分類：PGP

Issue

On a whole disk encrypted a disk with two partitions, the second partition is inaccessible after formatting the primary partition without decrypting the disk.  

Warning: Do not re-encrypt the C: Drive as this will result in overwriting the session key and PGPWDE01 file which contains the drive encryption information and makes the disk unrecoverable.

Environment

• 2 partitions on an internal hard disk (C: and D: )
• Both partitions are PGP Whole Disk Encrypted
• The C: partition is formatted without decrypting the drive

Solution

To resolve this issue, you must attached the disk to another computer with PGP Desktop installed. Then use the pgpwde command line interface to decrypt the disk.

Use the following steps:

1. Open a Windows Command Prompt.

2. Change to the following directory C:\Program Files\PGP Corporation\PGP Desktop

3. Type pgpwde –recover -d 1 –passphrase “your passphrase" and press Enter.

(Assuming that the D: drive is the disk number “1”)

Drive Encryption Diagnosis and Recovery – Symantec Drive Encryption & PGP Whole Disk Encryption

http://www.symantec.com/business/support/index?page=content&id=TECH149679

Issue

This article provides tools and steps to diagnose and recover disks that are encrypted with Symantec Drive Encryption (previously PGP Whole Disk Encryption). 

Solution

Section 1 describes some symptoms that users with encrypted disk problems may encounter.  Section 2 provides procedures for using the PGPWDE command line interface. Section  3 details use of the Recovery Disk.

Note: If a system hard disk has been “fully" decrypted, and will not boot, make sure to slave the disk and backup all your data, or use bit-by-bit copy of the disk. Connect the hard disk back to system and run the fixmbr command from the Windows Recovery Console from a Windows XP installation CD.

SECTION 1 – Symptoms

On rare occasions internal or external disks that are encrypted may experience the following issues:

• Inability to decrypt or read the contents of a secondary or non-system disk.
• System displays “Error loading operating system_" after entering the passphrase at the PGP BootGuard screen.
• Master Boot Record (MBR) corruption causing the system to no longer boot.
• After starting the system with the hard disk encrypted to a passphrase and an eToken, valid passphrases are not accepted.

1. Users able to access their encrypted disk from Windows should proceed to Section 2.
2. Users unable to access their disk from Windows or who are unable to boot should proceed to
Section 3.

SECTION 2 – PGPWDE Command Line

The following commands will help diagnose and decrypt the disk. Other commands can be listed by typing pgpwde –help.
1. To begin working with the PGPWDE command line tool, open a command prompt and change to the PGP installation directory (default directory shown) C:\Program Files\PGP Corporation\PGP desktop.
2. To list all installed hard disks in the system type: pgpwde –enum. Entering this command displays a list of disks which the following steps reference.
3. Type pgpwde –status –disk 1. In the command, substitute the PGP WDE disk number listed in the previous step for the number 1 if it is different. The output of this command tells you whether the disk is still encrypted. 

• If the disk is not encrypted, “Disk <number> is not instrumented by bootguard" will be the output.
• If the disk is encrypted, the output will display:
  “Disk <number> is instrumented by Bootguard."
  The total number of sectors.
  A Highwater value (number of sectors encrypted).
• Whether the current key is valid.

4. Type pgpwde –list-user –disk 1. This provides the user information contained on the disk. This will help in multi-user environments to determine which user passphrase was used for Drive Encryption.
5. Type pgpwde –decrypt –disk 1 –passphrase {MYPASSWORDHERE}. This will start the decryption process. To view progress, type the status command listed in step 3 and note the Highwater number. This number will get smaller and smaller as the number of sectors encrypted decreases. 

6. In case if your primary partition was formatted and your secondary partition is still encrypted, you may try to recover it by following TECH170574.

SECTION 3 – Using Recovery Disk Images (bootg.iso or bootg.img)

Warning: Use of the recovery disks should be used as the last step when attempting recovery.  Should there be a power loss while decrypting with the recovery disk, the result to the disk could be fatal and non-recoverable. It is also highly recommended to use the latest recovery disk available for the version you are running.
Recovery Images can be obtained by following the links below:

