How to change the PGP Whole Disk Passphrase via Terminal for Mac OS

Article ID: 154400

Products

Symantec Products

Issue/Introduction

This article explains how to change a PGP Whole Disk Encryption passphrase from Terminal on Mac OS X.

Resolution

To change the passphrase of a PGP Whole Disk Encryption user:

Option 1 - Change the passphrase of a user when the existing passphrase is known:

Step 1 - Run the following command, where x is the disk number in question (typically the boot disk is disk 0):

pgpwde --list-user --disk x

Make note of the Name of the user, and whether the user has a "domain" associated with it. If no domain is listed, the --domain argument is not needed in any further commands. If there is a domain, the --domain argument is required, followed by the listed domain in quotes. On Mac systems, the domain field is typically the hostname of the Mac computer.

CAUTION: If the system hostname contains special characters, as in "Bob's MacBook Pro", the apostrophe is removed for DNS because it is an unsupported character; the pgpwde utility, however, converts it into a character that may not be possible to type in Terminal, as it may be a form of Unicode character. If this is the case, copy and paste the domain name into the command using command+c (copy) and command+v (paste). This should allow the command to complete successfully.

Step 2 - Type the following on a single command line:

pgpwde --change-passphrase --disk 0 -u "username here" --passphrase "old passphrase" --new-passphrase "new passphrase"

If the user's passphrase is unknown but an Admin passphrase is known, enter the Admin passphrase when prompted.

NOTE: The --interactive option can be used to prevent the passphrase from being recorded in the Terminal history:

pgpwde --change-passphrase --disk 0 -u "username here" --interactive

The prompts appear in this order:

"Enter New Passphrase" - type the new passphrase here.

"Enter Passphrase" - enter the existing passphrase here.

"Enter Admin Passphrase" - enter the passphrase from the previous step again.

This should change the passphrase.

If there is a domain for the user, add it to the command as shown in the following example:

pgpwde --change-passphrase --disk 0 -u "username here" --domain "domain here" --interactive

Option 2 - Change the passphrase of a user with a Whole Disk Recovery Token:

If the existing passphrase is not known and a Whole Disk Recovery Token (WDRT) is available, use the following syntax:

Step 1 - Run the following command:

pgpwde --change-passphrase --disk 0 -u "username here" --domain "domain here" --new-passphrase "passphrase-here" --recovery-token WDRT-HERE

To prevent the passphrase and the WDRT from being captured in the Terminal history, run the command with the following syntax instead:

pgpwde --change-passphrase --disk 0 -u "username here" --domain "domain here" --interactive

When prompted to "Enter passphrase", press Enter to skip to the "Enter Admin passphrase" prompt, and enter the WDRT there.

No text is seen when entering the passphrase here, so it may be difficult or take multiple attempts to successfully change the passphrase of an existing user with a WDRT.

TIP: When entering the WDRT, it is possible to enter the string with or without the dashes.

WDRT Example:

AAAAA-11111-BBBBB-22222-CCCCC-333

NOTE: When using WDRTs, as soon as the client is able to communicate with the server, a new WDRT is sent to the server, even if the previous command did not do what was intended. In other words, during testing it may be necessary to check the server to ensure that the WDRT being used is still valid and can be used to authenticate.
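The shell helpers below are an added example, not part of this Symantec article or of the pgpwde tool: they build the --interactive form of the command used above (adding --domain only when --list-user showed one), normalize a WDRT typed with or without dashes, and count lines in a shell history file where a passphrase or recovery token was passed on the command line. The function names, the 28-character token length (taken from the sample token above, not a documented format) and the sample history file are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Symantec article or of pgpwde itself:
# helpers for the procedure above. The --interactive form keeps secrets
# out of argv and out of the shell history file.

# Build the change-passphrase command for a disk and user. --domain is added
# only when --list-user showed a domain (the article says it is otherwise not
# needed). No passphrase or WDRT is ever placed on the command line.
pgpwde_change_cmd() {
    disk=$1; user=$2; domain=$3
    cmd="pgpwde --change-passphrase --disk $disk -u \"$user\""
    if [ -n "$domain" ]; then
        cmd="$cmd --domain \"$domain\""
    fi
    printf '%s\n' "$cmd --interactive"
}

# Normalize a WDRT before typing it at the "Enter Admin passphrase" prompt:
# dashes are optional per the article, so strip them and uppercase. The
# 28-character length is an assumption taken from the sample token
# AAAAA-11111-BBBBB-22222-CCCCC-333, not a documented format.
wdrt_normalize() {
    tok=$(printf '%s' "$1" | tr -d '-' | tr '[:lower:]' '[:upper:]')
    case "$tok" in
        ''|*[!A-Z0-9]*) return 1 ;;
    esac
    [ "${#tok}" -eq 28 ] || return 1
    printf '%s\n' "$tok"
}

# Count history lines where pgpwde received a passphrase or recovery token
# as an argument, i.e. secrets that are now stored in plain text on disk.
pgpwde_history_leak_count() {
    grep -cE 'pgpwde[[:space:]].*--(passphrase|new-passphrase|recovery-token)([[:space:]]|$)' "$1" || true
}

# Constructed sample history (not real data) to exercise the leak check.
SAMPLE_HISTORY=$(mktemp "${TMPDIR:-/tmp}/pgpwde_hist.XXXXXX")
cat > "$SAMPLE_HISTORY" <<'EOF'
pgpwde --list-user --disk 0
pgpwde --change-passphrase --disk 0 -u "alice" --passphrase "old" --new-passphrase "new"
pgpwde --change-passphrase --disk 0 -u "alice" --interactive
pgpwde --change-passphrase --disk 0 -u "bob" --domain "Bobs-Mac" --new-passphrase "x" --recovery-token AAAAA-11111-BBBBB-22222-CCCCC-333
EOF

pgpwde_change_cmd 0 alice ""
pgpwde_change_cmd 0 alice "Bob's MacBook Pro"
wdrt_normalize "aaaaa-11111-bbbbb-22222-ccccc-333"
echo "history lines carrying a secret: $(pgpwde_history_leak_count "$SAMPLE_HISTORY")"
```

Run the leak count against your own ~/.bash_history or ~/.zsh_history to find earlier invocations that should be removed from the file.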

TIP: Starting with 10.3.0 MP3 (Build 9307), using a WDRT via the UI allows a user to change their passphrase. This was not possible with previous versions (etrack 3146228). To do so, follow these steps:

1. Open Symantec Encryption Desktop.

2. Click on the encrypted drive under "PGP Disk", the users will be displayed.

3. Right-click (ctrl+click) on the user whose passphrase needs to be changed, and click "Change User Passphrase...".

4. In the passphrase prompt field, enter the WDRT for the user's disk and click OK.

5. The "Create New Whole Disk User" prompt will appear. Enter a new passphrase for the user and click "OK". This changes the passphrase of the existing user.