Symantec Enterprise Division provides two encryption technologies to cover many scenarios, and one area where these two technologies overlap is Drive Encryption. Both Symantec Encryption Desktop (PGP) and Symantec Endpoint Encryption (SEE) provide Drive Encryption and offer a Preboot Authentication (PBA) screen, meaning that before a system will boot up, a passphrase must be entered successfully. Symantec Endpoint Encryption (SEE) is machine based, whereas Symantec Encryption Desktop (PGP) is user based.
Symantec Endpoint Encryption (SEE) offers "Connectionless" recovery, meaning that even if the client never communicates with the server, a recovery key is still present.
Symantec Encryption Desktop (PGP), being user based, requires a connection to the server for initial enrollment and recovery keys.
For a comprehensive list of all the product differences between SEE and PGP, see the following article:
If Drive Encryption is the only component being used, and you would like a "machine-based" experience, rather than a "user-based" experience, you can consider migrating from the PGP client to the SEE Client. This article will go over the steps needed to do this migration, which is very easy and straightforward.
Important Note: If you are upgrading from PGP 10.4 to SEE 11.4, follow this document for further guidance.
If you are currently on PGP 10.5.1 and would like to upgrade to SEE 11.4, please reach out to Symantec Encryption Support for further guidance and mention this article.
TIP: See the attached article for a downloadable version of this KB.
The following considerations should be reviewed before you can migrate from PGP to SEE for Drive Encryption:
* Symantec Encryption Desktop 10.3.2 MP4 or above is installed.
* Removable Drives, such as USB drives, are not migrated from PGP to SEE. If you are using PGP to encrypt USB drives, SEE has a similar feature called SEE Removable Media Encryption (RME). Decrypt your USB drives if you still need to access them; the USB drive can then be re-encrypted with SEE RME (or the PGP-encrypted USB drive can be accessed from a PGP machine).
* PGP Email Encryption, File Share Encryption, PGP Virtual Disk, PGP Shredder, PGPViewer, and PGPZip will remain installed on the machine post migration to SEE.
* PGP Drive Encryption users are not preserved. Once the migration occurs, have the users log in to their Windows profile and wait at least 15 minutes for the automatic user registration to take place. The machine can then be rebooted, and authentication will then take place at the PBA.
* Post migration, the drive is not re-encrypted. The new SEE client will seamlessly read the existing encrypted sectors going forward. If, for some reason, you would like to re-encrypt the drive, a reencrypt command is available.
Refer to the SEE Upgrade Guide for detailed information on the migration from PGP to SEE.
To migrate from PGP to SEE for Drive Encryption, simply install the SEE Client MSI on the PGP-encrypted machine.
Once the installation is finished, reboot the system.
The SEE client performs a "Pending Reboot" check on the system, for example to detect a Windows update that was applied but for which the system has not yet been rebooted. For more information on this Pending Reboot functionality, see the following article:
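The migration steps above (confirm the PGP prerequisite, make sure no reboot is pending, install the SEE Client MSI, then reboot) as an added PowerShell example; this is not code from the KB or from Symantec. The MSI path and log path are placeholders, the Uninstall-key lookup and the pending-reboot registry keys are assumptions about how to detect those conditions, and the maintenance-pack level (MP4) is assumed not to be encoded in DisplayVersion.

```powershell
# Added example, not from the KB: pre-flight checks and unattended SEE Client install
# on a PGP-encrypted machine. Run from an elevated PowerShell session.
param(
    [string]$SeeMsi = 'C:\Temp\SEE_Client.msi'   # placeholder: path to the SEE Client MSI
)

# 1. Confirm Symantec Encryption Desktop is installed and at least 10.3.2.
#    The KB requires 10.3.2 MP4 or later; the MP level is assumed not to be part of
#    DisplayVersion, so confirm MP4 separately (e.g. in the PGP Desktop About dialog).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$pgp = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like 'Symantec Encryption Desktop*' } |
       Select-Object -First 1
if (-not $pgp) { throw 'Symantec Encryption Desktop is not installed; nothing to migrate.' }
if ([version]$pgp.DisplayVersion -lt [version]'10.3.2') {
    throw "PGP $($pgp.DisplayVersion) is below the 10.3.2 MP4 minimum; upgrade PGP first."
}

# 2. Mirror the installer's "Pending Reboot" check so the install is not attempted while a
#    Windows update is still waiting for a restart (assumed detection keys).
$cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
$wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$sm  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
$pending = (Test-Path $cbs) -or (Test-Path $wu) -or ($null -ne $sm.PendingFileRenameOperations)
if ($pending) { throw 'A reboot is already pending; restart the machine and rerun this script.' }

# 3. Install the SEE Client MSI silently and keep a verbose log for troubleshooting.
$log  = "$env:TEMP\SEE_Client_install.log"                      # placeholder log location
$proc = Start-Process msiexec.exe -ArgumentList "/i `"$SeeMsi`" /qn /l*v `"$log`"" -Wait -PassThru
# msiexec: 0 = success, 3010 = success but reboot required (expected; the KB says to reboot next)
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $log"
}

# 4. Reboot is the next KB step. After the user logs in to the Windows profile, wait about
#    15 minutes for automatic registration, then verify with the command the KB shows:
#      eedadmincli.exe --list-user --au "admin-username-here"
Write-Host "SEE Client installed (msiexec exit $($proc.ExitCode)). Reboot the system now."
```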
User Experience Information During the Migration from PGP to SEE for Drive Encryption
When a user has the PGP Desktop client installed, you will see the following available in their client:
As shown in the screenshot above, you will notice the "PGP Disk" has "Encrypt Disk" on the left side of the shelf.
Next, you will notice the "User Access" list has a user called "nonadmin" for this scenario. This is the current registered user on the disk.
When the "nonadmin" user reboots the machine, the normal PGP Preboot screen will be displayed. Once the "nonadmin" user enters the credentials, the system will boot up.
In addition to the above, when you run the list-user command as shown in the following screenshot, the "nonadmin" can be seen displayed as "User 1":
Once the SEE Client is installed on this system encrypted with PGP Drive Encryption, the migration process will remove the existing users.
In this scenario, the user "nonadmin" will be removed, so the following will be observed when running the same list-user command:
In addition to the user being removed, if you open the PGP Desktop client UI, you'll also notice the "Encrypt Disk" is removed from the shelf:
As shown in the above screenshot, the only option under PGP Disk is "New Virtual Disk".
If you go to the Start menu and look for Symantec, you'll now have "Symantec Endpoint Encryption" with the following options shown in the screenshot below:
At this stage of the migration, the Symantec Endpoint Encryption client has been installed, but the system has not yet been rebooted.
Because the migration from PGP to SEE is seamless, you can now run a list-user command with Symantec Endpoint Encryption and you will see that the "nonadmin" user is not added:
eedadmincli.exe --list-user --au "admin-username-here"
This will prompt for the SEE Client Admin Credentials.
Symantec Endpoint Encryption is now engaged and once the reboot happens, the "nonadmin" user will be automatically registered.
Until a user is registered, there will be no preboot screen when the system reboots.
Notice there is a user "AutoEncrypt". This user automatically authenticates the disk at preboot, which is why no preboot screen is displayed.
The machine is still fully encrypted, but the AutoEncrypt user takes care of this until someone registers on the system.
At this stage, the machine is rebooted, and then the "nonadmin" user logs in to the Windows profile.
When "nonadmin" logs in, the user is then automatically registered. This happens invisibly to the end user and no prompts appear.
There is no "enrollment" screen that shows up and everything is taken care of behind the scenes, but we recommend waiting 15 minutes for this to happen.
Once the user is registered, you'll see them listed now:
When the "nonadmin" user reboots the machine, they will be presented with the preboot screen again, which they can now authenticate based on policy configuration:
From the start menu, open the Symantec Endpoint Encryption and click on the "SEE Client Administrator" application.
Once prompted, enter the credentials and the following screen will be displayed (This is available only to SEE Client Administrators and non-admin users will not see this screen):
As you can see in the above screenshot, the "nonadmin" user was automatically registered. Next, click on the "Internal Drives" tab to see the encryption status:
This entire process was done seamlessly and without any end user interaction, other than logging in to their profile post migration.
For Debug installation parameters, see the following article:
Scenario 1: Moving SEE Client from Old SEE Management Server to New SEE Management Server
163292 - Migrating from one SEE Management Server to another (Completely new SEE Database)
Scenario 2: Moving from PGP client/server to SEE client/server
227509 - Migrating from Symantec Encryption Desktop to Symantec Endpoint Encryption (Drive Encryption components)
Scenario 3: Moving SEE Clients from the same database to another SEE Management Server with the same Database
154122 - How to Migrate Symantec Endpoint Encryption Management Console and all the clients from one Server to another Server, without moving the existing SQL Server
Scenario 4: Moving same SEE database from one DB instance to another
152340 - How to move the SEE-MS SQL database from one server/instance to another
Scenario 5: Update which hostname the SEE Clients use for communications (Keeping same database)
249333 - Changing Web Access for SEE Clients on Symantec Encryption Management Server