
Scripting PGP Whole Disk Encryption On A Mac (or Windows, really)

The PGP Whole Disk Encryption (WDE) tools have a command line interface on both OS X and Windows, and the options are mostly the same across the two. We’ll focus on two of them for the purposes of this little article, --list-user and --change-passphrase, although there are a number of other options. A general breakdown of the options includes the following:

  • --enum – show the disks available
  • --disk-status – show the encryption status of the disk indicated with the --disk option
  • --stop – stop the encryption or decryption process of a --disk using --passphrase
  • --instrument – install BootGuard using the --disk option followed by the number of the disk
  • --uninstrument – remove BootGuard using the --disk option followed by the number of the disk
  • --add-user – add a PGP user (include a user name followed by --passphrase and the passphrase, as well as --disk and the number of the disk)
  • --change-passphrase – change the passphrase on --disk for the user specified with -u on --domain, with -i to make it interactive (with an option to use a --recovery-token if you don’t have the current passphrase)
  • --list-user – list the PGP users with access to a --disk
  • --encrypt – manually enable encryption on a --disk using a --passphrase
  • --decrypt – disable encryption by decrypting the disk at --disk using a --passphrase
  • --recover – allow a user to recover a --disk when BootGuard is unavailable using the --passphrase

So let’s put these in motion. First, let’s just look at all the disks available using the --enum option:

pgpwde --enum

OK, so disk 0 is my only volume and it’s bootable. Nothing has been encrypted yet. So let’s confirm by looking at --disk-status:

pgpwde --disk-status --disk 0

Now, let’s see who’s got access to that disk:

pgpwde --list-user --disk 0

Then, let’s enable BootGuard on our volume:

pgpwde --instrument --disk 0

And then add user cedge to be able to unlock that volume, with a passphrase of krypted:

pgpwde --add-user cedge --passphrase krypted --disk 0

And then let’s encrypt it:

pgpwde --encrypt --passphrase krypted --disk 0

And finally, to change the password of that cedge account to something more secure. Note the single quotes around the new passphrase: inside double quotes the shell would expand $Ru13z as an (empty) variable and, in an interactive bash session, treat the leading ! as history expansion, so pgpwde would receive a different passphrase than the one you typed:

pgpwde --change-passphrase --disk 0 -u cedge --passphrase krypted --new-passphrase '!Ab@nK$Ru13z'

To make scripting this a bit easier, you can also skip the --passphrase option entirely and use the --recovery-token option instead (assuming you have a token). This matters because you often won’t know the current passphrase: stored passphrases aren’t typically reversible, so there is no way to look one up.
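The whole sequence above (status check, instrument, add-user, encrypt, then a passphrase rotation) as a single script. This is an added example, not code from the original article or from PGP; it assumes pgpwde is on the PATH or named in $PGPWDE, and that a user name shows up verbatim in --list-user output (used to make the add-user step idempotent). Passphrases and the recovery token are taken from environment variables rather than typed inline, which keeps them out of shell history and, as the quoting point above shows, stops the shell from mangling characters like $ and !; they are still visible in the process list while pgpwde runs, which is a limitation of the CLI itself.

```shell
#!/bin/sh
# Added example (not from the original post): the pgpwde steps from the
# article driven by a script. Assumes pgpwde is on PATH or named in $PGPWDE,
# and that a user name appears verbatim in --list-user output.
# Secrets come from environment variables, never inline literals, so shell
# history does not record them and characters like $ and ! reach pgpwde intact.
set -eu

PGPWDE="${PGPWDE:-pgpwde}"
DISK="${DISK:-0}"

# Every step goes through this wrapper so a failing step stops the procedure.
wde() {
    "$PGPWDE" "$@" || { echo "pgpwde $1 failed on disk $DISK" >&2; return 1; }
}

# Succeeds when $1 already has access to $DISK (assumes the name is listed verbatim).
user_exists() {
    wde --list-user --disk "$DISK" | grep -qF -- "$1"
}

# Instrument, add the user and start encryption; the add-user step is skipped
# when the user is already present so the script can be re-run safely.
enroll_disk() {
    user="$1"
    [ -n "${WDE_PASSPHRASE:-}" ] || { echo "WDE_PASSPHRASE must be set" >&2; return 1; }
    wde --disk-status --disk "$DISK"
    wde --instrument --disk "$DISK"
    if user_exists "$user"; then
        echo "user $user already present on disk $DISK, skipping add-user" >&2
    else
        wde --add-user "$user" --passphrase "$WDE_PASSPHRASE" --disk "$DISK"
    fi
    wde --encrypt --passphrase "$WDE_PASSPHRASE" --disk "$DISK"
}

# Rotate $1's passphrase. Passing "$WDE_NEW_PASSPHRASE" as a variable keeps a
# value such as !Ab@nK$Ru13z intact, where an inline "..." literal would lose $Ru13z.
# When the current passphrase is unknown, falls back to --recovery-token (syntax
# assumed from the option list in the article).
rotate_passphrase() {
    user="$1"
    [ -n "${WDE_NEW_PASSPHRASE:-}" ] || { echo "WDE_NEW_PASSPHRASE must be set" >&2; return 1; }
    if [ -n "${WDE_PASSPHRASE:-}" ]; then
        wde --change-passphrase --disk "$DISK" -u "$user" \
            --passphrase "$WDE_PASSPHRASE" --new-passphrase "$WDE_NEW_PASSPHRASE"
    elif [ -n "${WDE_RECOVERY_TOKEN:-}" ]; then
        wde --change-passphrase --disk "$DISK" -u "$user" \
            --recovery-token "$WDE_RECOVERY_TOKEN" --new-passphrase "$WDE_NEW_PASSPHRASE"
    else
        echo "set WDE_PASSPHRASE or WDE_RECOVERY_TOKEN" >&2
        return 1
    fi
}

# Usage: WDE_PASSPHRASE=... ./wde.sh enroll cedge
#        WDE_PASSPHRASE=... WDE_NEW_PASSPHRASE=... ./wde.sh rotate cedge
case "${1:-}" in
    enroll) enroll_disk "$2" ;;
    rotate) rotate_passphrase "$2" ;;
esac
```

Because the wrapper reads $PGPWDE at call time, the same script can be dry-run against a stub command that only logs its arguments before it is pointed at the real binary on a deployment image.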

Note: No passwords were hurt in the writing of this article.