Symantec Encryption Product Community


Recovery Token - Symantec Encryption Desktop - Corporate version 10.3.1

  • 1.  Recovery Token - Symantec Encryption Desktop - Corporate version 10.3.1

    Posted Jan 13, 2014 02:59 PM

    How do you disable OR (NOTE --OR--) prevent the program from creating a recovery token that could be accessed by a third party in the event of a lost laptop?

    In essence, we want the passphrase solely to be in control, per se.

    If this is not available in the above product, in which product would you be able to disable the recovery token?

    This token scheme is A SECURITY RISK.

    Best regards.

    -Tim

    RE:

    Symantec Encryption Desktop - Corporate version 10.3.1
    Build 13100
    OS: Windows 8.1



  • 2.  RE: Recovery Token - Symantec Encryption Desktop - Corporate version 10.3.1

    Posted Jan 13, 2014 03:16 PM

    You can prevent Whole Disk Recovery Tokens from being created on a managed client by simply unchecking "Enable Whole Disk Recovery Tokens" in the policy your user receives.  By default this is unchecked.

    Please note that a Whole Disk Recovery Token is simply a complex 28 character passphrase, which is likely longer than your actual user passphrases.  It is not a security risk any more than any other password is.



  • 3.  RE: Recovery Token - Symantec Encryption Desktop - Corporate version 10.3.1

    Posted Jan 13, 2014 03:22 PM

    Where in the program is this option? I didn't see it.

    This is for Symantec Encryption Desktop - Corporate version 10.3.1 for Windows 8?

    Would I have to re-encrypt the drive?

     

    Please respond to EACH question.





  • 5.  RE: Recovery Token - Symantec Encryption Desktop - Corporate version 10.3.1

    Posted Jan 13, 2014 03:52 PM

    HELP?????????????????????????????????????????????????????????



  • 6.  RE: Recovery Token - Symantec Encryption Desktop - Corporate version 10.3.1

    Posted Jan 13, 2014 04:32 PM

    If this is a *managed* client, it is reporting to a Symantec Encryption Management Server.  In the server interface is where you can change the policy to control this.  Changing this option would not require re-encrypting the disk.

    However, it sounds like you may be using a stand-alone (unmanaged) client without a server to manage it.  In stand-alone configuration, the whole disk recovery token is always created. 



  • 7.  RE: Recovery Token - Symantec Encryption Desktop - Corporate version 10.3.1

    Posted Jan 13, 2014 05:17 PM

    This is a security risk, is it not? If the laptop lands in the hands of a third party, they just have to come to Symantec via the ID at the passphrase boot window, and then the third party has access to the encryption. Is this not true? Why or why not?

    It defeats the purpose of the entire encryption in the first place, it seems.



  • 8.  RE: Recovery Token - Symantec Encryption Desktop - Corporate version 10.3.1

    Broadcom Employee
    Posted Jan 14, 2014 10:26 AM

    Hi Aegis,

    This WDRT is NOT sent to Symantec, but to your company server (SEMS) if it exists.
    It is a business decision of your company to have this option enabled or disabled.
    Many companies like to have an option to regain access to encrypted machines when their users don't remember their passphrases anymore.

    It is also possible to define Local Self Recovery Security Questions to regain access to the machine.
    See for instance: Cannot Create Local Self Recovery Security Questions - PGP WDE - TECH149803.

    If users don't have any of these options configured, in the event of forgetting passphrases (especially after vacations...) there is no way to access the contents of encrypted disks again.

    In a similar way it is possible to lock the drive after a certain number of incorrect attempts, but as soon as the drive is locked there is no way to access the contents of encrypted disks again.

    The balance should be found according to the particular needs of each environment.
    The decision is up to the administrator of the environment.

    Support won't be able to help regain access to a locked disk or to encrypted contents, because there is simply no way to do it.

    It is up to you to define whether it represents a risk or not.
    There is the risk of the information dropping into the wrong hands, but there is also the risk of losing access to data. Which is more important to you?

    Which one is easier to guess? Your passphrase or a machine-generated token?

     

    Hope this helps,
    dcats



  • 9.  RE: Recovery Token - Symantec Encryption Desktop - Corporate version 10.3.1

    Posted Jan 15, 2014 02:49 PM

    There is also possible to define Local Self Recovery Security Questions to regain access to the machine.
    See for instance: Cannot Create Local Self Recovery Security Questions - PGP WDE - TECH149803.

     

    We take this as, and after reading the above tech "report", UNLESS specifically defined by the end user, this option IS NOT enabled?

    In a similar way it is possible to lock the drive after a certain number of incorrect attempts, but as soon as the drive is locked there is no way to access again the contents of encrypted disks.

    Do you have to have the Encryption Management Server addition to do this?



  • 10.  RE: Recovery Token - Symantec Encryption Desktop - Corporate version 10.3.1

    Broadcom Employee
    Posted Jan 16, 2014 11:51 AM

    Hi Aegis,

    Correct, these "Local Self Recovery Security Questions" are only present if configured by the user.
    They can be defined in the SED client, PGP Disk tab > select the disk and click the button "Add Security Questions...", otherwise they won't be there.

    The WDRT displayed before the encryption starts should be kept in a safe, to access the disk later in case you have issues with the passphrase.

    I'm trying to find out if this option of locking the drive after a certain number of incorrect login attempts is also available or not for standalone clients.

    Rgs,
    dcats



  • 11.  RE: Recovery Token - Symantec Encryption Desktop - Corporate version 10.3.1

    Posted Feb 09, 2014 09:16 PM

    Please see:

    https://www-secure.symantec.com/connect/forums/asap-symantec-encryption-server-installation-asap

     

    How do you install this? And the questions posted above.



  • 12.  RE: Recovery Token - Symantec Encryption Desktop - Corporate version 10.3.1

    Broadcom Employee
    Posted Feb 10, 2014 05:49 AM

    Hi Aegis,

    Apologies for the delay.
    I attempted a manual "workaround", but it was not successful.
    I haven't found a way to configure the lock of the hard drive for standalone clients. I guess it was not made to work that way.

    Rgs,
    dcats



  • 13.  RE: Recovery Token - Symantec Encryption Desktop - Corporate version 10.3.1

    Broadcom Employee
    Posted Feb 10, 2014 05:53 AM

    Hi Aegis,

    The questions were answered in that thread you posted.
    Regarding the installation, you will need to take some time to plan it.

    For instance:

    Check the Certified Hardware List (in the release notes).
    Symantec Encryption Management Server 3.3.2 Release Notes - DOC7056

    Symantec Encryption Management Server Certified Hardware List* - TECH149007

    * If you install in VMware ESXi, you'll need to install the VMware tools
    Installing Native VMware ESX/ESXi/vSphere Tools on Symantec Encryption Management Server - TECH176852


    Plan the deployment: Symantec Encryption Management Server 3.3.2 Installation Guide - DOC7067

    And then: Symantec Encryption Management Server 3.3.2 Administrator's Guide - DOC7069


    Rgs,
    dcats



  • 14.  RE: Recovery Token - Symantec Encryption Desktop - Corporate version 10.3.1

    Posted Feb 10, 2014 02:32 PM

    I responded here:

    https://www-secure.symantec.com/connect/forums/asap-symantec-encryption-server-installation-asap