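After a password change, the BootGuard password is still the old one

This depends on how the password was changed.
See the page below. Change the password through Ctrl + Alt + Del so that it is synchronized immediately.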
Symantec – Changing Your Windows Password with PGP WDE With Single Sign-On
https://support.symantec.com/en_US/article.HOWTO79569.html

Description
To synchronize your Windows password changes with PGP Whole Disk Encryption (PGP WDE), you must change your password for Single Sign-On using the Change Password feature in the Windows Security dialog box, which you access by pressing Ctrl+Alt+Del.
Note: You may also change your password when Windows prompts you, while logging in, that your password will expire.
To change your passphrase
1. Press Ctrl+Alt+Delete.
2. Type your old password.
3. Type and confirm your new password.
4. Click OK.
Single Sign-On automatically and transparently synchronizes this new password with your PGP WDE passphrase. You can use the new password immediately, in your next login attempt.

Caution: If you change your password in any other manner—via Domain Controller, the Windows Control Panel, via the system administrator, or from another system—your next login attempt on the PGP BootGuard screen will fail. You must then supply your old Windows password. Successful login on the PGP BootGuard screen using your old Windows password then brings up the Windows Login username/password screen. You must then log in successfully using

P.S.

Symantec – How to change-update the SSO passphrase over the PGP WDE command line, if it has not synched with the PGP Bootguard.

https://support.symantec.com/en_US/article.TECH149263.html

If your Windows password has not synchronized with your PGP BootGuard passphrase, you can synchronize your new Windows password with the PGP BootGuard passphrase using the pgpwde tool.

To use the pgpwde tool:

Windows XP

  1. Click Start>Run.
  2. Type cmd in the Open field and click OK.
  3. Change to the Program Files\PGP Corporation\PGP Desktop directory.
    • Type the following at the command prompt (non-domain):
      pgpwde --change-passphrase --disk 0 --user username --passphrase 'yourpassphrase' --new-passphrase 'yournewpassphrase'
    • Type the following at the command prompt (domain):
      pgpwde --change-passphrase --disk 0 --user username --domain 'domainname' --passphrase 'yourpassphrase' --new-passphrase 'yournewpassphrase'
  4. Press Enter.

Windows Vista & Windows 7 32-bit

  1. Click Start>Run.
  2. Type cmd in the Start Search field.
  3. Click cmd from the list of Programs.
  4. Change to the Program Files\PGP Corporation\PGP Desktop directory.
    • Type the following at the command prompt (non-domain):
      pgpwde --change-passphrase --disk 0 --user username --passphrase 'yourpassphrase' --new-passphrase 'yournewpassphrase'
    • Type the following at the command prompt (domain):
      pgpwde --change-passphrase --disk 0 --user username --domain 'domainname' --passphrase 'yourpassphrase' --new-passphrase 'yournewpassphrase'
  5. Press Enter.

Windows Vista & Windows 7 64-bit

  1. Click Start>Run.
  2. Type cmd in the Start Search field.
  3. Click cmd from the list of Programs.
  4. Change to the Program Files (x86)\PGP Corporation\PGP Desktop directory.
    • Type the following at the command prompt (non-domain):
      pgpwde --change-passphrase --disk 0 --user username --passphrase 'yourpassphrase' --new-passphrase 'yournewpassphrase'
    • Type the following at the command prompt (domain):
      pgpwde --change-passphrase --disk 0 --user username --domain 'domainname' --passphrase 'yourpassphrase' --new-passphrase 'yournewpassphrase'
  5. Press Enter.

Your PGP WDE passphrase is synchronized with your new Windows password.

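PGP certificate expired

1. Log in to the PGP management console and go to 【System】→【Network】→【Certificates】.

2. Click 【Add Certificates】.

3. Enter the certificate details (for Expiration, select 5 years from the drop-down) and click 【Generate Self-signed】.

4. The newly added certificate appears in the list.

5. Go back to 【System】→【Network】→【Assigned Certificate】, select the certificate with the latest expiration date from the drop-down, and click 【Save】.

6. PGP restarts to apply the change.

7. Log in again.

8. Afterwards, clients will show a certificate prompt; click 【Always Allow for This Site】.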

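Decrypting a disk with PGP commands

When a PGP-encrypted disk can no longer boot and has been attached to another machine that has PGP installed, proceed as follows:

After you log in, you are asked for the passphrase. If no passphrase you enter is accepted,

log out, then log in with the account and password of the user whose machine could not boot. You are asked for the passphrase again, and this time entering the password works.

If the problem persists, try the following commands to decrypt the disk.

1. Open a command prompt and change to the following path:

Windows XP: C:\Program Files\PGP Corporation\PGP Desktop

Windows Vista/Windows 7: C:\Program Files\PGP Corporation\PGP Desktop

Windows Vista/Windows 7 (64-bit): C:\Program Files (x86)\PGP Corporation\PGP Desktop

2. Run pgpwde --enum to list the disks in the machine. The disk attached afterwards is usually Disk 1. (The option starts with two hyphens.)

3. Run pgpwde --list-user --disk 1 to list the users of the encrypted disk. (The disk attached afterwards is usually Disk 1.) (Options start with two hyphens; the hyphen before "user" is a single one.)

4. Run pgpwde --status --disk 1 to check the encryption status of the disk. (The disk attached afterwards is usually Disk 1.) (Options start with two hyphens.)

※ pgpwde --status --disk 1 shows the encryption status of the disk. (In this example, Disk 1 has not yet passed passphrase verification.) (Options start with two hyphens.)

5. If the status shows that the disk is still being encrypted or is only partly encrypted, stop the encryption process with pgpwde --stop -p passw0rd --disk 1 (long options start with two hyphens; -p takes a single hyphen). This is required before the disk can be decrypted with the command in the next step.

6. If passphrase verification keeps failing in the UI, decrypt with pgpwde --decrypt -p p@ssw0rd --disk 1 (long options start with two hyphens; -p takes a single hyphen). p@ssw0rd is the password (any user's password works; if you have the WDE admin password, use that first).

Once the command above succeeds, you will see that decryption is in progress.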

1. 【How to check whether PGP disk encryption is currently using AES-128 or AES-256】 2. 【If the PGP disk encryption policy is changed from the current AES-256 to AES-128, does the disk have to be decrypted first and then encrypted again?】

For both questions, see the vendor article https://support.symantec.com/en_US/article.TECH224377.html

【How to check whether PGP disk encryption is currently using AES-128 or AES-256】

Run the following commands on the client:

【On 64-bit computers, change to the following directory】

C:\Program Files (x86)\PGP Corporation\PGP Desktop

【On 32-bit computers, change to the following directory】

C:\Program Files\PGP Corporation\PGP Desktop

Then run

pgpwde --status --disk 0 --xml | find "alg"

※ On Mac → run pgpwde --status --disk 0 --xml

In the output, find the following value. If alg="9", the disk is encrypted with AES-256; if alg="7", the disk is encrypted with AES-128.

<currentkey valid="true" alg="9">

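When many machines have to be compared against the encryption policy, the alg check above can be scripted; a disk whose current cipher differs from the policy is one that needs the decrypt and re-encrypt cycle discussed in the next question. The following shell function is an added example, not part of the original post or of Symantec's tooling; the function name, the return codes and the sample line are constructed here, and it also reports the valid attribute, which goes slightly beyond the manual check.

```shell
#!/bin/sh
# Added example: compare a disk's current WDE cipher with the required policy.
# Input (stdin): output of `pgpwde --status --disk N --xml`.
# alg values are the ones given on this page: 9 = AES-256, 7 = AES-128.
# Return codes (chosen for this example):
#   0 = key is valid and the cipher matches the policy
#   1 = key is valid but the cipher differs (decrypt, then re-encrypt)
#   2 = no <currentkey> element found, or the key is not marked valid
wde_cipher_check() {
    required=$1

    # Keep only the first <currentkey ...> tag from the status output.
    tag=$(sed -n 's/.*\(<currentkey[^>]*>\).*/\1/p' | head -n 1)
    [ -n "$tag" ] || { echo "no currentkey element"; return 2; }

    # Pull the two attributes out of the tag.
    alg=$(printf '%s\n' "$tag" | sed -n 's/.*alg="\([0-9][0-9]*\)".*/\1/p')
    valid=$(printf '%s\n' "$tag" | sed -n 's/.*valid="\([a-z]*\)".*/\1/p')

    case $alg in
        7) cipher=AES-128 ;;
        9) cipher=AES-256 ;;
        *) cipher="unknown(alg=$alg)" ;;
    esac
    echo "$cipher valid=$valid"

    [ "$valid" = true ] || return 2
    [ "$cipher" = "$required" ] || return 1
    return 0
}

# Constructed sample: the element quoted on this page, checked against an
# AES-128 policy. Prints "AES-256 valid=true" and then the mismatch notice.
printf '%s\n' '<currentkey valid="true" alg="9">' | wde_cipher_check AES-128 \
    || echo "action needed (rc=$?)"
```

On a Mac the status command can be piped straight into the function; on Windows, redirect the output to a file first and feed that file to the script.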

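【If the PGP disk encryption policy is changed from the current AES-256 to AES-128, does the disk have to be decrypted first and then encrypted again?】

Yes. See the procedure below.

[Two screenshots of the procedure; the images are not preserved.]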

Unable to Encrypt Mac Systems on MAC Yosemite with Symantec Encryption Desktop 10.3.2 with error 116385 when Microsoft Office 2011 has been installed prior to Symantec Drive Encryption

http://www.symantec.com/business/support/index?page=content&id=TECH229178

Issue

In attempting to encrypt a Mac OS X 10.10 Yosemite system with Symantec Drive Encryption 10.3., the following error occurs:【PGPError :116385】

Error

“An error occurred while encrypting your disk:
PGPError :116385”

In addition to receiving the above error, a prompt will continuously pop up indicating changes are needed.  When Symantec Drive Encryption has been installed properly, this pop-up should never be displayed.

Cause

The reason this happens is that the permissions on the /Library/PrivilegedHelperTools directory are not set as Symantec Drive Encryption 10.3.2 requires.  This condition typically happens when Microsoft Office 2011 has been installed prior to Symantec Drive Encryption, but only on Yosemite.  Previous versions of Mac OS X (such as Mavericks), Office 2011 and Symantec Drive Encryption are unaffected by this issue.

Solution

The workaround for this is to run the following command via Terminal and then install Symantec Drive Encryption:

sudo chown 0:wheel /Library/PrivilegedHelperTools/

Once the above command is run, type in the Mac Admin password to allow the permission change to occur.  Once the command is completed successfully, the permissions for the group “wheel” will be assigned, instead of “Admin”.

To confirm the appropriate permissions have been set, run the following command:

ls -al /Library/PrivilegedHelperTools/

The output shows the owner and group of the directory, which confirms whether the correct permissions have been set.

Running the following command can also confirm proper permissions have been set:

stat /Library/PrivilegedHelperTools/

The permission of “root wheel” should be displayed.

If this entry still says “root admin”, the command did not work.  Check the syntax and retry the command.
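A scripted form of this check, useful as a pre-install test when the client is deployed to many Macs. This is an added example, not part of the Symantec article; the function name and its optional uid/gid arguments are illustrative, and it relies on wheel being GID 0, as it is on macOS.

```shell
#!/bin/sh
# Added example: verify that a directory is owned by root:wheel.
# Numeric IDs are read with `ls -ldn`, so the check does not depend on
# how user and group names are displayed.
# Usage: helper_dir_owner_ok DIR [UID] [GID]   (defaults: 0 0 = root:wheel)
# Return codes: 0 = ownership as expected, 1 = different owner or group,
#               2 = DIR is not a directory
helper_dir_owner_ok() {
    dir=$1
    want_uid=${2:-0}
    want_gid=${3:-0}

    [ -d "$dir" ] || { echo "$dir: not a directory"; return 2; }

    # Fields 3 and 4 of `ls -ldn` are the numeric owner and group.
    owner=$(ls -ldn "$dir" | awk '{print $3 ":" $4}')

    if [ "$owner" = "$want_uid:$want_gid" ]; then
        echo "$dir: ok ($owner)"
        return 0
    fi
    echo "$dir: owner is $owner, expected $want_uid:$want_gid"
    return 1
}

# Check the directory named in the article before installing.
helper_dir_owner_ok /Library/PrivilegedHelperTools \
    || echo "not root:wheel (or missing); apply the chown command above first"
```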

Alternatively, checking the properties of /Library/PrivilegedHelperTools/ via Finder will show the correct permissions.

Once the permissions have been set properly, uninstall Symantec Drive Encryption if installed, and then install the application.  This time, Drive Encryption should succeed.

Symantec Development is currently looking into this for a final resolution.  Subscribe to this article for any future updates with this issue.

Unable Access Second Partition After Formatting Primary Partition

Issue

On a whole-disk-encrypted disk with two partitions, the second partition is inaccessible after formatting the primary partition without decrypting the disk.

Warning: Do not re-encrypt the C: Drive as this will result in overwriting the session key and PGPWDE01 file which contains the drive encryption information and makes the disk unrecoverable.

Environment
  • 2 partitions on an internal hard disk (C: and D: )
  • Both partitions are PGP Whole Disk Encrypted
  • The C: partition is formatted without decrypting the drive
Solution

To resolve this issue, you must attach the disk to another computer with PGP Desktop installed. Then use the pgpwde command line interface to decrypt the disk.

Use the following steps:

1. Open a Windows Command Prompt.

2. Change to the following directory C:\Program Files\PGP Corporation\PGP Desktop

3. Type pgpwde --recover -d 1 --passphrase "your passphrase" and press Enter.

(Assuming that the D: drive is the disk number “1”)

Drive Encryption Diagnosis and Recovery

Drive Encryption Diagnosis and Recovery – Symantec Drive Encryption & PGP Whole Disk Encryption

http://www.symantec.com/business/support/index?page=content&id=TECH149679

Issue

This article provides tools and steps to diagnose and recover disks that are encrypted with Symantec Drive Encryption (previously PGP Whole Disk Encryption). 

Solution

Section 1 describes some symptoms that users with encrypted disk problems may encounter.  Section 2 provides procedures for using the PGPWDE command line interface. Section  3 details use of the Recovery Disk.

Note: If a system hard disk has been “fully” decrypted, and will not boot, make sure to slave the disk and back up all your data, or use a bit-by-bit copy of the disk. Connect the hard disk back to the system and run the fixmbr command from the Windows Recovery Console from a Windows XP installation CD.

SECTION 1 – Symptoms

On rare occasions internal or external disks that are encrypted may experience the following issues:

  • Inability to decrypt or read the contents of a secondary or non-system disk.
  • System displays “Error loading operating system_” after entering the passphrase at the PGP BootGuard screen.
  • Master Boot Record (MBR) corruption causing the system to no longer boot.
  • After starting the system with the hard disk encrypted to a passphrase and an eToken, valid passphrases are not accepted.

1. Users able to access their encrypted disk from Windows should proceed to Section 2.
2. Users unable to access their disk from Windows or who are unable to boot should proceed to Section 3.

SECTION 2 – PGPWDE Command Line

The following commands will help diagnose and decrypt the disk. Other commands can be listed by typing pgpwde --help.
1. To begin working with the PGPWDE command line tool, open a command prompt and change to the PGP installation directory (default directory shown) C:\Program Files\PGP Corporation\PGP desktop.
2. To list all installed hard disks in the system type: pgpwde --enum. Entering this command displays a list of disks which the following steps reference.
3. Type pgpwde --status --disk 1. In the command, substitute the PGP WDE disk number listed in the previous step for the number 1 if it is different. The output of this command tells you whether the disk is still encrypted.

  • If the disk is not encrypted, “Disk <number> is not instrumented by bootguard” will be the output.
  • If the disk is encrypted, the output will display:
    “Disk <number> is instrumented by Bootguard.”
    The total number of sectors.
    A Highwater value (number of sectors encrypted).
    Whether the current key is valid.

4. Type pgpwde --list-user --disk 1. This provides the user information contained on the disk. This will help in multi-user environments to determine which user passphrase was used for Drive Encryption.
5. Type pgpwde --decrypt --disk 1 --passphrase {MYPASSWORDHERE}. This will start the decryption process. To view progress, type the status command listed in step 3 and note the Highwater number. This number will get smaller and smaller as the number of sectors encrypted decreases.

6. If your primary partition was formatted and your secondary partition is still encrypted, you may try to recover it by following TECH170574.

SECTION 3 – Using Recovery Disk Images (bootg.iso or bootg.img)

Warning: Recovery disks should be used only as the last step when attempting recovery.  Should there be a power loss while decrypting with the recovery disk, the result to the disk could be fatal and non-recoverable. It is also highly recommended to use the latest recovery disk available for the version you are running.
Recovery Images can be obtained by following the links below:

Windows

Mac OS X

Caution: Users with extended partitions on their hard disks that were encrypted should ONLY use the latest available Recovery disk for your version. Prior versions could cause these partitions to no longer be visible to Windows after fully decrypting the disk.
Once you have started to decrypt a disk or partition using a recovery CD, do not stop the decryption process. Depending on the size of the disk being decrypted, this process can take a long time. A faster way to decrypt the drive is to use another system that has the same version of Encryption Desktop\PGP Desktop installed on it.

Use the Recovery Disk with the following instructions if experiencing blue screen failures at boot up:
1. Boot the system with the recovery disk.
2. Do not continue with the normal sequence of entering a passphrase.
3. Go to the “advanced” panel.
4. This message “PGPWDE record inconsistency on 1 disk(s) was found and fixed” might be displayed. If this message is seen, the BSOD (blue screen failure) will be fixed.
5. Return back to the previous screen and continue to boot from the recovery CD. Rebooting without the Recovery Disk in the drive also works.

Use the Recovery Disk with the following instructions should the system not boot into Windows for any other reasons:

The Symantec Encryption Desktop for Windows User’s Guide provides instructions for creating recovery disks. 

  1. Boot the system with the recovery disk.
  2. When prompted, press any key to continue. Drive Encryption Recovery searches for user records and prompts to press any key when the records are found.
  3. Press any key to continue.
  4. On the PGP BootGuard screen, enter the passphrase and user name, if required.
  5. Press D to decrypt the drive. Drive Encryption Recovery starts decrypting your disk.

Note: Decrypting using a Recovery disk might take considerably more time than it does from within Windows.

After installing PGP Desktop E-mail, Outlook cannot send mail and shows 【PGP Universal service not available】

To resolve this, open the Outgoing Mail Server (SMTP) settings and change the SSL/TLS drop-down to 【Do not attempt】.

【Other troubleshooting steps】

1. Exit PGP Services, then check whether Outlook sends mail normally. If it still does not, the original mail client configuration is probably at fault.

2. Delete and recreate the PGP Desktop E-mail service.

3. Provide the client log.

4.Enterprise Support – Symantec Corp. – Troubleshooting: PGP Messaging Services for PGP Desktop 10 for Windows
http://www.symantec.com/business/support/index?page=content&id=TECH149647

 

By default, PGP Desktop automatically determines your email account settings and creates a PGP Messaging service that proxies messaging for that email account.

Because of the large number of possible email account settings and mail server configurations, on some occasions a messaging service that PGP Desktop automatically creates may not work quite right.

 

If PGP Desktop has created a messaging service that is not working right for you, one or more of the following items may help correct the problem:

Verify that you can both connect to the Internet and send and receive email with PGP Services stopped. To do this:
Right-click the PGP Desktop Tray icon and select Stop PGP Services from the list of commands.

Note: You should always restart your email client after starting or stopping PGP Services.
Read the PGP Desktop Release Notes for the version of PGP Desktop you are using to see if your problem is a known issue.

Make sure SMTP authentication is enabled for the email account (in your email client). This is recommended for PGP Desktop to proxy your messaging. If you only have one email account and you are not using PGP Desktop in a PGP Universal Server-managed environment, then SMTP authentication is not needed. It is required when using a PGP Universal Server as your SMTP server, or when you have multiple email accounts on the same SMTP server.

Open the PGP Log to see if the entries offer any clues as to what the problem might be.

If SSL/TLS is enabled in your email client, you must disable it there if you want PGP Desktop to proxy your messaging. (This does not leave the connection to and from your mail server unprotected; by default PGP Desktop automatically attempts to upgrade any unprotected connection to SSL/TLS protection. The mail server must support SSL/TLS for the connection to be protected.)

If either Require STARTTLS or Require SSL is selected (in the SSL/TLS settings of the Server Settings dialog box) your mail server must support SSL/TLS or PGP Desktop will not send or receive any messages.

If your email account uses non-standard port numbers, make sure these are included in the settings of your messaging service.

If PGP Desktop is creating multiple messaging services for one email account, use a wild card for your mail server name.

Delete the PGP Messaging service that is not working correctly and send/receive email. PGP Desktop regenerates the messaging service.
If none of these items help correct the problem, try manually creating a PGP Messaging Service.

5.
http://www.symantec.com/connect/forums/not-working-outbound-mail-encryption-outlook-2010-pgp-1021

Please reread the PGP Release Notes for any known conflict or settings adjustments that may be needed for your system.

Although I don’t see Norton 360 specifically mentioned, the following quote may offer guidance that might also help with Norton 360 use.

Symantec Norton AntiVirus 9.x through 10.x, Symantec Norton Internet Security 2003, Symantec Norton Internet Security 2004
Disable email scanning.
For Norton Internet Security users, disable Norton Privacy Control and Spam Alert.
Disable SSL/TLS in Server Settings in PGP Desktop and PGP Universal Satellite. (In PGP Desktop, select the PGP Messaging Control Box and then choose Messaging > Edit Server Settings. For SSL/TLS, select Do Not Attempt. In PGP Universal Satellite, on the Policies tab, select Ignore SSL/TLS.) These versions of Norton AntiVirus prevent all mail clients from using SSL/TLS, regardless of the use of PGP software.

Symantec Norton AntiVirus 11.x through 12.x, Symantec Norton Internet Security 2005, Symantec Norton Internet Security 2006
No special configuration required for MAPI email.
When using POP email, enable Auto-Protect and disable the Anti-Spam and Email Scanning options. Auto-Protect, which is enabled by default, provides protection against viruses in email messages when the message is opened.
Disable SSL/TLS in Server Settings in PGP Desktop or PGP Universal Satellite. (In PGP Desktop, select the PGP Messaging Control Box and then choose Messaging > Edit Server Settings. For SSL/TLS, select Do Not Attempt. In PGP Universal Satellite, on the Policies tab, select Ignore SSL/TLS.) These versions of Norton AntiVirus prevent all mail clients from using SSL/TLS, regardless of the use of PGP software.

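After enrolling a freshly installed Mac OS X 10.10.0, other users' IDs unexpectedly appear in the user list

This can happen when the user ID already exists in the restore image.

On the affected Mac, remove the key pair [belonging to the other user] as follows.

Remove the keyring file (back it up first if needed):

Click 【Encryption Desktop】 at the top left of the desktop and choose 【Quit Encryption Desktop】.

(1) Open the 【PGP】 folder.

(2) Back up the 【.skr file】 to another location, or delete it.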

Building a WinPE 4.0 / 5.0 / 5.1 disc with PGP integrated

1.    For building a PGP-integrated disc with the newer WinPE versions, see the following page:
How to Customize Windows PE 4.0 and above using Symantec Encryption Desktop 10.3.2 and PGPRecoveryGUI.exe
http://www.symantec.com/business/support/index?page=content&id=HOWTO95227
It covers:
(1)    Customizing Windows PE 4.0/5.0 for 32-bit Windows Environment
(2)    Customizing Windows PE 4.0/5.0 for 64-bit Windows Environment
(3)    How to make customized WinPE as a bootable .iso file or CD/UFD

2.    Download the Windows Assessment and Deployment Kit (Windows ADK) for Windows 8.1 Update from the Official Microsoft Download Center
http://www.microsoft.com/zh-tw/download/details.aspx?id=39982

3.    WinPE for Windows 8: Windows PE 5.0
https://technet.microsoft.com/zh-tw/library/hh825110.aspx

Updating WinPE 5.0 to WinPE 5.1
https://technet.microsoft.com/zh-tw/library/dn613859.aspx

 

Enterprise Support – Symantec Corp. – Windows PE customization for Symantec Encryption (PGP) – Index of documents

http://www.symantec.com/business/support/index?page=content&id=TECH215515