Windows

• PGP Desktop 9.0.x – 9.7.x for Windows Recovery Disk Images http://www.symantec.com/docs/TECH156339
• PGP Desktop 9.8.x – 9.12.x for Windows Recovery Disk Images http://www.symantec.com/docs/TECH148915
• PGP Desktop 10.0.x and 10.1.x for Windows Recovery Disk Images http://www.symantec.com/docs/TECH152604
• PGP Desktop 10.2.x for Windows Recovery Disk Imageshttp://www.symantec.com/docs/TECH176201
• Symantec Drive Encryption 10.3 for Windows Recovery Disk Images http://www.symantec.com/docs/TECH199905
• Symantec Drive Encryption 10.3.1 for Windows Recovery Disk Images http://www.symantec.com/docs/TECH210465
• Symantec Drive Encryption 10.3.2 for Windows Recovery Disk Images http://www.symantec.com/docs/TECH214378

Mac OS X

• PGP Desktop 10.1.x for Mac OS X Recovery Disk Images http://www.symantec.com/docs/TECH152610
• PGP Desktop 10.2.0 for Mac OS X Recovery Disk Images http://www.symantec.com/docs/TECH176187
• PGP Desktop 10.2.1 for Mac OS X Recovery Disk Images http://www.symantec.com/docs/TECH197687
• Symantec Drive Encryption for Mac OS X Recovery Disk Images 10.3.0http://www.symantec.com/docs/TECH199906
• Symantec Drive Encryption for Mac OS X Recovery Disk Images 10.3.1http://www.symantec.com/docs/TECH210464
• Symantec Drive Encryption for Mac OS X Recovery Disk Images 10.3.2http://www.symantec.com/docs/TECH214377

Caution: Users with extended partitions on their hard disks that were encrypted should ONLY use the latest available Recovery disk for your version. Prior versions could cause these partitions to no longer be visible to Windows after fully decrypting the disk.
Once you have started to decrypt a disk or partition using a recovery CD, do not stop the decryption process. Depending on the size of the disk being decrypted, this process can take a long time. A faster way to decrypt the drive is to use another system that has the same version of Encryption Desktop\PGP Desktop installed on it.

Use the Recovery Disk with the following instructions if experiencing blue screen failures at boot up:
1. Boot the system with the recovery disk.
2. Do not continue with the normal sequence of entering a passphrase.
3. Go to the “advanced" panel.
4. This message “PGPWDE record inconsistency on 1 disk(s) was found and fixed" might be displayed. If this message is seen, the BSOD (blue screen failure) will be fixed.
5. Return back to the previous screen and continue to boot from the recovery CD. Rebooting without the Recovery Disk in the drive also works.

Use the Recovery Disk with the following instructions should the system not boot into Windows for any other reasons:

The Symantec Encryption Desktop for Windows User’s Guide provides instructions for creating recovery disks. 

1. Boot the system with the recovery disk.
2. When prompted, press any key to continue. Drive Encryption Recovery searches for user records and prompts to press any key when the records are found.
3. Press any key to continue.
4. On the PGP BootGuard screen, enter the passphrase and user name, if required.
5. Press D to decrypt the drive. Drive Encryption Recovery starts decrypting your disk.

Note: Decrypting using a Recovery disk might take considerably more time than it does from within Windows.

安裝好 PGP Desktop E-mail 後,outlook 無法發信出現【PGP Universal service not available】

請將 Outgoing Mail Server (SMTP) 中，SSL/TLS 下拉改選【Do not attempt】即可解決

[點圖可放大]

 

【其他的除錯步驟】

1.Exit PGP Services 後，確認 Outlook 寄信是否正常，若仍不正常則可能是原始 mail client 設定有問題
 

 

2. 刪除重建 PGP Desktop E-mail service

3.提供用戶端 log

4.Enterprise Support – Symantec Corp. – Troubleshooting: PGP Messaging Services for PGP Desktop 10 for Windows
http://www.symantec.com/business/support/index?page=content&id=TECH149647

 

By default, PGP Desktop automatically determines your email account settings and creates a PGP Messaging service that proxies messaging for that email account.

Because of the large number of possible email account settings and mail server configurations, on some occasions a messaging service that PGP Desktop automatically creates may not work quite right.

 

If PGP Desktop has created a messaging service that is not working right for you, one or more of the following items may help correct the problem:

Verify that you can both connect to the Internet and send and receive email with PGP Services stopped. To do this:
Right-click the PGP Desktop Tray icon and select Stop PGP Services from the list of commands.

Note: You should always restart your email client after starting or stopping PGP Services.
Read the PGP Desktop Release Notes for the version of PGP Desktop you are using to see if your problem is a known issue.

