A Sophos Disk Encryption 5.61 client is unable to boot and needs to be recovered. This article explains the steps required to recover data from an encrypted Sophos Disk Encryption 5.61 client using the Sophos Enterprise Console and a WinPE 3.0 based recovery medium.
Known to apply to the following Sophos product(s) and version(s)
Sophos Disk Encryption 5.61.0
Enterprise Console 5.1.0
What To Do
1) First, a "Key Recovery File" (required to authenticate the WinPE session against the Sophos Enterprise Console administrator) has to be created in the Sophos Enterprise Console and exported to removable media.
To create the "Key Recovery File", open the Sophos Enterprise Console and navigate to Tools | Manage Encryption | Export Key Recovery File... . Select a location to store the file and press 'OK'.
Place the Key Recovery File (once exported, it is called RecoveryToken.tok) on a removable drive.
2) Download the WinPE 3.0 Recovery Environment (winpe_SGN_184.108.40.206_x86.iso) and either burn it to a CD/DVD (using the burning wizard integrated in Microsoft Windows 7 or third-party burning software that can handle *.iso files) or extract it to a USB drive (third-party tools might be required).
3) On the Sophos Disk Encryption Client that should be recovered, connect the Removable Media that holds the "Key Recovery File" (created in step one) and insert the WinPE 3.0 Recovery Environment Media (created in step two).
Boot the Sophos Disk Encryption Client directly from the WinPE 3.0 Recovery Environment (make sure that the proper boot device is selected in the BIOS).
The WinPE 3.0 Recovery Environment contains a file explorer that is started automatically once the environment has initialized completely.
Use the file explorer to open the removable media that contains the "Key Recovery File" (RecoveryToken.tok) and copy the file into the "SGN-Tools" folder that is located under "Boot (X:) | Program files | Tools | SGN-Tools".
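The copy in step 3 can also be done from a command prompt inside the WinPE session instead of the file explorer. The batch script below is an added example and not part of Sophos' recovery media or tooling; it assumes that the WinPE boot volume is X: (as named in the article), that the destination folder is exactly "X:\Program Files\Tools\SGN-Tools", and that the removable drive holding RecoveryToken.tok has been assigned a drive letter. It scans the drive letters for the token file, refuses to continue if the file or the SGN-Tools folder cannot be found, and otherwise performs the copy.

```batch
@echo off
rem Added example (not Sophos' own tooling): locate RecoveryToken.tok on an
rem attached drive inside the WinPE 3.0 session and copy it to the SGN-Tools
rem folder from step 3. Assumes the WinPE boot volume is X:.
setlocal EnableDelayedExpansion

set "TOKEN=RecoveryToken.tok"
set "DEST=X:\Program Files\Tools\SGN-Tools"
set "FOUND="

rem Check every drive letter except the WinPE boot volume X: for the token
rem file. Encrypted volumes that are still locked simply report "not found".
for %%D in (C D E F G H I J K L M N O P Q R S T U V W Y Z) do (
    if exist "%%D:\%TOKEN%" set "FOUND=%%D:\%TOKEN%"
)

if not defined FOUND (
    echo %TOKEN% was not found on any attached drive.
    echo Connect the removable media from step 1 and run this script again.
    exit /b 1
)

rem The SGN-Tools folder only exists on the Sophos WinPE recovery media.
if not exist "%DEST%\" (
    echo The folder "%DEST%" does not exist.
    echo Make sure the machine was booted from the WinPE 3.0 Recovery Environment.
    exit /b 1
)

copy /Y "!FOUND!" "%DEST%\" >nul
if errorlevel 1 (
    echo Copying "!FOUND!" to "%DEST%" failed.
    exit /b 1
)

echo Copied "!FOUND!" to "%DEST%".
echo Continue with step 4: start the RecoverKeys application from the Quick Launch bar.
endlocal
exit /b 0
```

Save the script on the same removable drive as the token file, open a command prompt in the WinPE session and run it from there; the exit code is 0 only when the token file has been placed in the SGN-Tools folder, so a non-zero result means step 4 should not be started yet.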
4) After the Key Recovery File has been copied to the SGN-Tools folder, open the "RecoverKeys" application that is linked in the Quick Launch section at the bottom of the file explorer.
RecoverKeys displays all drives that are currently connected to the machine. Drives that are encrypted by the Sophos Disk Encryption Client have a GUID next to the drive letter.
Select the drive that should be unlocked (please note: the drive will not be decrypted - it will only be unlocked for the current session!) and press "Import By C/R".
After "Import By C/R" has been selected, the Challenge/Response assistant window opens and presents you with a Challenge Code. This Challenge Code is now required and needs to be entered in the Sophos Enterprise Console.
See example below:
5) Open the Sophos Enterprise Console and navigate to the Sophos Disk Encryption Client that was used to create the Challenge Code. Open the context menu and select "Encryption Recovery...".
In the Encryption Recovery assistant, select "Power-on Authentication (key recovery)" and press Next.
Enter the Challenge code that was created on the Client in the previous step and press Next.
The Encryption Recovery assistant creates a Response Code. Note down the Response Code (the Encryption Recovery assistant can be closed by pressing "Finish" once the code has been noted).
6) Back on the Sophos Disk Encryption Client, enter the Response Code in the Challenge Response wizard and confirm with "OK".
Hint: Click "Finish" in the RecoverKeys application to complete the process. There is no visual feedback on whether the Response Code was accepted or not.
The drive is now unlocked for the current session and can be accessed using the file explorer.