FWeston

PGP WDE 9.6 periodically won't boot

We have a bunch of laptops that are using PGP WDE 9.6.  The last batch of laptops we purchased were Dell Latitude E6410s and when we load WDE on these, in about 85% of cases it works fine, in 10% of cases, after entering the password into PGP BootGuard it periodically does not boot but works fine after rebooting and trying again, and in about 5% of cases it refuses to proceed past BootGuard no matter what we do (normal boot, recovery CD, etc).  The only way I have found to boot a system when it gets to this point is to use the recovery CD to decrypt the hard drive.

The problem with this approach is it takes all day, and the employee is meanwhile without a computer.  I've had this problem with 2 out of 30 systems, and both times it worked fine long enough to get deployed to the user, but then stopped booting completely a few days later.

I no longer have support from PGP, and they've told me that if I want to renew my support I would need to purchase all new licenses ($20k+), which is not an option.  I looked through the support forums, but most of the threads there don't end up with any sort of resolution.
btan

Saw this in PGP help list @ https://pgp.custhelp.com/app/answers/detail/a_id/470

Ideally the data should be backed up (https://pgp.custhelp.com/app/answers/detail/a_id/693) often, since we know WDE is not a 100% guarantee, especially when h/w or s/w (not necessarily PGP) can unexpectedly not perform as expected.

Sometimes the h/w provider may have a specific recovery partition that may hinder WDE providers, and even BIOS support for the smartcard/token stack at preboot can be another consideration. For s/w, there can be a third-party defragmentation solution that shifted critical files (stored in the HDD sector), and that can contribute to further damage - https://pgp.custhelp.com/app/answers/detail/a_id/495

Nonetheless, they should already be sorted out before deployment... For the long process to recover the systems, this is an expected risk to take if all the above is taken into consideration. Minimally, if we stay with this approach we will want to avoid h/w failure (e.g. use a new (or recent) HDD and not an "over-reused" one) and have data constantly backed up by users. Or maybe think of SSD, but it can be quite expensive.

I am thinking that to speed up the process it would be faster to clone back (assuming no h/w failure) the system partition and MBR while leaving the data partition intact (which typically is the culprit for the delay). The challenge is that if using cloning we are assuming the protection of the key file is the same, but it may change if using a different password; but it may be OK since it is the data which we are concerned about and it should be unique to each user - probably have to seek vendor advice on how that can be done - not familiar with PGP's capability for customisation.

In all, have separate partitions (system and data) and protect them independently, as I see that recovering a system partition may be faster.
I do not see that changing WDE s/w will help operationally though ... just some thoughts

Or maybe we do not want full HDD encryption but only the data partition, or even go for a file container type such as TrueCrypt (it does not have enterprise support such as central mgmt though), but users need to store working data in that store. Tough though if we cannot eliminate the remanence totally when using third-party applications for processing, e.g. they can dump to a temp application folder normally installed in the system drive (maybe install it in the data partition etc). Not a foolproof solution, but it depends on risk appetite.
FWeston

ASKER

I don't think this could be a hardware problem because all of the systems are brand new.  Likewise I don't think it could be software because only 2 out of the 30 systems are affected and they are all identical.

When I decrypt the systems that have trouble booting using a recovery disk, they boot and work just fine once the drive is no longer encrypted.
ASKER CERTIFIED SOLUTION
btan

This solution is only available to members.
FWeston

ASKER

When the issue occurs after entering the passphrase the machine just sits at the BootGuard screen and doesn't do anything else.  I do not know if there are logs stored anywhere.  Next time it occurs I will try swapping to another machine to see if it boots.  For now I will award points since I no longer have a faulty machine available to try any of the troubleshooting steps.
FWeston

ASKER

Unable to test at this time.

I have run into the exact same problem with some new Dell E6410 laptops and PGP 9.6. 2 out of 11 had a problem.  I found updating the BIOS from version 4 to version 7 fixed the problem.  Might be worth a try before doing further troubleshooting of the hard drives.