Security is always a concern for organizations, especially when remote sites are involved. One of the ways this can be addressed is by using whole disk encryption (WDE). The big benefit of WDE is that it prevents someone from gaining unauthorized access to sensitive data by pulling the hard drive out of a machine. For a product such as PGP, WDE comes with a pre-boot component called BootGuard, which forces a user to enter credentials before the disk is unlocked. For a network administrator this can prove to be a challenge, because a machine sitting at the BootGuard screen has no network connectivity and cannot be reached remotely. However, PGP has an option to configure a bypass to get past BootGuard.
Scripting a PGP Bypass
The following can be used in a batch file to create a bypass. Replace the word password with an administrative passphrase.
REM Change to the PGP Desktop install folder on a 64-bit Windows install
cd \
cd "Program Files (x86)\PGP Corporation\PGP Desktop"
REM Replace password with an administrative passphrase
PGPwde.exe --add-bypass --admin-passphrase "password"
PAUSE
Note: The PAUSE at the end lets you see whether the command executed successfully; otherwise the command prompt window closes immediately after the command runs.
Once the bypass has been added, an active Bypass user will appear in the list of PGP users.
As every organization's security requirements are different, it is important to take care when saving any password in plain text, and to consider whether the script being created can be accessed by other users.
In some cases, it might make sense to create a New Passphrase User that has access to bypass PGP but does not have access to log on to the machine.
This scenario may apply if you have users at a remote site who regularly assist with logging into something like a remote domain controller, but who should not have access to log on to the machine.
If your user does not have access to use the bypass script, error 12198 will appear.
Prompting for a Password: PGP Bypass Script
Via a post by one of my colleagues, you can use the following code to prompt for a password so that the password is not saved in the batch file as plaintext.
@ECHO OFF
REM Prompt for the passphrase at run time instead of storing it in the file
SET /p PASSPHRASE="Enter Passphrase: " %=%
REM /d switches drive as well as directory; the (x86) folder exists on 64-bit Windows
cd /d "%ProgramFiles(x86)%\PGP Corporation\PGP Desktop"
PGPwde.exe --add-bypass --admin-passphrase "%PASSPHRASE%"
PAUSE
Here is a screenshot showing what text to expect when the preceding set of commands is executed.
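The same procedure in PowerShell, as an added example that is not from the original post or from Symantec: the passphrase is read without being echoed to the screen, PGPwde.exe is called with the same two flags the post uses, the result is checked for the 12198 error the post mentions, and a line is written to an audit log. It assumes PGP Desktop is in its default folder, that the error is reported either as the exit code or in the output text, and the log path is an assumption.

```powershell
# Added example, not from the original post or from Symantec. Assumes PGP Desktop
# is installed in its default folder and that PGPwde.exe accepts the same flags the
# post uses; the log path below is an assumption. Run from an elevated prompt.

$base = ${env:ProgramFiles(x86)}
if (-not $base) { $base = $env:ProgramFiles }   # 32-bit Windows has no (x86) folder
$pgpWde = Join-Path $base 'PGP Corporation\PGP Desktop\PGPwde.exe'
if (-not (Test-Path $pgpWde)) {
    Write-Error "PGPwde.exe not found at $pgpWde"
    exit 1
}

# Read-Host -AsSecureString hides the typed characters; SET /p in a batch file echoes them.
$secure = Read-Host -Prompt 'Enter admin passphrase' -AsSecureString

# PGPwde.exe only takes the passphrase as a command-line argument, so it has to be
# decoded to plain text for the call. It lives only in $plain and is cleared in
# finally; while PGPwde runs it is still visible in that process's command line.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    $output = & $pgpWde --add-bypass --admin-passphrase $plain 2>&1 | Out-String
    $rc     = $LASTEXITCODE
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $plain = $null
}
Write-Host $output

# 12198 is the error the post says appears when the user may not use the bypass.
# Whether it surfaces as exit code or message text is assumed, so both are checked.
if ($rc -eq 12198 -or $output -match '\b12198\b') {
    Write-Warning 'Error 12198: this user is not permitted to add a bypass.'
} elseif ($rc -ne 0) {
    Write-Warning "PGPwde.exe exited with code $rc"
} else {
    Write-Host 'Bypass added; an active Bypass user should now be listed in PGP Desktop.'
}

# Audit trail: who added a bypass and when. The passphrase is never written to the log.
$entry = '{0} {1}\{2} add-bypass exit={3}' -f (Get-Date -Format s), $env:USERDOMAIN, $env:USERNAME, $rc
Add-Content -Path (Join-Path $env:ProgramData 'pgp-bypass.log') -Value $entry

Read-Host 'Press Enter to close' | Out-Null   # same purpose as PAUSE in the batch file
```

Because the tool only accepts the passphrase as an argument, hiding the prompt removes shoulder-surfing and plaintext-in-file exposure but not the brief command-line exposure while PGPwde.exe runs; restricting who can read and run the script, as the post advises, still matters.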
Additional Resources:
If you would like to find out more about Symantec PGP, visit https://www.symantec.com/whole-disk-encryption.
Symantec’s documentation on creating a bypass: http://www.symantec.com/business/support/index?page=content&id=HOWTO42006