Make sure SMTP authentication is enabled for the email account (in your email client). This is recommended for PGP Desktop to proxy your messaging. If you only have one email account and you are not using PGP Desktop in a PGP Universal Server-managed environment, then SMTP authentication is not needed. It is required when using a PGP Universal Server as your SMTP server, or when you have multiple email accounts on the same SMTP server.

Open the PGP Log to see if the entries offer any clues as to what the problem might be.

If SSL/TLS is enabled in your email client, you must disable it there if you want PGP Desktop to proxy your messaging. (This does not leave the connection to and from your mail server unprotected; by default PGP Desktop automatically attempts to upgrade any unprotected connection to SSL/TLS protection. The mail server must support SSL/TLS for the connection to be protected.)

If either Require STARTTLS or Require SSL is selected (in the SSL/TLS settings of the Server Settings dialog box) your mail server must support SSL/TLS or PGP Desktop will not send or receive any messages.

If your email account uses non-standard port numbers, make sure these are included in the settings of your messaging service.

If PGP Desktop is creating multiple messaging services for one email account, use a wild card for your mail server name.

Delete the PGP Messaging service that is not working correctly and send/receive email. PGP Desktop regenerates the messaging service.
If none of these items help correct the problem, try manually creating a PGP Messaging Service.

5.
http://www.symantec.com/connect/forums/not-working-outbound-mail-encryption-outlook-2010-pgp-1021

Please reread the PGP Release Notes for any known conflict or settings adjustments that may be needed for your system.

Although I don’t see Norton 360 specifically mentioned, the following quote may offer guidance that might also help with Norton 360 use.

Symantec Norton AntiVirus 9.x through 10.x, Symantec Norton Internet Security 2003, Symantec Norton Internet Security 2004
Disable email scanning.
For Norton Internet Security users, disable Norton Privacy Control and Spam Alert.
Disable SSL/TLS in Server Settings in PGP Desktop and PGP Universal Satellite. (In PGP Desktop, select the PGP Messaging Control Box and then choose Messaging > Edit Server Settings. For SSL/TLS, select Do Not Attempt. In PGP Universal Satellite, on the Policies tab, select Ignore SSL/TLS.) These versions of Norton AntiVirus prevent all mail clients from using SSL/TLS, regardless of the use of PGP software.

Symantec Norton AntiVirus 11.x through 12.x, Symantec Norton Internet Security 2005, Symantec Norton Internet Security 2006
No special configuration required for MAPI email.
When using POP email, enable Auto-Protect and disable the Anti-Spam and Email Scanning options. Auto-Protect, which is enabled by default, provides protection against viruses in email messages when the message is opened.
Disable SSL/TLS in Server Settings in PGP Desktop or PGP Universal Satellite. (In PGP Desktop, select the PGP Messaging Control Box and then choose Messaging > Edit Server Settings. For SSL/TLS, select Do Not Attempt. In PGP Universal Satellite, on the Policies tab, select Ignore SSL/TLS.) These versions of Norton AntiVirus prevent all mail clients from using SSL/TLS, regardless of the use of PGP software.

1.  How long will the Symantec Encryption Management Server purge the logs?
The SEMS purge the logs in 1months time.

2. Where can I set the purge interval and find the logs percentage of hard disk usage?
You can set the purge time of the logs in the crontab.

---

In /etc/crontab edit the line

0 0 * * * root /usr/bin/pgpdellog.pl —days=30 /var/log/ovid >& /dev/null

and either change it to the desired value (–days=XX)

or comment the entry completely if the logs may not be deleted.
(by adding a # in front)

Depending on the requirements another solution might be to retain regular backups (which also contain the logfiles).

---

3. Location of the logs are available at 2 places1

(1) /var/log/ – General system logs
(2) /var/log/ovid/ – pgp process logs

4.If you want to list the size of the folder size please use
du -sh* or du -sh /var/log/ovid

You can use winscp to copy the logs from the linux machine to the windows and then delete the logs manually from the specifc location as mentioned above.
Please do not delete the parent location but only the logs inside the parent folder.

