There is a scenario where the PGPWDE configuration for Symantec Encryption Desktop (SED) goes missing from dracut configuration file  /etc/dracut.conf and directory /usr/lib/dracut/modules.d after product upgrade.

These files are important for dracat to load pgpwde driver if dracut rebuilds initial boot ramdisk.

Reproduction step 

1. Install a fresh SED 10.4.2 (or above) client on RHEL 7.x
2. Take a backup of /etc/dracut.conf file and /usr/lib/dracut/modules.d/90pgpwde folder
3. Upgrade the SED client.
4. Notice /etc/dracut.conf file and /usr/lib/dracut/modules.d/ folder. The PGPWDE entries will be missing from dracut.conf and 90pgpwde folder will be missing from modules.d folder.

Root cause

It is  documented that %post will run before %preun (of older package) during rpm upgrade and we must use $1 variable to identify if this is upgrade, fresh install or uninstall but, we are not using it and as a result we are removing dracut configuration during upgrade.

Impact

• The PGPWDE driver will not be part of the initial ramdisk if for any reason the initial ramdisk gets rebuilt.
• If you run dracut --force and reboot system. You’ll see following error:

Open pgpwde driver status: : No such file or directory
PGPwde driver not available, encryption will not be possible.
Operation no operation failed:
Error code -11996: can't open file

• In this case an encrypted system will not boot
• After OS upgrade PGPWDE will not work as it usually recreates the initial ramdisk.

Workaround

• Create an entry in /etc/dracut.conf file and /usr/lib/dracut/modules.d/90pgpwde using the script provided at the end of this document.
• If PGPWDE is not getting loaded run “dracut --force”