Occasional Advisor
Roberto
Posts: 11
Registered: ‎Wed 23-Dec-2009
0
Accepted Solution

Remove Encryption - Safeguard Enterprise

Hi guys!!

 

I have the following scenario: a Windows XP Professional SP3 with the SGN client installed. I've made a policy for encryption of the c: and d: volumes. The encryption was set to use the machine key.

 

Question: I would like to know how we remove the encryption of the volumes. I've tried to change the policy to "No Encryption" but it didn't change anything. Is there any tool for booting and removing the encryption like in Safeguard Easy?

 

I really appreciate any help!!

 

Happy new year!!

 

Roberto

VIP
DSchwartzberg
Posts: 138
Registered: ‎Thu 10-Dec-2009

Re: Remove Encryption - Safeguard Enterprise

Hi Roberto,

 

Are you trying to access the encrypted drive for data recovery to re-image or do you want to keep the SGN Client installed but decrypt the drive?

 

  • To perform the former, it's as simple as plugging the drive into an already encrypted SGN Client, then assigning yourself the BOOT_<machine_name> key. After you sync up you should be able to see the encrypted drive; if not, then log out and log in to refresh your key-ring.
  • To perform the latter, it requires 2 policies to be set and 1 user action from the encrypted device.
      1. Make sure that in the SGN MC, in the Device Protection policy item, 'User may decrypt volume' is set to 'Yes'. If that is not already set to 'Yes', then you will need to change it to 'Yes' and perform a sync at the client you want to decrypt. You can run c:\>SGMCmdIntn.exe -s if you like.
      2. When the sync is done, go back into the SGN MC and to the Device Protection policy item. Now change the 'Media encryption mode' policy to 'No encryption'. Sync on the SGN Client again.
      3. Assuming this was all done properly and the sync completed successfully, you should then go to the Properties of your C: drive. There will be an Encryption tab.
      4. Within the Encryption tab settings you should see an option labelled 'Media encrypted' with a checkbox enabled. Uncheck the box, click Apply and watch your drive decrypt.

 

In the event that you are performing data recovery and neither of these suggestions works for you, please take a look through the Recovery Document found in this KB http://www.sophos.com/support/knowledgebase/article/108156.html.

 

Let us know your results so others can benefit from your experiences. Thanks in advance.

If a response provided a solution, please mark your question as solved. If others are helpful, show your appreciation by giving them Kudos.

Best Regards,

David A. Schwartzberg, CISSP
Security+, Network+, MCP
SG Enterprise Certified
Sr. Security Engineer - Team Lead

Follow me on Twitter @DSchwartzberg

For our other self-service and peer-to-peer online support systems:
Occasional Advisor
Roberto
Posts: 11
Registered: ‎Wed 23-Dec-2009
0

Re: Remove Encryption - Safeguard Enterprise

Hi David!

I would like to thank you for your attention, in advance. I've tried the second solution (the first one I've already tried) and it worked very well in my virtual lab!!!! (Thank you for the tips!)

But I need to test at my client's network. He has 100 licenses of the Management Interface plus 100 licenses of the Device Encryption. He decided not to use the POA, so after the notebook powers on, it goes directly to the Windows logon. He uses his notebooks with the c:\ volume encrypted (system) and an e:\ volume (users' files) also encrypted. He said that is enough for him. We decided to use the Machine Key for encryption to simplify his management.

As we are having troubles with some hardware (we are having some issues with Dell notebooks), sometimes he needs to slave a hard drive to copy the users' personal files (the e:\ volume), because it's common for Windows to crash.

My client also has some Safeguard Easy licenses and he asked me if there is any solution, like in Easy, to boot through a BOOT CD and remove the encryption (I hope that explains my post). Is it possible? The Challenge Response process to obtain access to the disk is great, but it would be very interesting if we could also export the key through the Management Console, add this key to the boot CD and then remove the encryption.

I would like to thank you for your fast support, and sorry for my bad English.

p.s.: I'll test at my client's environment and I'll post the feedback!!

Best Regards,
Roberto Bruno Neto
Security+, MCSA

VIP
DSchwartzberg
Posts: 138
Registered: ‎Thu 10-Dec-2009
0

Re: Remove Encryption - Safeguard Enterprise

Thank you Roberto, my pleasure to help.


 


Roberto wrote:
  My client also has some Safeguard Easy licenses and he asked me if there is any solution, like in Easy, to boot through a BOOT CD and remove the encryption (I hope that explains my post). Is it possible?


 

 

While the SGE decryption option is handy when needing to perform data recovery, when it comes to SGN it really isn't needed anymore. Unless you have another reason for removing the encryption, in which case it would be very helpful if you posted it so we can give you the best response.

 

There are a few ways to perform data recovery with SGN. If you use drive slaving then that method will give you quick access to the protected data without removing the protection. Two benefits are saved time and maintaining the protection.

 

Another way to recover data is using the WinPE 2.0 disc with the SGN drivers and libraries. Since you mentioned you are looking for another method than the C/R to access the encrypted disk, try using the WinPE recovery disc with POA authentication. Take a look at this KB Article for details on how to execute the recovery process: KBA #108555

 

What that KBA overlooks is the situation when POA is disabled. During the boot process, when the display reads that the auto user is logging in or please wait for auto logon, hit the F2 key. That will bring POA up and then log in.

 

Happy holidays!!!

 

 

 

 

 

Occasional Visitor
prasad_bhave
Posts: 1
Registered: ‎Tue 19-Jan-2010
0

Re: Remove Encryption - Safeguard Enterprise

David,

 

I have a similar situation. I have SafeGuard Enterprise installed on my laptop (about 2 weeks back). However, my Windows got corrupted, and since the drive is encrypted, I am unable to recover any data from the drive. For now my IT support group has provided me with a new hard drive. Can you please tell me how I can go about recovering the data? The IT support group has installed SafeGuard Enterprise on my laptop; however, when I log into it using my corporate username and password, I am still not allowed to access the old hard drive.

 

Please help.

 

Thanks a lot!

Prasad Bhave

VIP
DSchwartzberg
Posts: 138
Registered: ‎Thu 10-Dec-2009
0

Re: Remove Encryption - Safeguard Enterprise

 


prasad_bhave wrote:

David,

 

I have a similar situation. I have SafeGuard Enterprise installed on my laptop (about 2 weeks back). However, my Windows got corrupted, and since the drive is encrypted, I am unable to recover any data from the drive. For now my IT support group has provided me with a new hard drive. Can you please tell me how I can go about recovering the data? The IT support group has installed SafeGuard Enterprise on my laptop; however, when I log into it using my corporate username and password, I am still not allowed to access the old hard drive.

 

Please help.

 

Thanks a lot!

Prasad Bhave


 

 

Hi Prasad,

 

If I am reading your post correctly, then you are a non-IT staff employee at your company. It also sounds like you had an issue with your hard drive, IT gave you a new one and you want to read the data from the old encrypted drive. Correct?

 

Your IT Support group needs to give you access to the BOOT_<machine.name> key so you can read the encrypted drive. If you do not have access to the Management Center there isn't much more I can guide you to do other than to contact your IT Support Group and have them read this discussion.

 

Thanks for your question and I hope you are able to get to your data with the help of your IT Support Group.

VIP
ssij
Posts: 77
Registered: ‎Fri 12-Mar-2010
0

Re: Remove Encryption - Safeguard Enterprise

David,

 

Is it possible to push out decryption via policy, without user intervention (much like you can push out encryption this way)?

VIP
DSchwartzberg
Posts: 138
Registered: ‎Thu 10-Dec-2009
0

Re: Remove Encryption - Safeguard Enterprise

Hi ssij,

 

Thank you for stopping by the SophosTalk community forum and posting your question.

 

You can configure the existing security policies or create a separate policy to decrypt a volume. Three things need to happen in order to get the volume decrypting:

 

  1. A Device Protection policy needs to be configured for the User to be able to decrypt. Make sure it's synch'ed to the User before Step 2.
  2. Change the same Device Protection encryption policy from 'Volume Based' to 'No encryption'. Synch this up to the Computer before Step 3.
  3. On the workstation you want to decrypt, go to My Computer which displays the drive letters and icons. Right-click on the volume you want to decrypt. Click on the 'Encryption' tab added by SGN. The 'Media encrypted' check box should now be enabled. Unselect the checkbox, click 'OK' or 'Apply' and watch the drive decrypt.

The important components to note here are that you are first enabling a User to remove encryption without removing the SGN Client software. This is a User based policy. Second, changing the policy to 'No encryption' is a Computer based policy which can be applied to Computers and Users in a 'Decryption' group. Last is the action taken to remove the encryption. If your question is asking whether you can change a security policy and remove encryption without any User action, that is lower security and increases an organization's risk of being non-compliant.

 

I don't believe that anyone reading this post would want to come into work one day and hear that everyone's computers are decrypting or have already been decrypted. Yikes!! After you change the security policy back to 'Volume based' encryption, make sure you are checking the classified ads for a new career.

VIP
ssij
Posts: 77
Registered: ‎Fri 12-Mar-2010
0

Re: Remove Encryption - Safeguard Enterprise

 


DSchwartzberg wrote:
On the workstation you want to decrypt, go to My Computer which displays the drive letters and icons. Right-click on the volume you want to decrypt. Click on the 'Encryption' tab added by SGN. The 'Media encrypted' check box should now be enabled. Unselect the checkbox, click 'OK' or 'Apply' and watch the drive decrypt.

 

Dave,

 

Step 3 in your explanation has to be done by either the user or administrator while they are physically sitting in front of the machine.  What I was curious about was whether or not this can be done by the server without any intervention by a user or administrator.

 

VIP
DSchwartzberg
Posts: 138
Registered: ‎Thu 10-Dec-2009
0

Re: Remove Encryption - Safeguard Enterprise

Hi ssij,

 

SGN is designed to only allow decryption with some user or administrative action. If you need to reimage a device, then there is no need to decrypt beforehand. Actually, it's most secure to leave the encryption and reimage on top of the disk, followed by encryption. If you are decrypting but want to leave the SGN Client on the device, then the method described previously is the best course of action.

 

Can you please help me understand why you need to remove the encryption?
