Decrypt a disk with an Additional Decryption Key (ADK) and PGP Encryption Desktop

Article ID: 153607


Products

Drive Encryption, Encryption Management Server

Issue/Introduction

If an Additional Decryption Key (ADK) is configured on the PGP Encryption Server (Symantec Encryption Management Server), the ADK is automatically added to the list of users authorized to manage each disk encrypted by a Drive Encryption client that the server manages.

This means that the ADK private key, together with its passphrase, can be used to authenticate to such a disk and, if required, decrypt it.

For more information on ADK Best Practices and Guidelines, see the following KB:

153511 - Additional Decryption Key (ADK) Guidelines for the PGP Encryption Server (Symantec Encryption Management Server)

Environment

  • Symantec Encryption Desktop drive encryption 10.5 and above.
  • Symantec Encryption Management Server 10.5 and above.

Resolution

To authenticate to a disk, or to decrypt it, using an ADK or any other key such as the Disk Administrator Key, PGP Encryption Desktop must be installed on the machine performing the operation.

In practice this means that the encrypted disk must be attached as a secondary disk to a machine running PGP Encryption Desktop.

Decrypting a disk in place is not recommended because there is always a risk that the disk is damaged. A bad sector can cause decryption to fail part way through, leaving the disk in a half-decrypted state that can no longer be read.

A safer option is to authenticate to the disk and copy the required files from it. Once you are confident that you have recovered all the necessary files, you can either decrypt the disk or simply replace it.

To authenticate to the disk:

  1. Import the ADK keypair (both the private and the public key) into PGP Encryption Desktop. You must know the passphrase of the private key; the public key alone cannot authenticate to the disk.
  2. Attach the encrypted disk to the computer as a secondary disk.
  3. If you are prompted for a passphrase, enter the passphrase of the ADK. The disk is unlocked, and you can open it in File Explorer and copy files from it.
  4. If you are not prompted for a passphrase, authenticate from the command line as follows:
  • Open a command prompt.
  • Change to the PGP Desktop installation directory:
cd "\Program Files (x86)\PGP Corporation\PGP Desktop"
  • List the disks and note the number of the encrypted one:
pgpwde --enum
  • Confirm that the ADK is listed as a user of that disk (disk 1 in this example):
pgpwde --list-users -d 1
  • Authenticate to the disk. In this example disk 1 is the disk encrypted to the ADK, the Key ID of the ADK is 0x12A34BCD and the passphrase of the ADK is mypassword:
pgpwde --auth -d 1 --keyid 0x12A34BCD -p mypassword
Request sent to Authenticate disk was successful
  • Note that a passphrase supplied with -p is visible in the command prompt's session history and in the process command line while pgpwde runs. Close the command prompt when you have finished, and do not save the command in a batch file.
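The command-line authentication steps above, wrapped in a PowerShell script that checks each step before moving on. This is an added example and not part of the KB article or of PGP Encryption Desktop; it assumes the default installation path shown above, that pgpwde --list-users accepts the same -d <disk> switch as --auth, and that the Key ID appears verbatim in the --list-users output. The passphrase is read interactively so that it does not end up in the command history.

```powershell
# Added example (not from the KB article): authenticate to a secondary PGP Drive
# Encryption disk with an ADK before copying files off it.
# Assumptions: pgpwde.exe is at the default PGP Desktop path, --list-users takes
# -d <disk> like --auth does, and the Key ID is printed verbatim by --list-users.
param(
    [Parameter(Mandatory)][int]$Disk,      # disk number as shown by 'pgpwde --enum'
    [Parameter(Mandatory)][string]$KeyId   # ADK Key ID, e.g. 0x12A34BCD
)

$pgpwde = Join-Path ${env:ProgramFiles(x86)} 'PGP Corporation\PGP Desktop\pgpwde.exe'
if (-not (Test-Path $pgpwde)) {
    throw "pgpwde.exe not found at $pgpwde; PGP Encryption Desktop must be installed on this machine."
}

# 1. List the disks so the operator can sanity-check the number they passed in.
& $pgpwde --enum
if ($LASTEXITCODE -ne 0) { throw "pgpwde --enum failed with exit code $LASTEXITCODE" }

# 2. Refuse to continue unless the ADK is actually a user of this disk. Authenticating
#    with a key that is not on the disk's user list cannot succeed.
$users = (& $pgpwde --list-users -d $Disk 2>&1) | Out-String
if ($users -notmatch [regex]::Escape($KeyId)) {
    throw "Key $KeyId is not listed as a user of disk ${Disk}:`n$users"
}

# 3. Read the passphrase interactively instead of putting it on the script's command
#    line, so it is not recorded in the console history or a batch file.
$secure = Read-Host -Prompt "Passphrase for ADK $KeyId" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

try {
    # 4. Authenticate to the disk; pgpwde reports the result on stdout.
    & $pgpwde --auth -d $Disk --keyid $KeyId -p $plain
    if ($LASTEXITCODE -ne 0) {
        throw "Authentication to disk $Disk failed with exit code $LASTEXITCODE"
    }
    Write-Host "Disk $Disk is authenticated. Copy the files you need, then decide whether to decrypt or replace the disk."
}
finally {
    # Best effort: do not leave the plaintext passphrase in the session.
    $plain = $null
}
```

Run it from an elevated PowerShell prompt as .\Auth-AdkDisk.ps1 -Disk 1 -KeyId 0x12A34BCD. The passphrase still has to be handed to pgpwde via -p, so it is briefly visible in that process's command line; the script only keeps it out of the persistent history and out of any saved script text.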

To decrypt the disk:

  1. Open PGP Encryption Desktop.
  2. Click PGP Disk and select Encrypt Disk or Partition.
  3. Select the disk to decrypt and click the Decrypt button.
  4. When prompted, type the passphrase for the ADK.