
IT@Cornell


How to Retrieve the Whole Disk Recovery Token (WDRT)

If a user has forgotten their PGP BootGuard passphrase and cannot use the security questions to recover it, a Whole Disk Recovery Token can be issued. The token is valid for one use. After it is used and the computer has resynchronized with the PGP server, the token string is reset.

Important! After a Whole Disk Recovery Token has been issued, the TSP must create a remedy ticket. Include the user name of the issued WDRT, the reason for the WDRT, and the name of the TSP that issued the ticket.

Whole disk recovery tokens are associated with encrypted devices, not single computers or single users. A single computer can be associated with multiple encrypted hard drives. If multiple users have accounts on the same device, they share the same whole disk recovery token. Whatever you do with the token affects all users sharing that device. Each encrypted device has only one whole disk recovery token.

Issuing a Whole Disk Recovery Token (WDRT)

  1. Connect to the PGP Universal Server (https://pgp.cit.cornell.edu:9000). Enter the username and passphrase issued to you by the security office.


  2. Click Consumers, and then click the name of the group to which the affected device belongs.


  3. In the Users box, click View.


  4. Click the name of the user for whom you are issuing a token, and then click the arrow next to Whole Disk Encryption.


  5. A list of every encrypted hard drive or device assigned to that user is displayed. The WDRT is specific to each drive or device. Click the magnifying glass next to the affected drive or device. (If the user has multiple encrypted devices, you can find the device name using the Finding the Device Name procedure below.)


  6. You'll see a message saying that revealing the token is a one-time event and that it is being logged. Click OK.
  7. The WDRT is displayed. Once you have copied it, click OK.


    The token is valid for one use. After it is used and the computer has resynchronized with the PGP server, the token string is reset.

Finding the Device Name

Use this procedure to find the device name to choose if there are multiple devices assigned to a single user.

  1. On the affected device, on the PGP BootGuard log-in screen, use the arrow keys to select Advanced.
  2. Press Enter.
  3. Use the arrow keys to highlight the drive that is encrypted and used to boot (primary or c:).
    The device name is displayed under the drive.

Whole Disk Recovery Token Details

  • The token code is a series of 6 groups of numbers and letters.  
  • It is case-insensitive. 
  • The dashes in the token are included to improve readability. You do not have to enter them as part of the token. (The token will be accepted either with dashes or without.)

Because it can be difficult to tell the difference between certain letters and numerals, tokens use letter and numeral equivalencies. You can type either letter or numeral when you use a whole disk recovery token, and the token string will be accepted. The following are interchangeable:

  • Letter B and numeral eight (8)
  • Letter O and numeral zero (0)
  • Letter I and numeral one (1)
  • Letter S and numeral five (5)
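
The entry rules above (case-insensitive, optional dashes, interchangeable characters) mean one token can be written many ways, so comparing a token read back over the phone against the one displayed requires reducing both to a single form first. The following is an added example, not code from PGP or from this page. It assumes letters are folded to numerals (an arbitrary choice) and that a token is alphanumeric only; the function names and the sample value are constructed for illustration.

```python
import hmac
import re

# Equivalences listed on the page; folding letters to numerals is an
# arbitrary choice made for this example (either direction works).
EQUIVALENTS = str.maketrans({"B": "8", "O": "0", "I": "1", "S": "5"})
GROUPS = 6  # the page states a token is 6 groups


def canonical_wdrt(entered: str) -> str:
    """Return a canonical form of a token as typed or read aloud.

    Raises ValueError if the input cannot be a token under the page's rules.
    """
    text = entered.strip().upper()            # case-insensitive
    if "-" in text:
        groups = text.split("-")
        # With dashes present the grouping is checkable: 6 non-empty groups.
        if len(groups) != GROUPS or not all(groups):
            raise ValueError("expected 6 dash-separated groups")
        text = "".join(groups)                # dashes are optional
    # Assumption: only ASCII letters and numerals appear in a token.
    if not re.fullmatch(r"[A-Z0-9]+", text):
        raise ValueError("token may contain only letters and numerals")
    return text.translate(EQUIVALENTS)


def same_token(a: str, b: str) -> bool:
    """Compare two renderings of a token, e.g. a read-back against the original."""
    try:
        ca, cb = canonical_wdrt(a), canonical_wdrt(b)
    except ValueError:
        return False
    # Constant-time comparison, as for any secret value.
    return hmac.compare_digest(ca.encode(), cb.encode())


# Constructed sample value, not a real token; the group length is made up.
SAMPLE = "AB0I5-C8DEF-GHJKL-MNPQR-STUVW-XYZ23"
```

Without dashes the group count cannot be checked, because the page does not state how long each group is.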