Tiny Deathstars of Foulness

The PGP Whole Disk Encryption (WDE) tools have a command line interface for both OS X and Windows. The options are mostly the same across the two. We'll focus on two for the purposes of this little article: the first is --list-user and the second is --change-passphrase, although there are a number of other options. A general breakdown of the options includes the following:
  • --enum – show the disks available
  • --disk-status – show the encryption status of the disk indicated with the --disk option
  • --stop – stop the encryption or decryption process of a --disk using --passphrase
  • --instrument – install BootGuard using the --disk option followed by the number of the disk
  • --uninstrument – remove BootGuard using the --disk option followed by the number of the disk
  • --add-user – add a PGP user (include a user name followed by --passphrase and the passphrase, as well as --disk and the number of the disk)
  • --change-passphrase – change the password on --disk for the user specified with -u on --domain, with -i to make it interactive (with an option to include a --recovery-token if you don't have the password)
  • --list-user – list the PGP users with access to a --disk
  • --encrypt – manually enable encryption on a --disk using a --passphrase
  • --decrypt – disable encryption by decrypting the disk at --disk using a --passphrase
  • --recover – allow a user to recover a --disk when BootGuard is unavailable, using the --passphrase
So let's put these in motion. First, let's just look at all the disks available using the --enum option:

pgpwde --enum

OK, so disk 0 is my only volume and it's bootable. Nothing has been encrypted yet. So let's confirm by looking at --disk-status:

pgpwde --disk-status --disk 0

Now, let's see who's got access to that disk:

pgpwde --list-user --disk 0

Then, let's enable BootGuard on our volume:

pgpwde --instrument --disk 0

And then add user cedge to be able to unlock that volume, with a passphrase of krypted:

pgpwde --add-user cedge --passphrase krypted --disk 0

And then let's encrypt it:

pgpwde --encrypt --passphrase krypted --disk 0

And finally, to change the password of that cedge account to something more secure:

pgpwde --change-passphrase --disk 0 -u cedge --passphrase krypted --new-passphrase "!Ab@nK$Ru13z"

To make scripting this a bit easier, you can also skip the --passphrase option entirely (you might not know the current passphrase, since passphrases aren't stored reversibly) and use the --recovery-token option instead, assuming you have a token. Note: No passwords were hurt in the writing of this article.
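The sequence above, wrapped in a small POSIX shell script as an added example (this is not code from the original post or from PGP): each step aborts the run if pgpwde returns non-zero, so a failed --instrument never proceeds to --add-user or --encrypt. It assumes pgpwde is on PATH, and the disk number, user name and passphrase it is called with are constructed sample values. It defaults to a dry run that only prints the command lines; set DRY_RUN=0 to execute them. Note that anything passed via --passphrase is visible in process listings and shell history for as long as the command runs, which is why the passphrase rotation step uses the -i interactive form mentioned above instead of --new-passphrase.

```shell
#!/bin/sh
# Added example, not from the original post. Drives the pgpwde steps from the
# article in order and stops at the first failure.
# Assumptions: pgpwde is on PATH (override with PGPWDE=/path/to/pgpwde);
# DRY_RUN=1 (the default) prints each command instead of running it.

PGPWDE="${PGPWDE:-pgpwde}"
DRY_RUN="${DRY_RUN:-1}"

# run_step CMD ARGS...: print the command in dry-run mode, otherwise execute it
# and abort the whole script if it fails.
run_step() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@" || { echo "step failed: $1 $2" >&2; exit 1; }
  fi
}

# enable_wde DISK USER PASSPHRASE
# Checks the disk, lists current users, installs BootGuard, adds the user,
# then starts encryption. Mirrors the manual sequence in the article.
enable_wde() {
  disk="$1"; user="$2"; pass="$3"
  run_step "$PGPWDE" --disk-status --disk "$disk"
  run_step "$PGPWDE" --list-user --disk "$disk"
  run_step "$PGPWDE" --instrument --disk "$disk"
  run_step "$PGPWDE" --add-user "$user" --passphrase "$pass" --disk "$disk"
  run_step "$PGPWDE" --encrypt --passphrase "$pass" --disk "$disk"
}

# rotate_passphrase DISK USER
# Uses the -i interactive option the article describes, so neither the old
# nor the new passphrase lands on the command line.
rotate_passphrase() {
  disk="$1"; user="$2"
  run_step "$PGPWDE" --change-passphrase --disk "$disk" -u "$user" -i
}

# Usage (constructed sample values): dry-run the whole sequence for disk 0.
# enable_wde 0 cedge krypted
# rotate_passphrase 0 cedge
```

Run it once with the default DRY_RUN=1 to review the exact command lines it would issue, then re-run with DRY_RUN=0 on the target machine.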

February 14th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Windows XP
