Best practices for manually decrypting an encrypted hard disk with Drive Encryption

Environment

McAfee Drive Encryption (DE) 7.1.x

For details of DE 7.1.x supported environments, see KB79422.

Summary

Sometimes a fully encrypted disk cannot be decrypted using DETech, or an error occurs during the encryption/decryption process. The problem is often related to the hard disk having one or more bad sectors that cause DE to report an error.

NOTE: This article does not apply to Opal encrypted drives.

This article provides advice when the computer:
  • Cannot be decrypted using the Remove DE function on the DETech recovery tool.
  • Displays an error about corrupted sectors.
  • Displays an error about a broken MBR/PBFS/SBFS that emergency boot cannot fix.

Best practices for manually decrypting an encrypted hard disk:
  • The product specialists always recommend trying to remove DE before attempting a force decryption. A force decryption is the last-resort method for decrypting the hard drive.
  • The product specialists recommend that you defragment and run chkdsk before enabling DE Full Disk Encryption (FDE). These actions are a best practice before encrypting or decrypting a hard disk because they help avoid subsequent errors and potential loss of data.
  • For critical data, clone your hard disk to an identical piece of hardware. A sector-by-sector clone with no compression must be used to retain an exact replica of the disk.
    NOTE: This is also known as taking a RAW image.
  • Ensure that you can decrypt the data in the Workspace by loading the encrypted sectors. After you have verified that you can decrypt the disk, force decrypt the data by providing the start sector number and the range. Record the disk information used, in case you have to troubleshoot or contact Technical Support.
IMPORTANT:
  • McAfee is not responsible for data loss from a Force Decryption. The product team recommends that you always perform a sector level backup (RAW/CLONE) of the hard drive to avoid data loss. Examples of products to use for sector level backup are Paragon, Acronis, or Ghost.
     
    WARNING: If a sector level backup is not created and the process is unsuccessful, permanent loss of the data is possible.
      
  • The advice in this article requires a trained McAfee Encryption engineer. It is important for the engineer to specify the correct Start and End sectors to fully recover the data. When needed, contact Technical Support for assistance.

    To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
    • If you are a registered user, type your User Id and Password, and then click Log In.
    • If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.

Solution

Overview of the Force Decryption procedure

This article does not provide detailed steps, because the advice in it requires a trained McAfee Encryption engineer. It is important for the engineer to specify the correct Start and End sectors to fully recover the data. For this reason, contact Technical Support for assistance.
  1. Defragment and run chkdsk without any additional command-line switches to test the integrity of the HDD. For details about how to use chkdsk to verify disk integrity before encrypting or decrypting the hard disk, see KB69110.
  2. For critical data, clone your hard disk to an identical piece of hardware.
  3. Create a DETech Standalone bootable removable media. For instructions, see the DETech User Guide (PD24871).
  4. Boot the system from a DETech Standalone bootable recovery media and identify which disks are encrypted using Disk Information.
  5. Verify that the recovery key is correct by using Workspace and verify you can decrypt the data in the Workspace. For assistance with using Workspace, see the respective DETech User Guide for details.
  6. Load the start and end sector of each partition or disk and select Decrypt Workspace.
     
    NOTE:
     View the plain text on the right side of the Workspace. With the correct key it shows readable text, such as the disk read error message. If that text is not readable after decrypting the Workspace, the wrong key is in use.
     
  7. Click Force Crypt/Decrypt Sectors.
  8. Specify the start sector and sector count that need to be decrypted, and then click Decrypt.
     
    The process runs until it is complete. The display shows that it is encrypting the disk, because decryption runs the encryption algorithm in reverse.
     
    NOTE: You can only decrypt one partition at a time. If multiple partitions or disks are encrypted, you must repeat the process for each.
     
    IMPORTANT: If the Force Decryption fails, record the error you see and do not proceed to decrypt any further. Contact Technical Support immediately for the next steps.
      
  9. After the disk has been decrypted, click Restore MBR to restore the original MBR.
  10. Restart your computer and try to access the Windows desktop.
     
    After the process has finished, you can see the data on the hard disk.
     
    NOTE: If access to Windows fails, you must use typical data recovery methods to recover any data.
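Added example (not code from this article or from DETech): given the first sector read from the sector-level backup image the article recommends, this Python parses the MBR partition table to list each partition's start sector and sector count, the values step 8 asks for, and reports whether the sector carries the 0x55AA signature and readable boot-code text, the same readability check the Workspace note describes. It assumes a classic MBR layout (the article excludes Opal drives and does not cover GPT); the sample MBR is constructed.

```python
import struct

SECTOR = 512

def parse_mbr(sector0: bytes) -> dict:
    """Parse a classic MBR (first 512 bytes of a sector-level image).

    Returns the 0x55AA signature check, the readable boot-code strings found
    (a rough plaintext check when verifying the recovery key), and one entry per
    populated partition with the start LBA, sector count and inclusive end LBA.
    """
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    valid_sig = sector0[510:512] == b"\x55\xAA"
    # Boot code occupies bytes 0-445; printable runs of 8+ chars count as readable text.
    strings, run = [], b""
    for b in sector0[:446] + b"\x00":  # trailing NUL flushes the last run
        if 32 <= b < 127:
            run += bytes([b])
        else:
            if len(run) >= 8:
                strings.append(run.decode("ascii"))
            run = b""
    parts = []
    for i in range(4):
        # Entry: status(1) CHS start(3) type(1) CHS end(3) start LBA(4) sector count(4)
        status, ptype, start_lba, count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * i)
        if ptype == 0 or count == 0:
            continue  # empty slot
        parts.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "start_lba": start_lba,
            "sector_count": count,
            "end_lba": start_lba + count - 1,  # last sector of the partition
        })
    return {"valid_signature": valid_sig, "boot_strings": strings, "partitions": parts}

def build_sample_mbr() -> bytes:
    """Constructed sample MBR: two boot-code message strings, one NTFS partition
    starting at LBA 2048 spanning 204800 sectors, and the 0x55AA signature."""
    boot = b"\x00" * 64 + b"Missing operating system\x00Error loading operating system\x00"
    boot = boot.ljust(446, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return boot + entry + b"\x00" * 48 + b"\x55\xAA"

if __name__ == "__main__":
    print(parse_mbr(build_sample_mbr()))
```

A sector that is still ciphertext (or was decrypted with the wrong key) shows neither the signature nor readable strings, which is the cue to stop before forcing anything.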