This week I had a frustrating incident occur that I’d never wish upon anyone again – my PGP-encrypted laptop hard drive was corrupted! Luckily, I was able to recover the data after hours of research and labor. The whole experience was a painful one and it’s really turned me off from whole-disk encryption as a whole.
The initial problem was caused by one of my least-favorite pieces of software in the world – the Ubuntu graphical installer. I was installing Ubuntu onto an external hard disk while using a Ubuntu LiveCD, and in the process of installing the OS, it overwrote the MBR on my laptop’s hard disk. This seems to be a common pitfall affecting Ubuntu users. Installing GRUB to the first hard disk is apparently the default behavior, according to several posts on the Ubuntu forums. I must have missed the “Advanced” menu option to specify the bootloader location.
Installing GRUB to the MBR wouldn’t be terrible, if not for the fact that PGP Whole Disk Encryption (WDE) also uses a non-standard Windows bootloader – a piece of software called BootGuard that prompts the user for the decryption key to the drive. Because GRUB took over the MBR on my hard drive, BootGuard would no longer execute – and thus the contents of my two partitions were stuck as encrypted with no decryption mechanism on the disk.
Adding further frustration to this issue was the fact that Ubuntu (loaded onto the external HD) wouldn’t even boot up without the laptop’s HD – because the GRUB boot loader was on the internal, encrypted HD, rather than the external HD that held the rest of the operating system.
So, I was stuck with an encrypted Windows installation and a halfway-usable fresh Ubuntu install. What’s a guy to do?
Fortunately, if there’s one thing that our office has, it’s a lot of computers. I was able to use a backup laptop to begin doing some research into recovery options.
PGP has recovery boot disks that can be used to decrypt a drive, so this was the first thing I tried. With my encrypted (and inaccessible) disk in the bay of my laptop, I booted with the PGP recovery CD. Unfortunately, this returned an error – “Internal error accessing disk, 0x80”. A common error, if you do a little googling. Something was wrong in the disk’s partition table or boot record – I would need to try another method.
The first method I found in the PGP Knowledge Base was in Tech Note 807 , which suggests creating a Windows PE recovery disk that supports PGP disk recovery. I followed this path for a while, but had some issues slipstreaming the PGP software into the disk. I gave up eventually after seeing a few other simpler methods suggested.
The simpler recovery method recommended by the members of the PGP forum and the PGP Knowledge Base was to install PGP Desktop on another PC, slave the encrypted drive to that machine, and decrypt the drive using the second PC. I was able to get the PGP Desktop software from our administrator and install it temporarily on a new computer, then cable in my encrypted drive with an IDE to USB adapter. This looked promising at first, with the machine able to recognize the drive and see its (unreadable due to encryption) partitions, but PGP wasn’t able to identify the drive as holding encrypted data. After a few tries (and a few hours), I decided to move on and try a different vector.
I had seen a post on the support forum suggesting using a Windows disk to rebuild the MBR to a normal Windows state. After doing this, the PGP recovery disc may work, since PGP is prepared to deal with a situation like this (somehow!). By doing this, I realized I would lose the GRUB bootloader info for my Ubuntu installation, so I first pulled that off the drive from within Ubuntu (cat /boot/grub/menu.lst > /home/menu.lst). This would give the UUID of the Linux installation if I ever want to try and get it working and bootable.
After doing that, I decided to just go for it. After installing the encrypted drive into a spare laptop chassis, I put the Windows disc into the CD drive, booted to the recovery console (type R when prompted), and then ran the fixmbr command for the drive. Rebooted, and… unable to find operating system. This was progress! No more GRUB bootloader!
Finally, I put in the PGP recovery disk again, booted off it, and instead of the error I saw before, it continued on to the recovery console – and it recognized my PGP-encrypted disk! I typed in my passphrase, and then, very cautiously, chose “D” to decrypt the drive. It very slowly started to decrypt.
The entire decryption process when running from the recovery disk takes quite a long time – on this disk (60GB), it was only about 15% along after 90 minutes. I left the computer plugged in overnight and let it run. When returning to the office this morning – it was done! I put it back into my original laptop chassis (I was using a temporary one while I rebuilt a new installation of Windows on a spare HD in the main chassis), and it booted up as if nothing had ever happened. The whole thing was pretty funny, actually – to see the little guy churning along as if it hadn’t been on the brink of death just 24 hours before.
This entire experience has left a bad taste in my mouth regarding whole disk encryption. It’s very secure, and my experience with PGP prior to this incident had been pretty drama-free, but when it fails, it fails very dramatically. PGP has very sparse documentation about the recovery process, and seems to take the opinion that their software is so reliable that they don’t need to spend much time making recovery a little bit easier. For a user who’s done nothing wrong, they make the barriers to recovery too high – I had the decryption passphrase, and a simple mistake was enough to ruin all my data. I was on the verge of scrapping the drive, suffering an unexpected data loss (which even regular backups can’t protect against perfectly).
I’ll probably avoid PGP WDE in the future, but whole disk encryption as a concept isn’t going away anytime soon. It would be good for developers to keep disaster recovery methods in mind when creating their software!
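To make the mechanics of what happened concrete, here is an added example (written for this page, not code from the post or from PGP) that parses a 512-byte MBR into its three regions: the boot code (bytes 0-445, where GRUB stage 1, BootGuard or the Windows loader lives), the four 16-byte partition entries (bytes 446-509) and the 0x55AA signature. It then simulates a boot-code rewrite, which is what grub-install, fixmbr and ms-sys all do, and checks that the partition table survives it. The MBR bytes, boot-code strings and partition offsets are constructed placeholders, not data from a real disk or any real bootloader. The point it demonstrates is why overwriting the MBR cut off access to the encrypted partitions without touching them, and why running fixmbr afterwards was safe for the data.

```python
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot loader code
PART_TABLE_OFF = 446         # bytes 446..509: four partition entries
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510          # bytes 510..511: 0x55 0xAA boot signature
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def read_first_sector(path):
    """Read the first 512 bytes of a device or dd image (read-only, never writes)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Split an MBR into boot code and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIGNATURE_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:           # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,        # 0x07 = NTFS/HPFS/exFAT, 0x83 = Linux, ...
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions}


def replace_boot_code(sector, new_code):
    """Simulate a boot-code rewrite (grub-install, fixmbr, ms-sys):
    only bytes 0..445 change; partition table and signature are kept."""
    if len(new_code) > BOOT_CODE_LEN:
        raise ValueError("boot code does not fit in 446 bytes")
    return new_code.ljust(BOOT_CODE_LEN, b"\x00") + sector[BOOT_CODE_LEN:]


def partitions_survive_rewrite(before, after):
    """True if the partition tables of two MBRs are identical."""
    return parse_mbr(before)["partitions"] == parse_mbr(after)["partitions"]


def make_sample_mbr(boot_code, partitions):
    """Build a constructed MBR for demonstration (not a real disk image).
    partitions: list of (status, type, lba_start, sector_count)."""
    table = b"".join(
        struct.pack(PART_ENTRY_FMT, status, b"\xff\xff\xff", ptype,
                    b"\xff\xff\xff", lba_start, sectors)
        for status, ptype, lba_start, sectors in partitions)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + b"\x55\xaa"


# Constructed layout resembling the post: two partitions (C: bootable, D:),
# both typed NTFS. The boot-code strings are placeholders, not real loaders.
SAMPLE_PARTITIONS = [(0x80, 0x07, 63, 60_000_000), (0x00, 0x07, 60_000_063, 50_000_000)]
BOOTGUARD_MBR = make_sample_mbr(b"PLACEHOLDER-BOOTGUARD", SAMPLE_PARTITIONS)
GRUB_OVERWRITTEN_MBR = replace_boot_code(BOOTGUARD_MBR, b"PLACEHOLDER-GRUB")
FIXMBR_MBR = replace_boot_code(GRUB_OVERWRITTEN_MBR, b"PLACEHOLDER-WINDOWS")

if __name__ == "__main__":
    for name, mbr in [("BootGuard", BOOTGUARD_MBR),
                      ("after grub-install", GRUB_OVERWRITTEN_MBR),
                      ("after fixmbr", FIXMBR_MBR)]:
        parsed = parse_mbr(mbr)
        print(name, "boot code:", parsed["boot_code"].rstrip(b"\x00"))
        for p in parsed["partitions"]:
            print("  partition", p)
    print("partition table unchanged across rewrites:",
          partitions_survive_rewrite(BOOTGUARD_MBR, FIXMBR_MBR))
```

Run against a dd image of a drive's first sector (or a device node, read-only) with `parse_mbr(read_first_sector(path))` to see the same split on a real disk. The first 446 bytes are the only thing fixmbr, grub-install or ms-sys replace, which is why the partition entries, and the encrypted data they point at, were untouched in the post; the decryption software itself lives in those first bytes, so losing them leaves the partitions unreachable until a recovery disk supplies it again.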
Tags: disk recovery, encryption, pgp
Thanks for posting about your experience. I’m a support engineer at PGP Corporation, and being immersed in our products daily, I feel very confident in the recovery processes if something goes wrong. However, it’s clear from the above that your experience left much to be desired, so I’d love to chat about it and see if we can improve the availability of the information for others that follow.
I apologize for posting on your blog publicly, but that’s the only way that I could see to get in touch.
I look forward to hearing from you.
Nathan
Hello Nathan,
I would like to find out what to do if my CD is encrypted with .PGP protection. How can I decrypt it and see my data again?
Thanks
please contact me at the above email address: aua_0786@yahoo.com
It’s kind of an interesting experience you’ve had using PGP; personally I only use PGP on e-mail and never a whole hard drive. But I must say it’s encouraging to see Nathan from the PGP Corporation post a comment offering to help, which will maybe help resolve this type of issue for other users.
Thanks for your blog! I will actually be accomplishing this today! I shutdown my computer last night and now I’m having boot issues. Very disheartening.
Good luck, Sam!! I’ve had success with the method above on two separate PC’s.
Interesting, but I had the added complication of my hard drive which was no longer accessible being the only place my private key was stored. Scuppered completely I’m afraid unless someone knows different.
Hi, cool post. I have been wondering about this topic,so thanks for writing.
My Windows XP (well, Microsoft…) on my company laptop got corrupted and I need to recover the valuable work data by booting through a USB flash drive, because our dumb IT suggested reformatting the drive; that’s scary.
And now I’m decrypting a 300GB PGP-encrypted hard drive using the recovery disk, and by its speed it’s going to take 3 days, which means I don’t have to work for 3 days.
Would PGP kindly improve the decryption speed? Drives nowadays are huge.
It’s so annoying to learn that PGP actually does data destruction better than data protection.
I could not recover my MBR with the Windows CD. I did it from ubuntu, with the “ms-sys” command.
See these links for details:
http://ubuntuforums.org/showthread.php?t=622828
http://linux.softpedia.com/get/System/Boot/ms-sys-7403.shtml
The decryption took 3 days. Intel Core 2 Duo with 250GB HDD.
mmm… kinda have a problem similar to JJ. I started up my PC, entered my PGP password and then laptop failed to bootup due to a corrupt hal.dll file.
IT guys replaced the drive and handed over my old encrypted drive which I wanted to use to transfer contents of my documents onto my new drive.
However, when connecting the old drive with a USB to the laptop, my documents and all other folders usually under your profile cannot be seen. First time I actually saw what PGP does, and it actually works, to my frustration I might add.
I asked how do I then copy over data from my old encrypted disk. They tried to decrypt but apparently it fails due to ‘bad sectors’ on the drive.
Any suggestions ?
Naeem,
Fortunately I haven’t had any more problems with PGP since this experience (probably cuz I switched to Truecrypt! Ha!)
But any “bad sectors” error sounds like you could have some physical damage. That may also have been the root cause of your corrupted DLL.
Hard to say, really. Did you try the steps from above?
Hi, Jon,
I had a similar situation to what you had. I have a SATA HDD which was encrypted by PGP v9.10. There was only one partition (C:) on that disk.
Yesterday, for some reason, I removed the HDD from my machine. I’m sure I did everything right (I shut down Windows before I removed the HDD). Some time later, I installed the HDD in my machine again, and I saw the message just like your ‘unable to find operating system’.
I got another Windows machine, cabled in my encrypted HDD with an IDE to USB adapter. This windows machine can recognize this HDD as a mass storage device, but windows just doesn’t think there is any partition (I can’t see this disk in the explorer). There is important data in this disk, so I’m very cautious in fixing this problem.
I guess this problem is related to the MBR or partition table, but I don’t know if the data will be corrupted if I follow your method (running fixmbr with the Windows recovery disk).
Any suggestions on this?
thank you in advance.
–Wenbo
Wenbo-
I am by no means a drive recovery expert, but my understanding is that modifying the MBR won’t affect your data. It may render it inaccessible, but it is still there physically.
Regarding your situation, it sounds like the MBR is OK, but BootGuard (PGP’s MBR wrapper) isn’t loading. I would try to use the PGP recovery disk on the drive first, ideally in your original machine.
Hi, Jon,
In your situation, you did fixmbr first, followed by a PGP decryption. In my case, because I didn’t know if fixmbr would cause any problem to my encrypted HDD, I just used a PGP recovery disk to decrypt the HDD. This step finished without any error. I connected the decrypted HDD to a Windows machine. Windows recognized this HDD as an unformatted disk. I was really scared.
I tried many data recovery tools; only one of them (Dataexplorer) got some of my data back, and most of my data is still missing. I wonder whether the decryption process wrote some HDD sectors and destroyed some data.
I know you aren’t a drive recovery expert, so it’s fine if you can’t help. Thank you for your kind reply anyway.
I seem to have a corrupt MBR myself, actually. Not realizing that PGP WDE’s MBR wrapper was installed, I mindlessly ran FIXMBR. Now I’m in a bit of a problem …
Casey,
From what I understand, you’re now in a state where you can use the PGP recovery disk to reinstall the wrapper. Or, decrypt the drive using the recovery disk and reinstall the WDE.
Wenbo,
Sounds like you may have had a damaged disk. Sorry that you weren’t able to get everything back but hopefully you got something!
Hi, I think my problem is similar. Basically, I have a work laptop with PGP on it. There is a data partition D, and OS C.
I wanted to dual boot winxp (on C) and install win7 on D. So, I installed win7 on partition D, and once it was finished, I could not log into my winxp installation and no longer see the secureboot login asking for my passphrase. However, I can log into Win7 successfully.
Any ideas? The problem is that I’m not sure which version of PGP is on it, but I know it’s probably from 2008 or so since that’s when we bought the laptop. Would it be possible to install PGP on win7 and do something in order to allow me to boot into winxp again? Can I alter the boot.cfg?
Thanks
HI Jon.
My issue is that it’s only the directories under my username in Documents and Settings that I can’t ‘see’ when connecting the drive to my machine. The IT dept tried to decrypt but it kept on bombing out and never finishes the decryption process. They didn’t run fixmbr before trying to decrypt. Do you suggest trying that?