How to Decrypt a Drive with Symantec Endpoint Encryption
search cancel

How to Decrypt a Drive with Symantec Endpoint Encryption

book

Article ID: 151447

calendar_today

Updated On:

Products

Endpoint Encryption Drive Encryption

Issue/Introduction

This article will outline how to decrypt a drive with Symantec Endpoint Encryption remotely as well as manually.
 

Resolution

It is not recommended to decrypt systems for most reasons.  Decrypting will attempt to convert encrypted sectors to decrypted, and once decrypted, the system is in its most vulnerable state.
Decryption is also an irreversible process and should be done within a controlled environment to minimize exposure with your sensitive data. 
Instead of decrypting, reach out to Symantec Encryption Support for guidance.

Even in recovery situations, it is always recommended to leave the system encrypted, and attempt to authenticate the disk you are working with.

In most cases, it is not necessary to decrypt.  If you are sure decryption is the desired process, there are a few ways to address this. 

 

 

Decryption can be done in three ways:

 

  1. Local Method: When logging into the encrypted machine using the Symantec Endpoint Encryption Client Admin and opening the Client Console the option to decrypt the machine can be done manually.
  2. Server Commands Method: Provides the ability for an administrator to right-click a machine from the SEE Management Console and decrypt specific machines remotely.
  3. Remote/Policy Method: Create a GPO policy or SEE Native policy, and apply it to all the machines which are in the location in the Symantec Endpoint Encryption Manager. The remote decryption policy is used by policy administrators to decrypt all encrypted disk partitions on computers protected by Symantec Endpoint Encryption-Full Disk without having to physically send a client administrator to the location(s) of the computers.
     

1. Local Method

TIP: Make sure the system is plugged into AC power in order to encrypt or decrypt systems.

1. First open the Symantec Endpoint Encryption Client Administrator from the Start menu:

 

Confirm the User Account Control dialog to permit the SEE Client Administrator to open.

 

2. Enter the credentials for the SEE Client Administrator:

 

3. Click the Internal Drives tab to see the disks available.  On the right side, click the chevron  expansion symbol  to show all the disks.

Next, check the box next to the drive you wish to decrypt, and click "Decrypt":

Important tip: If you have multiple disks, such as a C: (boot) drive and a D: (data) drive, decrypt the D drive first:

 

4. The disk shows now be decrypting:

 

2. Server Commands Method to Decrypt a machine

WARNING: This is a highly sensitive setting and could result in all your machines being decrypted unintentionally.  Do NOT modify any existing policies with this setting.  Symantec recommends instead to decrypt systems on an as-needed basis using the local method.  

In order to decrypt a system via the server commands, login go the SEE Management Console, find the machine using the Computer Status Report, right click the machine and then select the option to decrypt:

Once a machine is decrypting, it is not possible to reverse the process so proceed with extreme caution.

 

 

3. Using a Decryption Policy via GPO or SEE Native policy

WARNING: This is a highly sensitive setting and could result in all your machines being decrypted unintentionally.  Do NOT modify any existing policies with this setting.  It is always recommended to create  separate SEE Native policy and assign designated machines to this policy for the sole purpose of decrypting.  Symantec recommends instead to decrypt systems on an as-needed basis using the local method.  If that is not possible, using the Server Commands and decrypting a single machine is then recommended.  This option should be used only when using extreme caution.


Using the SEE Native policy, it is highly recommended to create a separate group to assign machines to for the sole purpose of decrypting.

 

 

Using a Remote Decryption policy to decrypt machines

WARNING: This is a highly sensitive setting and could result in all your machines being decrypted unintentionally.  Do NOT modify any existing policies with this setting.  It is always recommended to create  separate GPO and assign machines to this GPO for the sole purpose of decrypting.  Symantec recommends instead to decrypt systems on an as-needed basis using the local method.  If that is not possible, using the Server Commands and decrypting a single machine is then recommended.  This option should be used only when using extreme caution.

  1. Right-click Group Policy Objects on the navigation tree.
  2. Click New. The New GPO (Group Policy Object Editor) window displays.
  3. Type the name of the Group Policy Object you wish to create.
  4. Click OK. The new Group Policy Object you created is displayed in the navigation tree.
  5. Right-click the new Group Policy Object on the navigation tree.
  6. Click Edit. The Group Policy Object Editor (GPOE) displays.
  7. Click Software Settings, Symantec Endpoint Encryption, Drive Encryption, Remote Decryption.
  8. Select the Change this Setting option.
  9. Select Decrypt all disk partitions.


  10. Click Save.
  11. Close the GPOE window.
  12. Drag and drop to link the policy to the target location containing the computers you wish to decrypt.
  13. Restart the computers receiving this computer policy to cause it to take effect.
  14. Monitor decryption progress using the Client Monitor.


    Warning: Although decryption of all disk partitions begins immediately after the remote decryption policy has been processed on the client computer, remote decryption is a computer policy which is only processed at boot time.

 

 

 

 

 

 

 

 

 



Additional Information

How to download Symantec Encryption products from the Broadcom download Portal (And where to find the license number for PGP)

Symantec Encryption Products Current Version Available

What's New with Symantec Endpoint Encryption 11.4 and 11.3.1