PGP 主控台更新時，如何關閉用戶端的升級通知

Symantec™ Endpoint Encryption 授權移轉聲明

2014年10月6日

通知 ID： SEE11-80188309-N-2xxxxxx

客戶編號： 60xxxxxx

銷售訂單號: 21xxxxxx

xxxxxxxxxxxxxxxxx. LTD

致以下產品客戶：

Symantec Drive Encryption Symantec Drive Encryption with Encryption Management Server Limited Symantec Drive Encryption with Encryption Management Server Symantec Drive Encryption FlexChoice with Encryption Server Limited Symantec Drive Encryption FlexChoice with Encryption Server Symantec Drive and Removable Storage Encryption FlexChoice with Encryption Server Limited Symantec Endpoint Encryption Removable Storage Edition Symantec CAPS Activation Package for Whole Disk Encryption Symantec PGP Universal Server and Whole Disk Encryption for Servers

本公司很榮幸在此宣布，我們將於 2014 年 10 月 6 日推出以 PGP 技術為後盾的 Symantec Endpoint Encryption 11.0。 此全新版本可整合並簡化我們的產品，而且 只需單一授權即可涵蓋磁碟與抽取式媒體加密及可擴充管理功能。

享有上述產品現有維護服務的客戶將可等比例自動移轉至以 PGP 技術為後盾的 Symantec Endpoint Encryption。 此變更並不影響您目前的部署，而且您也無須採取任何行動。

如果不想升級現有的實作至新產品，您可以繼續使用現有的端點式加密用戶端與管理伺服器。 您現有的實作將於新的混合產品環境中搭配新產品使用。

Symantec Endpoint Encryption 與移轉的相關詳細資訊如下： http://www.symantec.com/docs/HOWTO101492

授權

不會停止供應任何產品。如果有需要，可參考以下授權碼解除產品鎖定，以及用於從 FileConnect 存取檔案的序號。

注意：如先前所述，您可繼續使用目前的加密用戶端和管理伺服器。藉由採用 PGP 技術的 Symantec Endpoint Encryption， 您有資格免費獲得 Symantec Drive Encryption 及 Symantec Encryption Management Server。

產品	數量	授權碼	序號
以 PGP 技術為後盾的 Symantec Endpoint Encryption 11.0	40	N/A – 不適用	M3755xxxxxx
含 Symantec Encryption Management Server 3.3	Dxxxx-xxxxx-LZPLV-9R5Y1-6ETKF-VUA
Symantec Drive Encryption 10.3 (獨立/未受管理)	Dxxxx-xxxxx-FTPFW-YL3VW-X7ZMX-AJC

下載賽門鐵克軟體

請使用上表的序號存取 FileConnect 中的產品。

支援

您的技術支援體驗不會變更，仍可繼續享有目前擁有的各項產品支援。

賽門鐵克致力於協助客戶使用賽門鐵克解決方案達到事業上的成功。若您對於本通知中的內容有任何問題， 請聯絡您的賽門鐵克合作夥伴或賽門鐵克企業業務經理。

感謝您使用賽門鐵克公司的產品與服務。

敬祝商祺

賽門鐵克公司

實用聯絡資訊︰

注意： 請勿回覆此電子郵件，因為它是系統自動產生的，而且此信箱無人監控。請改用以下客戶服務中心連結請求協助。

客戶服務中心：

http://www.symantec.com/zh/tw/business/support/assistance_care.jsp

若要深入瞭解賽門鐵克產品，請造訪：

http://www.symantec.com/zh/tw/

若要尋找當地的技術支援中心聯絡資訊，請造訪︰

http://www.symantec.com/zh/tw/business/support/techsupport_global.jsp

無法讀取此電子郵件？	閱讀線上版本

使用下列語言檢視這封電子郵件：

English | Deutsch | Español | Français | Italiano | Português | 繁體中文 | 简体中文 | 한국어

Surface Pro 3 安裝 PGP 全硬碟加密並完成加密，但回復原廠預設值後仍跳出註冊與 unlock disk 畫面

重開機後仍出現 BootGuard 驗證頁面

輸入第一次加密的 passphrase 仍無法通過驗證，之後出現以下頁面

試過格式化、重新以授權光碟重新安裝都有問題

【解決方案】

1.Surface Pro 3 安裝 PGP 全硬碟加密並完成加密，欲回復原廠預設值前請先進行解密

2.如果未解密便回復原廠預設值，請您參照以下方式將 Surface Pro 3 復原

【About Surface pro 3】下載 Microsoft Surface 適用的復原映像

必須要先以 Windows Live ID 註冊 Surface Pro 3，並以此 Windows Live ID 登入以下頁面，網頁會依據您註冊的 Surface Pro 版本提供您正確的 Surface Pro Image 來還原

http://www.microsoft.com/surface/zh-tw/support/warranty-service-and-recovery/downloadablerecoveryimage

註：Surface Pro 3 的硬碟配置