Creating and using bootable USB media to decrypt a drive

book

Article ID: 181479

calendar_today

Updated On:

Products

Drive Encryption Drive Encryption Powered by PGP Technology Encryption Desktop Powered by PGP Technology

Issue/Introduction

If a machine encrypted with Encryption Desktop Drive encryption has these symptoms, the drive will need decrypting:

  • It fails to load bootguard (pre-boot).
  • After successfully authenticating at bootguard, it fails to load Windows.

The recommended method of recovering an encrypted drive is to create Windows 10 WinPE recovery media because it boots to a command prompt and allows you to run PGPwde.exe, the Drive Encryption command line tool. Using the command line tool you can, for example, authenticate to the drive and copy important files from it.

If you do not have access to the WinPE recovery media, you can quickly create bootable USB media which will allow you to do the following:

  1. Load bootguard.
  2. Authenticate.
  3. Either attempt to load Windows or decrypt the drive.

Note that if a machine can already load bootguard but you cannot authenticate, it is unlikely that the bootable USB media will be of any help.

Environment

  • Symantec Encryption Desktop Drive Encryption 10.4.2 and above.
  • Windows 10 or Windows 8.1.

Resolution

To create the bootable USB media please do the following on a machine that is running the same release of Encryption Desktop as the machine that has problems:

  1. Format a USB drive with a capacity of at least 1 GB using the FAT32 file system.
  2. In the root folder of the USB drive, create a folder named EFI.
  3. In the EFI folder, create a folder named Boot.
  4. If the system with problems is 64-bit, copy the following two files to the \EFI\Boot folder on the USB drive:
    • "C:\Program Files (x86)\PGP Corporation\PGP Desktop\bootx64.efi"
    • "C:\Program Files (x86)\PGP Corporation\PGP Desktop\pgpcontents.tar"
  5. If the system with problems is 32-bit, copy the following two files to the \EFI\Boot folder on the USB drive:
    • "C:\Program Files\PGP Corporation\PGP Desktop\bootia32.efi"
    • "C:\Program Files\PGP Corporation\PGP Desktop\pgpcontents.tar"

 

To use the USB drive

  1. Insert the USB drive into your system.
  2. Access your system's boot option menu (usually by pressing F9, F10, or F12 immediately after powering up Windows, but consult the user guide of your PC for more details).
  3. Select the USB drive (or, on some systems, select the \EFI\Boot\bootx64.efi file on the USB drive) from the boot option menu to boot the recovery USB drive.
  4. At the bootguard screen you must authenticate. You can use a user's passphrase, a disk administrator passphrase or press F4 to use a WDRT (Whole Disk Recovery Token). Note that the US English keyboard is loaded by default. It can be changed by pressing F2.
  5. Providing that the drive encryption record can be found or recovered, you have the option of pressing the D key to immediately start the decryption process or any other key to attempt to load Windows.
  6. If Windows loads successfully, you can copy important files from the machine prior to rebooting and starting the decryption process.

This is the bootguard screen:

 

This is the screen you see after authenticating:

Additional Information

The bootia32.efi, bootx64.efi and pgpcontents.tar files for release 10.5 are available here, the files for various 10.4.x releases are available here and the files for release 10.3.2 are available here.

Note that Symantec Encryption Desktop releases prior to 10.4.2 have reached their End of Service date.

Attachments