LinuxQuestions.org


crazypoker 06-20-2013 04:02 PM

Recovering data using Knoppix on a PGP encrypted drive
 
I'm having issues booting my computer running WinXP and would like to pull some data off of it before I completely redo the computer.

Here are the high level points:
- Computer has PGP WDE
- After starting, I am prompted for the passphrase almost immediately. I do know the passphrase and can get past this part on a normal boot; it's sometime during the running of the startup scripts that it fails
- I've downloaded and been able to boot using Knoppix V7.0 using a USB drive (Knoppix loads prior to me being prompted for my PGP passphrase)
- When Knoppix loads however, I am not able to see my drive from which I would like to recover data
- When I run fdisk -l I am able to see the drive - /dev/sda and /dev/sda1. From my research I believe sda is the drive and sda1 is the partition
- I've tried various mounting commands with no luck, I could list them out but figured I'd just first start with this and see what type of feedback I get

That is about as far as I can get.

Can anybody help me out with steps needed to access the drive/partition and in turn, the data on that drive?

Thanks in advance

yancek 06-20-2013 06:07 PM

Running fdisk should tell you under the System column if it is a Linux partition, usually just says "Linux".
Running df -T should tell you the filesystem type in the output, interestingly enough under the "Type" column.
The example below shows Type ext4 on sda8 and the root "/" partition.

Quote:

df -T
Filesystem Type Size Used Avail Use% Mounted on
/dev/sda8 ext4 39G 25G 13G 68% /
Using the example above to mount that partition:
Code:

mount -t ext4 /dev/sda8 /mnt/sda8
You would need to create the "sda8" directory or whatever you want to call it in the /mnt directory or, you could just use /mnt as the mount point if you are on a Live CD.

Rescuing data should work well with TestDisk which may be on the Knoppix CD. You could try typing 'testdisk' in a terminal. I don't have a Knoppix CD to test.

bill_from_tampa 06-20-2013 06:29 PM

You should probably ask Symantec or whoever provided the PGP whole-disk encryption software how to recover data from the drive. It may be that the entire filesystem is encrypted, meaning the Linux mount command does not recognize that there is a filesystem on the partition (it is encrypted!). I have no idea if any of the Linux (open source) whole-disk encryption software would be able to unencrypt and mount something created by your software (PGP). Maybe somebody else can help with that issue -- good luck! [I won't ask if you had the data backed up, that would be adding insult to injury...]
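
Added example, not part of any post in this thread: a read-only probe that illustrates the point above, that mount finds nothing to recognise on a whole-disk-encrypted partition. It looks for a few well-known filesystem magic values and otherwise measures entropy; the function names, the 7.9 threshold and the sample images are assumptions of this example, and it neither decrypts anything nor identifies PGP WDE specifically.

```python
import hashlib
import math
import sys
import tempfile
from collections import Counter

# (offset, magic, label): formats a live CD can mount or unlock directly
SIGNATURES = [
    (3, b"NTFS    ", "NTFS boot sector"),
    (82, b"FAT32   ", "FAT32 boot sector"),
    (1080, b"\x53\xef", "ext2/3/4 superblock"),
    (0, b"LUKS\xba\xbe", "LUKS header (cryptsetup can open it)"),
]

def entropy(data):
    """Shannon entropy in bits per byte; ciphertext sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path, skip=1 << 20, sample=1 << 16):
    """Probe a partition device or image file, opened read-only."""
    with open(path, "rb") as dev:
        head = dev.read(2048)
        dev.seek(skip)  # sample data well past the boot area
        body = dev.read(sample)
    for offset, magic, label in SIGNATURES:
        if head[offset:offset + len(magic)] == magic:
            return label
    if entropy(body) > 7.9:
        return "no known signature, high entropy: likely encrypted"
    return "no known signature, low entropy: blank or damaged"

def constructed_image(kind, size=2 << 20):
    """Constructed sample (not real disk data): 'ntfs' or 'encrypted'."""
    data = bytearray(size)
    if kind == "ntfs":
        data[3:11] = b"NTFS    "
    else:  # pseudo-random bytes stand in for ciphertext
        for i in range(0, size, 32):
            data[i:i + 32] = hashlib.sha256(i.to_bytes(4, "big")).digest()
        data[1080:1082] = b"\xaa\xaa"  # keep the sample free of the ext magic
    with tempfile.NamedTemporaryFile(delete=False, suffix=".img") as tmp:
        tmp.write(data)
    return tmp.name

if __name__ == "__main__":
    targets = sys.argv[1:] or [constructed_image("ntfs"), constructed_image("encrypted")]
    for t in targets:
        print(t, "->", classify(t))
```

Saved under a name of your choice (probe.py here is hypothetical), it takes the partition as an argument, for example `sudo python3 probe.py /dev/sda1`; without arguments it runs on the two constructed images.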

jefro 06-20-2013 07:42 PM

My guess is you could simply use the gui to mount the drive. Do you have some file manager available in knoppix? The drive may show up in media or other folder already.

Yes, sdx is a scsi attached drive in position x. It would be scsi because of other reasons not actual scsi. Could be sata or ide or other.

Yes, sda1 is the first partition on sda. You may have other swap partition. Guess you could use gparted to see what is there on the sda drive.

I assume since it asks for the passphrase you have a start. The data may all be wrong but at least you have a start.

Knoppix may not correctly read soft or faux/fake raid arrays.

Use a few other distros just to see. Opensuse, live Gentoo maybe a few others. Fedora can't hurt to try either.

haertig 06-20-2013 11:18 PM

Quote:

After starting, I am prompted for the passphrase almost immediately
This happens when trying to boot Windows, is that correct? So Windows starts to boot, asks you for the passphrase, and then problems occur? What specifically is the problem? Does Windows give you an error message? Have you tried booting in Windows SAFE MODE?

Without knowing what PGP WDE is/does for its encryption, it's hard to give advice on how to recover a Windows version of it from Linux. But I went to Google and searched on "linux pgp wde" and the very first eight hits were for documents on the Symantec website. I didn't follow those hits to the documents themselves, but that's where I'd start if I were you. Next, I'd call Symantec support and ask them how to recover if you can't find anything else on the web and don't get any additional advice here on LQ.org.

crazypoker 06-21-2013 09:07 AM

Quote:

Originally Posted by yancek (Post 4975675)
Running fdisk should tell you under the System column if it is a Linux partition, usually just says "Linux".
Running df -T should tell you the filesystem type in the output, interestingly enough under the "Type" column.
The example below shows Type ext4 on sda8 and the root "/" partition.



Using the example above to mount that partition:
Code:

mount -t ext4 /dev/sda8 /mnt/sda8
You would need to create the "sda8" directory or whatever you want to call it in the /mnt directory or, you could just use /mnt as the mount point if you are on a Live CD.

Rescuing data should work well with TestDisk which may be on the Knoppix CD. You could try typing 'testdisk' in a terminal. I don't have a Knoppix CD to test.

Here is the output of the df -T command, as you can see, it doesn't return anything for /dev/sda or /dev/sda1, thoughts?

knoppix@Microknoppix:~$ df -T
Filesystem     Type     1K-blocks     Used  Available  Use%  Mounted on
/dev/sdb1      vfat       3918848  1019968    2898880   27%  /mnt-system
tmpfs          tmpfs      2625536        0    2625536    0%  /ramdisk
/dev/cloop     iso9660    1985480  1985480          0  100%  /KNOPPIX
/dev/loop0     ext2        297485     4651     292834    2%  /KNOPPIX-DATA
unionfs        aufs        297485     4651     292834    2%  /UNIONFS
unionfs        aufs        297485     4651     292834    2%  /usr
unionfs        aufs        297485     4651     292834    2%  /home
tmpfs          tmpfs        10240       56      10184    1%  /UNIONFS/var/run
tmpfs          tmpfs        20480     2744      17736   14%  /run
tmpfs          tmpfs        10240        0      10240    0%  /UNIONFS/var/lock
tmpfs          tmpfs       102400       52     102348    1%  /UNIONFS/var/log
tmpfs          tmpfs      2097152        8    2097144    1%  /tmp
udev           tmpfs        20480        4      20476    1%  /dev
tmpfs          tmpfs      2097152        0    2097152    0%  /dev/shm

Additionally, I was able to run testdisk and was able to see /dev/sda, however, I was not able to determine how to use it to access any data. I'm still working on that utility though.

haertig 06-21-2013 09:59 AM

Quote:

Originally Posted by crazypoker (Post 4976062)
Here is the output of the df -T command, as you can see, it doesn't return anything for /dev/sda or /dev/sda1, thoughts?

That's because the df command can only return data for mounted filesystems. And you haven't been able to mount the filesystem yet.

crazypoker 06-21-2013 12:05 PM

Quote:

Originally Posted by haertig (Post 4976096)
That's because the df command can only return data for mounted filesystems. And you haven't been able to mount the filesystem yet.

Well that makes sense.

yancek 06-21-2013 12:47 PM

Quote:

That's because the df command can only return data for mounted filesystems
I keep forgetting that. Try the command below, need to be root. You may need to install parted??:

parted /dev/sda print all

crazypoker 06-28-2013 12:38 PM

Quote:

Originally Posted by yancek (Post 4976193)
I keep forgetting that. Try the command below, need to be root. You may need to install parted??:

parted /dev/sda print all

Still no dice here. Been looking for some type of command that indicates the drive I want to work with is encrypted and then prompts for a pass phrase. I found something in terms of "luksOpen /dev/sda1 encrypted" but as I don't have a luks device, that doesn't work. Any thoughts?

jazz5150 06-28-2013 02:28 PM

Why the insistence on using Linux/Knoppix? Make a boot.iso (you can get it from the Symantec site). Boot from the CD you just made. In the PGP boot screen go to Advanced or press F4, decrypt the disc. Boot Knoppix, mount the decrypted disc, save what you want to save.
Another option is to use tools such as Parted Magic or Casper Secure Drive Backup.

crazypoker 06-28-2013 07:28 PM

Quote:

Originally Posted by jazz5150 (Post 4980399)
Why the insistence on using Linux/Knoppix? Make a boot.iso (you can get it from the Symantec site). Boot from the CD you just made. In the PGP boot screen go to Advanced or press F4, decrypt the disc. Boot Knoppix, mount the decrypted disc, save what you want to save.
Another option is to use tools such as Parted Magic or Casper Secure Drive Backup.

I looked at Symantec but that said I needed to use the same version that was used to encrypt, which I can't remember. Also, I don't have a CD drive; could I make the boot.iso to a USB drive or does it have to be CD?

jazz5150 06-29-2013 01:57 AM

Assuming you are working from Knoppix you can use the dd command to write the iso to create a bootable USB device.
How to use dd is described in earlier postings in these forums.

If you can remember the time when the software was purchased you can deduce which version it should be.
Since the downloads are free and writing to USB is also free there is no harm in trying until you've got the correct version.

crazypoker 06-29-2013 11:52 AM

I tried the Symantec option. I was able to find the version when I started the computer and accessed the PGP advanced options. However, this was not successful: when I booted with the bootg.iso image, PGP presented an error stating it couldn't find the recovery. I'll try some of the other options you indicated next.

jazz5150 06-29-2013 12:48 PM

Just to make things clear: You created a bootable USB with the Symantec boot.iso? You then booted from this USB: was this successful?
If it was: did you go to the advanced screen - Do not try to boot the disc but go to advanced and decrypt it.
Then you can boot Knoppix or whatever you like and save the data that needs to be saved to an external source, i.e. a USB device.

Can you explain where the error did occur?

haertig 06-29-2013 07:47 PM

Quote:

Originally Posted by crazypoker (Post 4980524)
I looked at Symantec but that said I needed to use the same version that was used to encrypt, which I can't remember.

Well, that piece of info would make me stay far away from any Symantec product from now on. Of course you have to try to recover what you have, by any means you can, but after that task is completed I'd recommend you kiss Symantec goodbye.

crazypoker 06-30-2013 10:20 AM

Quote:

Originally Posted by jazz5150 (Post 4980833)
Just to make things clear: You created a bootable USB with the Symantec boot.iso? You then booted from this USB: was this successful?
If it was: did you go to the advanced screen - Do not try to boot the disc but go to advanced and decrypt it.
Then you can boot Knoppix or whatever you like and save the data that needs to be saved to an external source, i.e. a USB device.

Can you explain where the error did occur?

Yes, I created the USB bootable with the Symantec iso from their site.
From here, I attempted to boot. Normally, after about 3 seconds, I am presented with a grey screen where I input my pass phrase. When using the USB to boot, I get the error where I'd normally be asked for my pass phrase.

crazypoker 06-30-2013 10:30 AM

Quote:

Originally Posted by jazz5150 (Post 4980399)
Why the insistence on using Linux/Knoppix? Make a boot.iso (you can get it from the Symantec site). Boot from the CD you just made. In the PGP boot screen go to Advanced or press F4, decrypt the disc. Boot Knoppix, mount the decrypted disc, save what you want to save.
Another option is to use tools such as Parted Magic or Casper Secure Drive Backup.

I tried Parted Magic with no luck. This seemed to work like Knoppix. I couldn't figure any way to mount the drive.
I also looked at Casper Secure; I didn't have any luck there either. Seemed like I was going to need another hard drive to back up to.

jazz5150 07-03-2013 02:36 AM

I am sorry but if none of the advised solutions work for you I am out of options.
Maybe someone else has a working solution for you.

crazypoker 07-05-2013 10:15 AM

Ok, thanks for helping. I think I'll just admit defeat and start over.


All times are GMT -5.