Transporting a PGP encrypted Win7 disk.

Discussion in 'Windows Virtual Machine' started by CDondanville, Aug 26, 2012.

  1. CDondanville

    CDondanville Bit poster

    Messages:
    1
    I ran transporter agent on my Win7 computer that has PGP whole disk encryption enabled. The transport took forever (14 hours) but seemed to work OK. However when I go to start it, I get the updating your VM message and it goes through the motions, which is good. I then see the PGP login screen, which is the way the Win7 machine starts, which is also good. When I enter the password, the PGP software accepts it, the screen blacks and the message "missing operating sytem" appears and the VM shuts down. This is an endless cycle.

    Any Ideas? I know the encryption software has to be loaded a la root kit, which is why you have to enter the encryption password before the boot starts. But that appears to be working. However it is not getting to the point that it can actually use that to read the encrypted disk volume it appears, thus Parallels thinks the OS is missing. Is parallels trying to do something in that boot phase as well that is incompatible with the PGP software? Open for suggestions.

    Chris
     
  2. Ted Schadler

    Ted Schadler Bit poster

    Messages:
    1
    Can Parallels team please weigh in on this?

    Not being able to run a PGP encrypted Win 7 image is a dealbreaker, alas. Can you help?

    Ted
     
  3. jaylindell@comcast.net

    jaylindell@comcast.net Member

    Messages:
    22
    Same deal here. The odd thing is if you go to the Transported image, and right-click>Open with..., you can choose 'Parallels Mounter'...and the drive mounts. The OS and all the files are there. So darn frustrating. I don't know enough about Windows to know what files to find and edit that might bypass the PGP login, or make it see that there is, indeed, an OS there..and then boot it. Did anyone get any farther with their situation?
     
  4. Specimen

    Specimen Product Expert

    Messages:
    3,242
    The PGP OS bootloader is probably pointing to a specific partition on a specific volume, maybe even at a certain sector, I don't know exactly how it works, but however it is when the OS is imported into a VM the place for the bootloader to find the OS is not the same anymore, this is a configuration that has to be changed somewhere on the PGP bootloader.

    You have to realize that the point of encryption is to make all these things difficult, most probably the information where the OS is is also encrypted, to make it difficult to someone to clone a PGP encrypted machine and try to brute force the clone in a lab, (inside a VM for instance).

    Normally an OS should be transported unencrypted and then have encryption installed/applied on the VM.


    Finally, if you used Parallels Transporter it probably didn't transport the drive encrypted, as the PGP encryption is a lower layer, and Parallels Transporter isn't copying bit by bit (the way an encrypted drive has to be transported), or else you wouldn't be seeing the files via Parallels Mounter.
     
    Last edited: Apr 17, 2013
  5. jaylindell@comcast.net

    jaylindell@comcast.net Member

    Messages:
    22
    Thanks, Specimen--
    My company had encrypted Windows XP for years before this move to Win7 and PGP. Pointsec was the encryption tool the company used and Transporter stripped it out every time, so it was able to boot. As you and I note, not so this time around.

    I'm not knowledgeable enough about Windows to understand why, if you can mount the VM 'drive' why you can't build a new Win7 from that drive. When it says no OS is present, obviously it is...but it just isn't seeing it.
     
  6. Pmg102

    Pmg102 Bit poster

    Messages:
    4
    I know this is an old post - but I have managed to resolve this issue, and thought I'd share.

    I'm running Parallels 9 (but have used this process with Parallels 7 & 8). I have a company machine that is protected using PGP Full Disk Encryption. I want to port to my company Mac (which incidentally has full disk encryption courtesy of FileVault 2).

    I didn't use Transporter to get my disk image file - I used disk2vhd from Microsoft, but I'm sure that it'll do the same thing. I then needed to manually create a virtual machine around this, so that the Parallels importer would work - created an XML file as per the instructions here: http://forum.parallels.com/showthre...of-VMs-anymore&p=422980&viewfull=1#post422980

    When I boot the machine, I get the PGP prompt. After entering credentials the machine borks.

    The issue is the bootloader. PGP have replaced the Microsoft one with their own custom version. All we need to do is restore it. By this point we don't need the PGP one - as the data in the VHD is unencrypted... the Transporter or disk2vhd tools have done that job for us. Which is why we can 'mount' the image and view the files without issue.

    To do this - just follow the instructions here: http://www.tomshardware.com/news/win7-windows-7-mbr,10036.html

    You will need to do all of them, up to, but not including, the 'how to change active partition'.

    Hopefully this should help...

    Let me know if I've missed any steps out, as I'm writing this from 2 day old memory
     
  7. jaylindell@comcast.net

    jaylindell@comcast.net Member

    Messages:
    22
    Hey there, Pmg102...this is potentially AMAZING new/fix. Thanks for keeping it/us in mind.

    As you seem to be a bit more facile in Windows than I, some questions regarding the above instructions:

    1. If I have the Transporter-created VM on an external USB hard drive, it won't boot, as we have all experienced. How -- or probably more accurately, from WHERE -- am I running the Windows Recovery CD or USB Flash I have made from the instructs in your tomshardware.com link above?

    2. Once I am able to start up that recovery program, does it let you see/point to the external USB hard drive that has the VM so you can perform the repairs?

    3. Can I run the system recovery repairs from my actual PC right after Transporter completes the migration to the USB hard drive?

    Thanks for any more 'recollections' you may have about your experience doing this.
     
