SafeGuard Enterprise: How to decomission a volume-based encrypted disk.

  • Article ID: 108268
  • Updated: 08 Dec 2015

How to decommission a volume-based encrypted disk.

Known to apply to the following Sophos product(s) and version(s)
SafeGuard Device Encryption

Technical information
Sophos provides a command line tool (BEInvVol.exe) for SafeGuard Enterprise which can be used to safely decommission volume-based encrypted volumes (hard disks, USB sticks etc.). It can be found in the tools folder where you extracted SafeGuard Enterprise.

This command line tool permits easy decommissioning of all encrypted volumes. It is based on the DoD Standard 5220.22-M, which can be used to delete key stores safely. This command line tool can only be used on a computer on which SafeGuard Enterprise is installed.

Once the desired volume has been found, a warning message is displayed requiring the user to confirm the request. All key stores (primary & secondary) are then deleted. The volume will not be readable from this point on.

The command line tool also displays information on screen about the delete process. This includes for example, the name of the volume, the size of the volume, key store information such as symbolic key name, date and time of the deletion, the user who carried out the deletion, and the computer name on which the deletion was carried out. This information can be stored on any storage device, USB stick, or on the network server.

Caution: There is no way to recover the data afterwards.

What to do

The decommissioning tool can be used under 32-Bit versions of Windows PE and Windows Recovery Environment using the command prompt.

*Do not run this tool using the SGN recovery WinPE with the SGN filter drivers.  Beinvvol will not allow you to run commands. Also trying to disable the filter driver with FLTDoNothing will not help either.


> beinvvol <command[volume]> [-g[log_mode[log_file]]]


xl[volume]: List info for the target volume(s). If no target volume is specified list info for all volumes.

xi<volume>: Invalidate the target volume(s) if fully SGN-encrypted. The target <volume> must be specified for this command.

<volume>: Specify the target volume = {a, b, c, ..., z, *}, with <*> meaning all volumes.

?, h: Display help.


-g0: Disable logging mechanism.

-ga[file]: Logging mode -append. Append log-entries at the end of the target log-file or create it if it does not exist.

-gt[file]: Logging mode -truncate. Truncate the target log-file if it already exists or create it if it does not exist.

[file]: Specify the target log-file. If not specified the default target log-file is "BEInvVol.log" at the current path. Do not set this file on the same volume to be invalidated!

-?, -h: Display help.


> beinvvol -h

> beinvvol xld

> beinvvol xle -gac:\subdir\file.log

> beinvvol xl* -gtc:\subdir\file.log

> beinvvol xif -gt"c:\my subdir\file.log"

> beinvvol xig -g0

> beinvvol xi*

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent