The University of Texas at Austin

Enterprise Whole Disk Encryption

Data Recovery and Drive Decryption

The following instructions can be used in two different ways:

  1. Preparing an encrypted system for operating system recovery or repair; SecureDoc decryption and removal (PC only).
  2. Recovery of encrypted data from crashed systems that will be re-imaged (for PC and Macintosh).

Recovering from an operating system crash on a SecureDoc encrypted computer requires two computers:

  • Device 1: the computer that has crashed.
  • Device 2: another computer that has SecureDoc installed in an unencrypted state.

A drive with encrypted data can only be read by loading the key that was used to encrypt the drive into memory. To recover data or perform a system restore/recovery operation, the drive must be decrypted and pre-boot authentication (PBA) must be uninstalled.

Step 1: Prepare to access the crashed computer's hard drive

  1. Log in to the SecureDoc console, locate Device 2, and select your administrative account.

  2. Your administrative account should, by default, have administrative rights to that device. To check for administrative rights, right-click the user, and select Access rights. If the selected user does not have full administrative access rights, assign them by selecting the Admin Rights radio button and clicking OK.

  3. The encryption key for Device 1 must be added to the chosen administrative account. Right-click that account and choose Modify User.

  4. Navigate to Selected Keys and click the Add button.

  5. Browse the folder list and locate the encryption key for Device 1, select the key, and click OK.

  6. The key should now be listed for the user in Selected Keys. If so, click Save in the Edit User Info window. This action will generate an SES command to re-add your keyfile to Device 2.

  7. Log in to Device 2, locate the SecureDoc Control Center icon in the system tray, right-click it, and select Communicate With Server. The changes you made in the console will be applied to Device 2.

  8. Restart Device 2.

Step 2: Access the crashed computer's hard drive

Important: This step requires authenticating to SecureDoc pre-boot with the administrative account that was modified in Step 1. Restart the computer and interrupt its autoboot process by pressing F10 immediately after the BIOS splash or the appearance of the SecureDoc Keys icon (Mac OS). Type in your administrative account name, press Enter, then type the administrative account password.

  1. Remove the hard drive from Device 1 and connect it to Device 2.

    Tip: Drives may be connected with a USB adapter, a Firewire adapter, or internal cabling (requires another pre-boot restart). Apple computers can use Target Disk Mode for this step.

  2. Boot up Device 2, log in to the operating system, and run the SecureDoc Control Center to verify that the logged-in account with administrative access is listed.

  3. Data on Device 1's drive should now be accessible to Device 2 since the necessary encryption key is in use. After data has been recovered the drive may be wiped and a fresh operating system installed. If system recovery is desired (e.g. operating system environment) continue with the following steps.

    Note: Mac OS X options for decryption are limited to scripts run from within the OS. If the operating system is not booting, the best recovery option may be to re-partition the disk and perform a fresh installation of Mac OS X.
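A check worth running between recovering the data and wiping the drive (item 3 above), as an added example that is not part of the original instructions or of SecureDoc: it compares every file on Device 1's mounted drive against the recovered copy by SHA-256 and reports anything missing, different, or unreadable. The function names and the sample directory trees are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_recovery(source_root, dest_root):
    """Return {relative path: problem}; empty means every file was verified."""
    source_root, dest_root = Path(source_root), Path(dest_root)
    problems = {}

    def walk_error(exc):
        # os.walk skips unreadable directories silently unless told otherwise.
        problems[str(exc.filename)] = f"unreadable: {exc.strerror}"

    for dirpath, _dirs, files in os.walk(source_root, onerror=walk_error):
        for name in files:
            src = Path(dirpath) / name
            rel = src.relative_to(source_root).as_posix()
            dst = dest_root / rel
            try:
                if not dst.is_file():
                    problems[rel] = "missing"
                elif sha256_file(src) != sha256_file(dst):
                    problems[rel] = "mismatch"
            except OSError as exc:  # failing disks return read errors; keep going
                problems[rel] = f"unreadable: {exc.strerror}"
    return problems


def demo():
    """Constructed sample trees standing in for the two drives."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "device1"), Path(tmp, "recovered")
        for root, b_body in ((src, b"bravo"), (dst, b"brav0")):
            (root / "docs").mkdir(parents=True)
            (root / "docs" / "a.txt").write_bytes(b"alpha")
            (root / "docs" / "b.txt").write_bytes(b_body)  # dst copy is corrupted
        (src / "c.txt").write_bytes(b"charlie")  # never copied to dst
        return verify_recovery(src, dst)
```

Call `verify_recovery` with the mount point of Device 1's drive and the folder the data was copied to; wipe the drive only when it returns an empty result.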

Step 3: Decrypt crashed computer's hard drive, SecureDoc Version 5.x, PC Only

  1. On Device 2, open the SecureDoc Control Center and log in with your admin account.

    Note: If the Password field is grayed out, just click Login. Otherwise, enter the password for the SecureDoc user, then click Login. This password should be the same password used for pre-boot authentication.

  2. Several entries should appear in the Control Center's left-hand column. Select Drive Encryption.

  3. Under Drive Encryption select Encryption Management, then choose the hard drive to decrypt. Usually the key will be labeled AES Device1 Hostname key.

    • Select Operation: Decrypt
    • Conversion Mode: Thorough
    • Select the correct encryption key as indicated by the drive letter box below. The key should be named after Device 1.

  4. Click the Start button. Decryption should begin immediately and may take several hours to complete. When completed, SecureDoc will confirm decryption.

Step 4: Uninstall boot logon environment

Assuming decryption has completed successfully, you must remove SecureDoc Boot Logon before further operating system recovery can be attempted.

  1. In the SecureDoc Control Center, select the Boot Control tab and click on Install/Uninstall Boot Logon.

  2. Select the Uninstall tab.

  3. Look for the hard drive number that was decrypted in Step 2 (most likely Hard Disk 2) and select it. Be sure the match is correct or Boot Logon will be uninstalled on the wrong hard drive.

    Note: If there is no match or if the radio button is grayed out, either Boot Logon was not installed and does not need to be removed OR Boot Logon was installed and is corrupted.

  4. Click Uninstall to proceed, then click OK to confirm.

  5. Once Boot Logon is uninstalled, the hard drive may be reinstalled on Device 1 and OS recovery procedures may start.

Last updated May 25, 2012 @ 4:05 pm