  8. Pmg102

    Pmg102 Bit poster

    Messages:
    4
    Hi Jay,

    Worth saying that once I had used disk2vhd to create the disk image, I copied it onto my second machine - so it was on the hard drive. When I then created a Parallels VM, I added the 'transported' hard disk as the main hard disk, and then added a Windows Install ISO as a CD drive. I then booted from this CD (within Parallels)... which allowed me access to the recovery actions (as per the tomshardware post).

    The Recovery console thinks that the disk is the primary hard drive (due to the parallels configuration), so yes it can see it.

    You need to run the recovery console through Parallels, it cannot be run against the hard disk image outside of this (as far as I'm aware)

    Hope this makes sense?

    If you have any problems then please post back

    - Paul
     
  9. jaylindell@comcast.net

    jaylindell@comcast.net Member

    Messages:
    22
    Makes perfect sense, Paul. Thanks for the clarification. This will be my fave weekend project...I hope to report back with success.
     
  10. jaylindell@comcast.net

    jaylindell@comcast.net Member

    Messages:
    22
    Hi, Paul--

    I made a few passes here using Transporter but Parallels won't even get me to where I was earlier in the year, meaning the PGP screen...it hangs on bootloader. So I figured I would try it your way. I made a .vhd image of the company load set. I'm a bit confused about this quote and what to do...

    ...versus this quote and what to do...

    In that second instruct, it isn't clear to me whether or not you copied onto your Mac, then created the xml doc you stated above and then did the import. Also, relating to that, did you create a folder, put the .vhd in there with the XML file and append the folder with a .pvm so Parallels would recognize it? If so, what other files did you put in there? Finally, what did you use in the XML code for the relative string? Can you paste your XML code here?

    Sorry to ask so many questions....I was so juiced to get this to work before Monday and was disheartened that the old process I used earlier this year was not working. Appreciate all of your help...if anyone else has success here, please chime in and light the way. :)
     
  11. Pmg102

    Pmg102 Bit poster

    Messages:
    4
    I copied the VHD to the Mac, into /Users/paul/Documents/. I think created a /Users/paul/Documents/machine.vmc with the following:

    <?xml version="1.0" encoding="UTF-8"?>
    <preferences>
    <version type="string">2.0</version>
    <hardware>
    <pci_bus>
    <ide_adapter>
    <ide_controller id="0">
    <location id="0">
    <drive_type type="integer">1</drive_type>
    <pathname>
    <absolute type="string">/Users/paul/Documents/machine.vhd</absolute>
    <relative type="string">machine.vhd</relative>
    </pathname>
    </location>
    </ide_controller>
    </ide_adapter>
    </pci_bus>
    </hardware>
    </preferences>

    I then double clicked the .VMC file - parallels opened, and started the import. Make sure you create the file as Plain Text (Text Edit menu -> Format -> Make Plain Text).


    Let me know if this works - if not I'll try and make time this afternoon, and go through the process again myself to make sure I haven't missed a step
     
  12. jaylindell@comcast.net

    jaylindell@comcast.net Member

    Messages:
    22
    Sigh.

    It asks where I want to save the converted third-party VM, I select the location and...

    failure.jpg

    This is the web page to which the error code link goes.

    Maybe I did something different in the Disk2VHD settings than you did (I did NOT check 'VHDX' and I did NOT check 'Shadow Volume').

    Any ideas/steps to try?

    Truly appreciate your assistance. Thanks!
     
    Last edited: Feb 9, 2014
  13. Pmg102

    Pmg102 Bit poster

    Messages:
    4
    I would definitely try with Shadow volume CHECKED. Can you post your xml file contents?
     
  14. jaylindell@comcast.net

    jaylindell@comcast.net Member

    Messages:
    22
    Okay. I will run another copy with Shadow Volume checked.

    As requested, here's the plain text inside my document titled test2.vmc (I have both the .vmc file and the .vhd file on an external USB drive called 'Portadrive', which you'll see referenced below):

    <?xml version="1.0" encoding="UTF-8"?>
    <preferences>
    <version type="string">2.0</version>
    <hardware>
    <pci_bus>
    <ide_adapter>
    <ide_controller id="0">
    <location id="0">
    <drive_type type="integer">1</drive_type>
    <pathname>
    <absolute type="string”>/Volumes/Portadrive/test2.vhd</absolute>
    <relative type="string">test2.vhd</relative>
    </pathname>
    </location>
    </ide_controller>
    </ide_adapter>
    </pci_bus>
    </hardware>
    </preferences>

    Thanks. I will post back later.
     
  15. jaylindell@comcast.net

    jaylindell@comcast.net Member

    Messages:
    22
    Well, that was painful...but I finally got it. My guess is that our company did something special to make the cloned machine not start up into PGP. I had to use VMWare Workstation as an intermediary.

    Thanks, Paul for your assistance. This was a long time in coming. :)
     
    Last edited: Feb 11, 2014
  16. JoachimF

    JoachimF Bit poster

    Messages:
    1
    getting same error message during import

    Jay,
    I have the same problem as you had getting the same error message during import. What was your solution to solve it. Guidance would be highly appreciated.
    thanks
     
  17. BilalA1

    BilalA1 Bit poster

    Messages:
    1
    Hi Jay & JoachimF
    I am in the same boat. I tried to follow the steps above. I can get to the PGP screen but then get an error message saying "No Operating System".
    Could you please help us with the steps, specially the one which mentions a work around of using VMware as an intermediary.
    Much appreciated
     

Share This Page