Best Practices for Data Recovery using Symantec Endpoint Encryption - Full Disk (SEE-FD)
Last Updated September 09, 2011
When a computer encrypted with Symantec Endpoint Encryption - Full Disk experiences a failure of any type, it is the policy of Symantec Technical Support to use a step-by-step approach to attempt to access and back up the computer’s encrypted files before any attempt to restore the system, so as to protect against possible data loss during the repair process.
IMPORTANT NOTE: Symantec highly recommends that you contact technical support at the earliest possible convenience when dealing with a technical issue that involves critical data. Please document all events that preceded the problem, and list any actions taken and error messages encountered.
The Recovery Process Steps Summary:
It is recommended that the following actions take place in the order listed for the best possible chance at recovering data.
1. Contact your internal help desk for assistance.
2. Contact Symantec Technical Support for assistance.
3. Run “Recover /a”.
4. Run the SEE Hard Disk Access utility and back up any data.
5. Perform a Hard Drive consistency check.
6. Perform a hard drive backup using a “sector by sector” copy method.
7. Run “Recover /d” emergency decryption.
Contacting internal help desk (Step 1)
Contact your internal help desk for assistance.
Contacting Symantec (Step 2)
Contact Symantec Technical Support for assistance.
Run “Recover /a” (Step 3)
The recommended first step, after contacting your internal company help desk and the Symantec technical support team, will be to attempt to repair the SEE Hard Disk Operating System (RTOS) if it has been damaged. The use of the recover utility with the /a parameter will not harm the drive or any data it contains.
The command to run this utility is: “recover /a”
WARNING: Do not run the recover program with the “/d” or “/b” parameters until instructed to do so; running them before then risks data loss.
Endpoint Encryption Hard Disk Access Utility (Step 4)
Symantec recommends running the Hard Disk Access Utility and attempting to back up the data to a secondary location for safe keeping.
- Boot the system with SEE-FD-Access-7.X.X.iso. (The SEE-FD Access Utility is available on request from Symantec Support.)
- MS-DOS commands like copy and xcopy can then be used to back up data to a network share (by mapping a drive using the NET USE command) or to a USB storage device. This allows data to be backed up and retrieved in case a user experiences a failure within Windows.
Hard Drive Consistency Check (Step 5)
Using the hard drive manufacturer's recommended method, perform a low-level consistency check to verify that the hard drive hardware is operating normally. This is to eliminate the possibility that a mechanical failure is the root cause of the problem. This will usually require a separate boot disk with the manufacturer’s utility on it.
Hard Drive Backup (Step 6)
At this point, a backup of the hard drive should be taken for protection against possible data corruption. Further attempts at recovering data will involve writing to the drive and will increase the risk of data loss. Symantec recommends that Symantec Ghost be used to create a “sector-by-sector” copy of the hard drive.
Symantec Technical Support can provide instructions on performing a sector-by-sector backup of the hard drive.
Run “Recover /d” (Step 7 - Emergency decryption)
The emergency decryption process is used to decrypt a hard drive in the event that normal decryption methods are unsuccessful. The emergency decryption utility is a very powerful tool that will decrypt the entire hard drive when authorized by a Hard Disk administrator. There are some very important points to keep in mind when using this utility:
- Never stop the emergency decryption process while in progress!
- Do not run the “recover /d” command more than once, even if it did not appear to work.
- Be patient! The program may appear to be working slowly or not at all at certain points, but the program is most likely still running.
- Do not run either Recover /D or Recover /B more than once; doing so will cause file corruption on the hard drive (making any data unrecoverable).
- If Recover /D starts, but does not complete, do not run /B. Recover /B is a variation of /D, not a next step.
Recover /B performs the same emergency decryption of a system as Recover /D, but by using a backup file extracted from the server it can do so when the Workstation Encryption Key is not available on the disk.
- These are the Admin credentials for the SEE package, not the system Admin credentials.
- The system is now ready to boot up in normal mode.