform these operations.
This article describes how to use the PGP WDE Admin Passphrase functionality with PGP WDE.
To have the PGP WDE Admin Passphrase user added to a PGP Disk, the WDE Admin Passphrase must be configured in the Consumer Policy on PGP Universal Server, under Disk Encryption. The option to configure is called “Encrypt WDE disks to a Disk Administrator Passphrase”.
If the passphrase entered as the WDE Admin Passphrase is forgotten, click the Change button and set a new Admin Passphrase. Once the clients update policy, the new Administrator Passphrase is added to the PGP WDE Disk.
The WDE Admin Passphrase user is added to the disk when the disk starts encryption, or when the PGP WDE client updates policy after the passphrase has been added to policy.
Once the Admin Passphrase has been added to the PGP WDE Disk, certain PGP WDE operations can be executed using the PGP WDE Admin Passphrase.
Finding the disk number to use on PGP WDE Disks:
pgpwde --enum
Disk 0 is typically the boot disk; higher disk numbers are additional disks attached to the system.
Adding users:
pgpwde --add-user -u "username here" -p "passphrase here" --disk X --aa --admin-passphrase "WDE Admin Passphrase here"
Removing users:
pgpwde --remove-user -u "username of user to remove here" --disk X --aa --passphrase "WDE Admin Passphrase here"
TIP: If the username is not known, use the --list-user command shown below to find it.
Listing all users of a disk:
pgpwde --list-user --disk X --aa
Listing the Status of a disk:
pgpwde --status --disk X --aa
Decrypting a disk:
pgpwde --decrypt --disk X --aa --passphrase "WDE Admin Passphrase here"
Pausing encryption or decryption of a disk:
pgpwde --stop --disk X --aa --passphrase "WDE Admin Passphrase here"
Resuming the encryption or decryption of a disk after it has been paused:
pgpwde --resume --disk X --aa --passphrase "WDE Admin Passphrase here"
NOTE: The Admin Passphrase cannot be used to start encryption of a disk, because the PGP WDE Admin Passphrase user has not yet been added to the disk at that point. This user must be present on the disk before it can authenticate the commands above.
To run all of the above commands as well as the encryption commands, use the WDE-ADMIN user. For more information about the WDE-ADMIN group, consult the PGP Encryption Server Administrator’s Guide.
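The following wrapper is an added example, not part of this article or of PGP WDE itself; it only assembles the pgpwde maintenance commands listed above. It assumes the option names exactly as shown on this page, uses plain ASCII quotes (curly quotes are passed to pgpwde as literal characters and break option parsing), rejects non-numeric disk numbers, and takes the WDE Admin Passphrase from the hypothetical WDE_ADMIN_PASSPHRASE environment variable so it does not land in shell history; the PGPWDE_DRY_RUN variable is likewise an assumption of this example.

```shell
#!/bin/sh
# Hypothetical wrapper (added example, not from the article or PGP WDE) around
# the pgpwde maintenance commands above. Disk numbers are validated, and the
# WDE Admin Passphrase is read from WDE_ADMIN_PASSPHRASE instead of being typed
# on the command line. With PGPWDE_DRY_RUN=1 the command is printed instead of
# run, with every passphrase value hidden.
PGPWDE="${PGPWDE:-pgpwde}"

# Accept only a disk number as reported by 'pgpwde --enum' (0 is usually boot).
wde_check_disk() {
    case "$1" in
        ''|*[!0-9]*) echo "invalid disk number: '$1'" >&2; return 1 ;;
    esac
}

# Fail early if the admin passphrase is missing; its value is never echoed.
wde_need_admin() {
    [ -n "$WDE_ADMIN_PASSPHRASE" ] || { echo "WDE_ADMIN_PASSPHRASE not set" >&2; return 1; }
}

# Run pgpwde with the given words, or print them in dry-run mode. Each word is
# shown in brackets; the value after -p/--passphrase/--admin-passphrase is hidden.
wde_run() {
    if [ "${PGPWDE_DRY_RUN:-0}" != "1" ]; then "$PGPWDE" "$@"; return; fi
    printf '%s' "$PGPWDE"; hide=0
    for a in "$@"; do
        if [ "$hide" = 1 ]; then a='<hidden>'; hide=0; fi
        case "$a" in -p|--passphrase|--admin-passphrase) hide=1 ;; esac
        printf ' [%s]' "$a"
    done
    printf '\n'
}

# wde_add_user DISK USERNAME USER_PASSPHRASE   (see "Adding users")
wde_add_user() {
    wde_check_disk "$1" && wde_need_admin || return 1
    wde_run --add-user -u "$2" -p "$3" --disk "$1" --aa \
        --admin-passphrase "$WDE_ADMIN_PASSPHRASE"
}
# wde_remove_user DISK USERNAME   (see "Removing users")
wde_remove_user() {
    wde_check_disk "$1" && wde_need_admin || return 1
    wde_run --remove-user -u "$2" --disk "$1" --aa --passphrase "$WDE_ADMIN_PASSPHRASE"
}
# Read-only queries need no passphrase.
wde_list_users() { wde_check_disk "$1" && wde_run --list-user --disk "$1" --aa; }
wde_status()     { wde_check_disk "$1" && wde_run --status --disk "$1" --aa; }
```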