Symantec PGP WDE Setting up Bypass Script for Remote Machines

IT

Symantec PGP WDE Setting up Bypass Script for Remote Machines

Security is always a concern for organizations especially when remote sites are involved. One of the ways this can be addressed is by using whole disk encryption (WDE). The big benefit of WDE is that prevents someone from gaining unauthorized access to sensitive data by pulling the hard drive out of a machine. For a program such as PGP, one item that comes with WDE is the something bootguard, which forces a user to enter in credentials to unlock the disk. For a network administrator, this can prove to be a challenge because it restricts network connectivity and can prevent access to the machine. However, PGP has an option to configure a bypass to get past the bootguard.

Scripting a PGP Bypass Script

The following below can be used in a batch file to create a bypass. Replace the word password with an administrative passphrase.

cd
cd "Program Files (x86)PGP CorporationPGP Desktop"
PGPwde.exe --add-bypass --admin-passphrase "password"
PAUSE

Note: The PAUSE at the end is to see whether the command successfully executed, otherwise the command prompt will close immediately after the command has been executed.

Once the bypass has been added, a Bypass user active will appear under the list of PGP users. 

As every organization’s security requirements are different, it is important take caution when saving any password in a plain text or whether the script being created can be accessed by other users.

In some cases, it might make sense to create a New Passphrase User that has access to bypass PGP, but does not have access to log on to the machine. 

This scenario may apply if you have users at a remote site that assist with logging into something like a remote domain controller on a regular basis, but should not have access to log on to the machine.

If your user does not have access to use the bypass script, an error 12198 will appear.

Prompting for a Password: PGP Bypass Script

Via a post by one of my colleagues, you can use the following code to prompt you for a password so a password will not be saved in a batch file as plaintext.

@ECHO OFF
SET /p PASSPHRASE="Enter Passphrase: " %=%
cd /d "%ProgramFiles(x86)%PGP CorporationPGP Desktop"
PGPwde.exe --add-bypass --admin-passphrase "%PASSPHRASE%"
PAUSE

Here is a screenshot showing what text to expect if the following set of commands is executed.

Additional Resources:

If you would like to find out more about Symantec PGP, visit https://www.symantec.com/whole-disk-encryption. 

Symantec’s documentation on creating a bypass: http://www.symantec.com/business/support/index?page=content&id=HOWTO42006

More About the Author

Ideen Jahanshahi

Solutions Architect
The InterWorks Approach to Great Consulting: Part 3 If you’ve been following along, you know that this blog miniseries is all about dissecting the shared traits that some of my most ...
The InterWorks Approach to Great Consulting: Part 2 At InterWorks, we pride ourselves on being unique and having a different take on work than other companies out there. A huge part of ...

See more from this author →

Subscribe to our newsletter

  • I understand that InterWorks will use the data provided for the purpose of communication and the administration my request. InterWorks will never disclose or sell any personal data except where required to do so by law. Finally, I understand that future communications related topics and events may be sent from InterWorks, but I can opt-out at any time.
  • This field is for validation purposes and should be left unchanged.

InterWorks uses cookies to allow us to better understand how the site is used. By continuing to use this site, you consent to this policy. Review Policy OK

×

Interworks GmbH
Ratinger Straße 9
40213 Düsseldorf
Germany
Geschäftsführer: Mel Stephenson

Kontaktaufnahme: markus@interworks.eu
Telefon: +49 (0)211 5408 5301

Amtsgericht Düsseldorf HRB 79752
UstldNr: DE 313 353 072