How to use a Disk Administrator Key with Symantec Encryption Desktop and Symantec Encryption Management Server
Last Updated October 01, 2013
One of the Consumer Policy options in SEMS (Symantec Encryption Management Server) is as follows:
Encrypt Windows Drive Encryption disks and PGP Virtual Disks to a Disk Administrator Key. Import a public PGP key file that may be used to access a Whole Disk Encrypted disk or PGP Virtual Disk. Accessing the disk requires the private portion of the PGP key to be on a supported smart card.
Adding a disk administrator key to encrypted disks is a method of recovering from situations where a user forgets their Bootguard passphrase. It provides an alternative or addition to the Disk Administrator passphrase and the WDRT (Whole Disk Recovery Token).
One advantage of using a token is that it can be protected by physical security, e.g., kept in a locked safe.
An example of a supported device is the Athena ASEKey Crypto USB Token (also known as the ASEKey Crypto SIM Token) which is an integrated SIM format smart card and SIM reader.
To use this USB token the steps are as follows:
Insert the token into a USB slot on a Windows machine running SED (Symantec Encryption Desktop).
Install the IDProtect Manager software that is provided with the token.
Run the IDProtect Format application to format the token. The default PIN is 11111111.
Open SED and under the Keys section on the left of the main window you should see Smartcard keys. If you do not, then the token is not installed properly.
From the File menu choose New PGP Key.
The PGP Key Generation Assistant will start.
At the bottom of the first screen enable the option: Generate Key on Token: Athena Smartcard Solutions ASECard Crypto.
Create the key using the Key Generation Assistant. The key will be stored on the token.
Export the public key by right clicking on the key and choosing Copy Public Key or exporting to file.
On the SEMS, edit the appropriate Consumer Policy and import the public key as a Disk Administrator Key.
Users of this policy will have the Disk Administrator Key added to their encrypted disks.
To authenticate at Bootguard, insert the token and if the Simple Bootguard authentication is being used, enter the PIN as the passphrase and press CTRL+Enter. This will cause the key on the token to be read and authentication to take place. If Detailed Bootguard authentication is being used, press F7 to enter the PIN and press Enter.
It is important to test that the token can be used to authenticate at Bootguard in your environment. Some hardware may not work correctly and during informal testing it was found that PGP Desktop 10.2.1 did not work correctly at Bootguard.
Note that while Bootguard passphrases can be locked out if the appropriate Consumer Policy setting is enabled, this does not apply to the disk administrator key.
If token authentication does not work at Bootguard, the disk can still be accessed and decrypted by attaching it as a secondary (slave) disk to another machine that has the token and the IDProtect management software installed, and then using the pgpwde command line program.
For example, enter the following command to authenticate to disk 1 where the Administrator Key ID is 0xAB12C345 and the PIN is 11111111: