12-27-2013 09:21 AM
Hi there!
Searched the forums and realized now that my problem is not unique.
Our company policy was, until now, to use HP-PT and have our HDDs encrypted.
For 2 years it started up fine and gave me no issue until my Windows did not start as expected.
(The reason for Windows not starting is a mix of me shifting from domain to local coupled with a Windows bug regarding some services.)
In short: all passwords work and Windows 7 64 starts but kicks me out some way into the login sequence.
Since I cannot start Windows on the encrypted HDD I cannot decrypt the drive ....
Since the drive is encrypted it cannot be read from outside
Since HP ProtectTools, started from an external Win 7 HDD, cannot see that the drive is encrypted either
Since all of this I am totally stuck.
It really sucks that although we have all passwords accessible, saved them on USB sticks and have them in mind, we cannot reach the data.
I just read about some safeBoot tool that is not HP supported that might work, and I will read more about this during some short days of holiday now between Christmas and 2014-01-01.
Still I wonder... is there no HP tool that can decrypt the drive when we have all keys necessary??
Re: Another one bites the dust using HP ProtectTools
01-16-2014 05:01 AM
My colleague found the help while using Google search
Steps to Retrieve Data Encrypted with 2011 Drive Encryption for ProtectTools (vers. 6.x)
If the computer system does not boot, and displays a message similar to “McAfee Endpoint Encryption. Fatal Error: [0xEE020002]” or “pePC has been corrupted – ERROR 92h” on a hard drive encrypted with 2011 Drive Encryption for ProtectTools, there is a tool that can be used to attempt to retrieve data from the hard drive.
DiskTech 2011 tool is provided “As Is” by Hewlett Packard Company and McAfee, Inc. Neither Hewlett Packard nor McAfee provide any warranties either explicit or implied that any encrypted files can be retrieved using DiskTech 2011 or any other tool.
Prior to encrypting any data, the user is advised to utilize backup utilities and perform frequent backups of their data to secure media.
You must have access to the backup encryption key (.dat file typically saved to a USB) and have the DiskTech2011.iso (ftp://ftp.hp.com/pub/caps-softpaq/TCE&Q/DiskTech2011.iso) burned to a CD.
- Before attempting to boot from the DiskTech 2011 CD, you will need to go into the notebook BIOS and temporarily switch the drive controller to IDE mode (F10>System Configuration>Device Configurations>SATA Device Mode). You will be asked to confirm this change to the Drive Controller; click the Confirm button to do so. A blue screen error (BSOD) will occur during boot if the drive controller is set to any value other than IDE.
- Boot from the CD. Make sure the USB key containing your recovery key and any other external USB storage devices are attached to a USB 2.0 port (not USB SS port) before powering on.
- After booting, select whether or not to start network support (probably no for most users).
- Click "Go" at bottom left.
- Select Programs>McAfee EETech.
- Click "HP".
- Navigate to the recovery key on your USB key. Select "Open". (If the encrypted drive is not mountable, it is here where you will usually receive an error)
- The drive should now be mounted. You can leave the Authentication window open.
- Click "Go".
- Select Programs>A43 File Management Utility.
- You should now be able to access the files on your drive and move them to an external device.
- When finished, don't forget to go back into the BIOS and change the controller back to AHCI mode.
The files on the hard drive are still encrypted when this retrieval process is completed, and you will not be able to boot from this hard drive unless it is rebuilt. You may choose to store the hard drive in a secure location for future access to the files remaining on it. The files on the hard drive will not be accessible except through the DiskTech 2011 tool.
You may choose to rebuild the operating system on the computer using OEM disks, or entering the HP Recovery Manager by pressing the F11 key during the boot process (if the recovery partition remains on the machine).
- If the hard drive is formatted (by HP Recovery Manager or using the Quick Format feature on the OEM setup disks), all files on the hard drive will be wiped, and will no longer be accessible through any method.
If the data cannot be retrieved using the DiskTech 2011 tool, you may send your system to Hewlett Packard. HP may be able to retrieve the data through more intense data retrieval methods. However, HP cannot guarantee that any data can be retrieved from the hard drive. You must contact HP Support for instructions to ship your system.
12-27-2013 10:02 AM
Hi, if the HDD is encrypted and you have the keys to decrypt it, you will first have to decrypt the drive in order to read the drive somewhere else.
