The PGP Whole Disk Encryption (WDE) tools have a command line interface for both OS X and Windows. The options are mostly the same across the two. We’ll focus on two for the purposes of this little article: the first is --list-user and the second is --change-passphrase, although there are a number of other options. A general breakdown of the options includes the following:
- --enum – show the disks available
- --disk-status – show the encryption status of the disk indicated with the --disk option
- --stop – stop the encryption or decryption process on a --disk, using --passphrase
- --instrument – Install BootGuard using the --disk option followed by the number of the disk
- --uninstrument – Remove BootGuard using the --disk option followed by the number of the disk
- --add-user – Add a PGP user (include a user name, followed by --passphrase and the passphrase, as well as --disk and the number of the disk)
- --change-passphrase – Change the passphrase on a --disk for the user specified with -u (on a --domain, where applicable), with -i to make it interactive; a --recovery-token can be supplied in place of the current passphrase if you don’t have it
- --list-user – List the PGP users with access to a --disk
- --encrypt – Manually enable encryption on a --disk using a --passphrase
- --decrypt – Disable encryption by decrypting the disk at --disk using a --passphrase
- --recover – allow a user to recover a --disk when BootGuard is unavailable, using the --passphrase
So let’s put these in motion. First, let’s just look at all the disks available using the --enum option:
pgpwde --enum
OK, so disk 0 is my only volume and it’s bootable. Nothing has been encrypted yet. So let’s confirm by looking at --disk-status:
pgpwde --disk-status --disk 0
Now, let’s see who’s got access to that disk:
pgpwde --list-user --disk 0
Then, let’s enable BootGuard on our volume:
pgpwde --instrument --disk 0
And then add user cedge to be able to unlock that volume, with a passphrase of krypted:
pgpwde --add-user cedge --passphrase krypted --disk 0
And then let’s encrypt it:
pgpwde --encrypt --passphrase krypted --disk 0
And finally, to change the password of that cedge account to something more secure:
pgpwde --change-passphrase --disk 0 -u cedge --passphrase krypted --new-passphrase '!Ab@nK$Ru13z'
To make scripting this a bit easier, you can also skip the --passphrase option entirely (you might not know the current passphrase, since passphrases aren’t typically reversible) and use the --recovery-token option instead (assuming you have a token).
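The enrolment sequence above (instrument, add-user, encrypt) and the passphrase change, wrapped into a POSIX sh script as an added example that is not from the original article or from PGP’s own tooling. It validates the disk number and passphrase length before anything reaches pgpwde, stops at the first failing step, and for a passphrase change takes either the current passphrase or a --recovery-token. It assumes pgpwde is on PATH and accepts the options exactly as listed here; the PGPWDE override, MIN_LEN and read_passphrase are my additions.

```shell
# Added example, not from the article: wrapper around pgpwde for the steps above.
# Assumes pgpwde is on PATH and takes the options exactly as listed on this page.
# PGPWDE is a hypothetical override so the wrapper can be exercised with a stub.
PGPWDE="${PGPWDE:-pgpwde}"
MIN_LEN=12   # minimum passphrase length enforced here (policy knob, my assumption)
# Accept only a non-negative integer, i.e. a disk number as printed by --enum.
is_disk_number() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Reject empty or short passphrases before anything reaches pgpwde.
passphrase_ok() {
    [ "${#1}" -ge "$MIN_LEN" ]
}

# Prompt with echo off so the passphrase stays out of shell history (pgpwde still gets it via --passphrase).
read_passphrase() {
    printf 'Passphrase for %s: ' "$1" >&2
    stty -echo 2>/dev/null; read -r pass; stty echo 2>/dev/null; printf '\n' >&2
    printf '%s' "$pass"
}

# instrument -> add-user -> encrypt on one disk, stopping at the first failure.
wde_enrol() {
    disk=$1 user=$2 pass=$3
    is_disk_number "$disk" || { echo "invalid disk number: $disk" >&2; return 2; }
    [ -n "$user" ] || { echo "missing user name" >&2; return 2; }
    passphrase_ok "$pass" || { echo "passphrase shorter than $MIN_LEN characters" >&2; return 3; }
    "$PGPWDE" --instrument --disk "$disk" || return $?
    "$PGPWDE" --add-user "$user" --passphrase "$pass" --disk "$disk" || return $?
    "$PGPWDE" --encrypt --passphrase "$pass" --disk "$disk"
}
# Change a user's passphrase; with no current passphrase, fall back to a recovery token.
wde_change_passphrase() {
    disk=$1 user=$2 old=$3 new=$4 token=$5
    is_disk_number "$disk" || { echo "invalid disk number: $disk" >&2; return 2; }
    passphrase_ok "$new" || { echo "new passphrase shorter than $MIN_LEN characters" >&2; return 3; }
    if [ -n "$old" ]; then
        "$PGPWDE" --change-passphrase --disk "$disk" -u "$user" --passphrase "$old" --new-passphrase "$new"
    elif [ -n "$token" ]; then
        "$PGPWDE" --change-passphrase --disk "$disk" -u "$user" --recovery-token "$token" --new-passphrase "$new"
    else
        echo "need the current passphrase or a recovery token" >&2; return 2
    fi
}
```

Source the file and call, for instance, `wde_enrol 0 cedge "$(read_passphrase cedge)"`; the return code is 2 for bad input, 3 for a short passphrase, otherwise pgpwde’s own exit status.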
Note: No passwords were hurt in the writing of this article.