12-27-2013 01:05 PM
Can't understand your answer at all... Talk to the IT department...
Don't you think they are involved???
They are doing their best but without any answer from HP.
Even though all of my code is checked in on our servers, there are many different scripts etc. that I have developed over the last two years. They are very valuable for me, and for the company, since they shorten the development time in general.
We are all trying to find an answer, without any luck.
Is McAfee Endpoint Protection encryption compatible with HP encryption ??
12-27-2013 08:15 PM
I'm not into encrypting my HDD, especially using proprietary Windows-only tools in combination with secure boot, as there is just too much involved that can go wrong and a recovery process just doesn't seem to be clearly defined anywhere...
Anyway, I did a quick Google and came across this decryption solution provided within this HP forum post which also includes an attached doc that could also be helpful? Then there are these McAfee knowledge base pages here & here which may also provide some useful info...
What seems paramount is to do a bitwise copy of the problem encrypted HDD so you have another backup HDD in case the decryption process fails leaving your data in an undefined state...
Mind you, how encryption programs like BitLocker and HP ProtectTools interact with self-encrypting HDDs (SED) is unknown to me, so one must know what encryption they actually utilize...
But really, HP need to ensure there exists a documented mechanism to help users of "HP ProtectTools" recover their data on another system should they have the needed keys, otherwise such encryption based on needing Windows to boot is of little to no use (unless HP can guarantee that Windows will always boot, which we all know can never be guaranteed!!!).
Hope you sort your issue, and if you do, please post the solution so others may benefit.
PS: Also found this post on Spiceworks which may outline how HP ProtectTools works:
Below is a follow-up response from the product team:
"I’m quite disappointed to hear about the customer experience regarding SSDs/SEDs....
When ProtectTools is used to activate the encryption (both hardware and software), the interface is the same for the user. If the system has a compatible SED drive, there will be a checkbox to use the hardware encryption. After activation, the customer will need to insert a USB disk to store the backup decryption key. This backup key can be used to unlock the encryption on the drive. It will be necessary for both the hardware and software encryption methods. The system will need to reboot, and the user will now be required to login at the McAfee Preboot Authentication dialog, and again at the Windows login (unless [the user] is using the One-Step Login).
Whether [the user] chooses to use hardware or software encryption, [the user] will see no difference in performance after this.
If [the user] chooses software encryption, the HDD access light will flash as it encrypts the drive in a background process, and [the user] can watch the drive encryption progress by going back to the Drive Encryption tab of Security Manager.
Drive encryption is a very important tool to protect your data, but it is only one piece of the puzzle. It prevents others from gaining access to sensitive or personal information, but it does not cover you if your drive fails.....So, I *highly* recommend the customers take regular backups of their data to a secure location, whether using encryption or not. This allows you to recover your data if the drive fails, as well as if it is lost or stolen, and you can get back up and running with minimal business impact."
Does this imply that a SED can be decrypted on another PC running HP ProtectTools if the drive is hardware encrypted and you have the keys? Who knows!!!
12-27-2013 08:43 PM
> how encryption programs like bitlocker and hp-protect interact with self encrypting HDDs is unknown to me
I know how Enterprise SSC works but am not sure if PCs are in a separate class like Opal.
The TCG has a bunch of documentation:
12-28-2013 06:11 PM
Dennis, thanks for the links, but the referenced sales blurbs do not really say much about the OP's issue, nor do they elaborate on the issues I am concerned with. It's a starting point, so I guess I have lots more reading to do.
So for me, for the moment, I avoid secure boot and drive encryption until there are robust and documented recovery methods that give me the control and do not make me dependent on some other party to access MY data on MY hardware should the OS kak itself and fail to authenticate/boot...
And as the OP mentioned, nothing seems to be documented by HP on how one goes about decrypting their data should the OS fail to boot. And I'm also concerned with what happens when the authenticated boot process fails, or there is some issue with the decryption key storage location (whether stored in flash within the TPM or SED itself)...
There are just too many unknowns for many people, which is why I have difficulty in understanding why one needs data encryption, especially when data theft via OS security breaches seems to be the bigger issue, lost laptops being the exception. All for the sake of not wanting to put a hammer through a HDD when it is retired!!!