HP harddisk encryption software and me…

October 24, 2008 – 02:43

As you may know, I usually use an HP Compaq business notebook (the 15” 8510p to be exact). For the last 9 months I have been using this model for both work and personal usage and it’s my weapon of choice when needing a mobile powerhouse without breaking my back. Performance is great (you can get better these days, I got one of the last pre-Penryn models) and overall it’s a reliable and sturdy device.

So last week I was going over some security principles and decided that file-based encryption wasn’t enough for my mobile system. I decided to look at drive encryption and for my scenario I had 2 very good and supported choices:

  • Windows Vista BitLocker
    I run Windows Vista Ultimate x64 so using BitLocker would be a viable option for me
  • HP ProtectTools Drive Encryption
    The official business-level encryption solution provided by the OEM, HP, itself.

At first I wanted to use BitLocker and I used the BitLocker preparation Vista Ultimate Extra to prepare my harddrive for BitLocker usage. The tool however refused to use my harddrive as it didn’t understand some of the partitions located on the drive (yes, even I have a dualboot to Linux, don’t like it though) and it refused my harddrive.

Too bad, so I decided to use the OEM-supported solution, HP ProtectTools Drive Encryption. I figured as HP is a large and good company (which has always given me great tech support here in the Netherlands), there would be no recovery issues in the event something should go horribly wrong.

And boy did things go wrong…

Earlier this month I turned on Drive Encryption in the software (which is buggy, doesn’t autolaunch the admin tool as Administrator in Windows Vista with UAC turned on, crap HP software). It took about 2 hours to encrypt my drive and it installed a little on-the-fly decryption app in the bootloader. All was working great and performance was still very good. I backed up a recovery key to 2 different USB sticks (just in case). It also asked me whether I wanted to use the online recovery service. As the service does nothing but store your decryption key for a ridiculous amount of money / year, I declined and used the USB-only solution.

Exactly one week ago, Thursday afternoon, I was prepping a demo I was going to give the following day @ 9AM. At around 15:00, I was done with my notebook and switched it to standby. Sometime later I had to change some boot arguments of the Windows Vista bootloader and used a few applications to reflect the changes needed (which I’m guessing rewrote the Vista bootloader, nothing fancy). All was good and I rebooted to test my changes and I noticed it didn’t load the HP decryption software (usually asking me for my password) and it just gave me a flashing cursor.

I rebooted again .. same. I booted a recovery DVD with a few partition manager applications on it. Double checked whether the Vista partition was the active one. It of course was. I booted the Vista DVD and tried to use auto fix. It couldn’t find my Windows drive (which is explainable as it is encrypted).

The HP system relies on the bootloader software to be present in order to decrypt the harddrive. Messing with the bootloader (which a normal OS installation next to your current OS would also do), seems to wipe away the HP software. Ok great.. now I have a locked drive.

Next up .. recovery.. I had my decryption key but no means to use it as the recovery option was a part of the bootloader decryption software. I quickly visited the HP.com support site in search of a recovery solution for the encrypted harddrive. No luck. Googled on the product name and found nothing useful.

I quickly rang up HP Netherlands as it was about an hour before the lines closed. Quickly got a pro (no level-1/level-2 filtering here, GREAT!) and explained the situation. However unfortunately due to some issues with the phone systems when using T-Mobile as a provider, I got disconnected. This happened a number of times and I quickly switched to landlines (after being on hold and being disconnected 3x). Ultimately had an employee working with me on how to resolve the issue. No luck. I explained my level of expertise on Windows Vista and systems overall and we both gave great ideas on how to possibly resolve the issue (recover the drive or reinstall the bootloader software). He looked in the central database and had no luck. It was over closing time and they had to cut the call short (which I understand). I asked them whether HP USA could help me further as they are 24/7. The Dutch support line said no as they use the same internal support KB.

It was getting late and I quickly went to the shops to grab some food before they all closed. Some cooking later, I was looking at the software being used by HP for the encryption. HP ProtectTools uses a branded version of Safeboot (www.safeboot.com, now owned by McAfee). I again searched the internet but didn’t find a lot of useful stuff. One forum post noted the name (which I can’t say according to HP) of a recovery solution used by enterprises.

Via sources (I’m not allowed to say which ones according to HP) I got my hands on the decryption DVD. Great! Quickly inserted the disc and booted the system yet again. “Please enter daily 4 digit code”. Oh .. euh. 1234 .. nope. Tried some other numbers and couldn’t guess the number. I opted to cancel and the recovery app locked down. It had one other option “Activation via HP backup”. Hey! I have that. Inserted my USB stick and selected the file. “Valid”. Awesome! .. “Now please enter 4 digit daily code”. Arghh.

Looked up the support number for the Safeboot tool. The Dutch number was disconnected as McAfee had bought them. When trying the US number, I got connected to McAfee Enterprise support. I opted for Safeboot support. 1 minute waiting later, I had a tech person on the line. I explained my situation and stated I had the software. Just needed the key. The kind sir explained nicely to me they couldn’t give me the key without the proper SLAs. I understood, but it’s still lame that the only thing holding me back is a 4 digit code which the guy had displayed on his screen but couldn’t give me. I tried asking real real nice. Nope .. no go. He advised me to ring up HP USA.

So I did. Got disconnected 3 times whilst waiting (and having to pass the horrible voice-activated menus, what’s wrong with key input?) and had to wait another 15 minutes. Ultimately I got my tech person on the phone. Took about half an hour to explain the situation. Of course the ma’am couldn’t find anything in the KB either. I also explained my situation was urgent and I had to have the drive back before 9AM next morning. She would “look into it and do some research” while I would wait on hold (with the WORST waiting music EVER). I waited for up to an hour. She was no help and couldn’t find anything. It took her over 90 minutes to realize what the Dutch guy did in 15 minutes. Ultimately she rang McAfee USA again and we had a little conference call (after I waited another 30 minutes whilst she was explaining the situation to McAfee). Ultimately I had the McAfee tech guy on the phone but again just like before, they couldn’t do anything for me.

I thanked them both and hung up (as waiting any longer or making an escalation ticket would be pointless and take way too long). After nearly 5 hours of calling, waiting and being disconnected, I was no further in my quest to unlock my harddrive.

After another desperate 15 minutes of Googling and ringing up 4 IT Pros out of their beds, I gave up. I decided the best thing to do was to wipe the harddrive and install a clean image. As I was using special software for the demo the following day, I couldn’t just use a backup. I had to reinstall from scratch. Of course all my documents and vital information were backed up to external hdd, LAN share and trusty Sharepoint sites so that wasn’t too big a problem. However it did take me another couple of hours to set up the demo software again from scratch. By the time I got in bed, it was nearly 4AM.

The following day I got up at 7AM and gave my demo at 9AM using my cleanly installed software (which went great despite the 3 hours of sleep). Stayed on location till 6PM. After that I went to a friend’s house for dinner. Fixed his internet and had a good time. By the time I was back in my bed, it was 3AM/4AM.

So basically HP is providing an encryption solution they cannot support or recover for you in case something should go wrong. There are no external decryption tools provided. If you are using HP ProtectTools Drive Encryption right now, I really suggest turning it off and migrating away from the solution. At the very least, find some way to back up your bootloader containing the decryption software.
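One way to act on the "back up your bootloader" advice, as an added example that is not part of the original post and not HP or McAfee code: it saves the MBR plus every sector before the first partition and later reports what changed, which also shows why checking the active partition (as described above) cannot reveal overwritten boot code. Where the HP pre-boot software actually lives is an assumption here (the page does not say), and the function names and the sample image are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512

def parse_mbr(sector0):
    """Return (sha256 of bytes 0-445, partition entries) for an MBR sector."""
    if len(sector0) != SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:462 + 16 * i]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4]:  # partition type 0 marks an unused slot
            parts.append((entry[0] == 0x80, entry[4], lba_start, count))
    return hashlib.sha256(sector0[:446]).hexdigest(), parts

def snapshot_boot_region(disk_path, backup_path):
    """Copy the MBR and all sectors before the first partition to backup_path."""
    with open(disk_path, "rb") as disk:
        _, parts = parse_mbr(disk.read(SECTOR))
        if not parts:
            raise ValueError("empty partition table")
        first_lba = min(p[2] for p in parts)
        disk.seek(0)
        region = disk.read(first_lba * SECTOR)
    with open(backup_path, "wb") as out:
        out.write(region)
    return hashlib.sha256(region).hexdigest()

def compare_with_backup(disk_path, backup_path):
    """Report which parts of the live boot region differ from the saved copy."""
    with open(backup_path, "rb") as f:
        saved = f.read()
    with open(disk_path, "rb") as f:
        live = f.read(len(saved))
    return {
        "boot_code_changed": live[:446] != saved[:446],
        "partition_table_changed": live[446:510] != saved[446:510],
        "gap_sectors_changed": live[SECTOR:] != saved[SECTOR:],
    }

def make_constructed_image(boot_code_byte):
    """Constructed sample disk: one active NTFS partition starting at LBA 63."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x07, b"\0" * 3, 63, 2048)
    mbr = bytes([boot_code_byte]) * 446 + entry + b"\0" * 48 + b"\x55\xaa"
    return mbr + b"\xee" * (62 * SECTOR) + b"\0" * (4 * SECTOR)
```

`disk_path` can be a disk image or a raw device opened read-only with administrative rights (for example `\\.\PhysicalDrive0` on Windows). Store the backup file somewhere other than the encrypted disk.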

As for the recovery service which SafeBoot is providing for HP.. It’s a yearly fee to store your (kinda useless) recovery key online and a support service (allowing you to ring the 2 McAfee persons I talked to earlier directly). I asked McAfee whether that would have saved me in my situation had I taken up the subscription. The short answer: No. They only provide you your key and provide support for resetting the password remotely. They don’t provide support when your bootloader committed suicide.

I’m never ever using full drive encryption software by HP again! Perhaps HP could have given me a better solution had I waited a couple of days so they could escalate the problem to other departments and McAfee. I didn’t have the luxury of time, and you might not either when things go wrong. Stay away from HP Drive Encryption solutions (or anything Safeboot related).

One small note: I heard that Safeboot supported the HP software directly via their own helpdesk line thus unloading complex support calls to the HP helpdesk. However McAfee bought Safeboot in 2007. The HP agreement still stands but support is limited to enterprise SLA holders only.

  1. 15 Responses to “HP harddisk encryption software and me…”

  2. I´m using this discryptor.net encryption tool. It is userfriendly, really fast and with explorer integration.

    By Teree on Apr 26, 2009

  3. You are not the only one with this problem. HP Protect Tools and their disk encryption stuff is utter piece of crap.

    Basically if someone has enough time and money, they should put HP to court and sue their incompetent asses due to data loss.

    Basically they are lazy stupid bastards. If they make stupid full of bugs software they should at least put some recovery tool on their website which is easy to be used. And the only thing a user would need for this tool to work is a backup of the encryption key. No PINs, no stupid calls to stupid support people and so on.

    Stupid and incompetent HP idiots.

    By Ogo on Sep 21, 2009

  4. Thanks for sharing with us..very useful and interesting..keep posting

    By sensiguard on Oct 14, 2009

  5. I am having the same problem now. I had some problems with Windows XP (after updating) and then I decided to reinstall the OS. Surprise… After installing all the software I had the pleasant surprise of not seeing an entire partition of my hard drive. All my important work is now gone and I can do nothing to get it back. I called HP and they told me that I can’t do nothing to get it back. So I think it would be wise to use the F word when talking about their “encryption system”. I wish you all a good year (2010) without any HP tools.

    Goodbye and good luck!

    By Neo on Nov 24, 2009

  6. Year 2011 and HP still “going strong”.
    MBR or something lost just after enabling encryption and reboot from Windows7.
    Now I have a useless USB key with useless certificate and “well encrypted” harddrive with only visible content being “Operating system starting…”
    Ah, of course I have the experience of never trusting HP (labeled) software again, but I doubt if this is of any use either…

    By Mihkel on Jan 15, 2011

  7. I have a client that has inadvertently dropped their laptop and toasted their MBR.. After a ton of googling, I’ve managed to find the 4 digit code needed (and the date to set the system to to fool the system into allowing that code) but I can’t find the software ISO or the WinPE plugin that everyone keeps talking about on the forums.

    Of course previous to the incident we managed to convince the customer to use online services to keep backup copies of his data.. however, they don’t back up PST files.

    The thing that irritates me most about the entire thing is that if you look into the HP KB (as many people would find whilst googling) its first instruction is to blow the MBR away (using /fixmbr)… even worse, when I spoke to HP about their instructions for removing encryption I was told to simply delete the c:\program files\HP protect tools\ folder (talk about misinformation) even after advising the rep I’m HP certified and that doing that would make things worse and that I can’t start Windows at all. She advised that she would send through instructions from the senior team for mounting the drive..

    The instructions arrived.. and lo and behold!

    “Step 1: Delete the HP Protect Tools folder
    =======================
    1. Click the Start Button ….

    To her credit, the staff were extremely patient and willing to help. It would just be nice that when HP go and offer non-standard encryption techniques on something as fickle and unreliable as a mechanical hard drive that they would provide downloads on their online website for recovery.

    By James on Jul 12, 2011

  8. Hi,

    I installed the drive encryption tools, and it ran OK for about 2 weeks. I updated some Win7 security patches, and Windows 7 broke. It would not boot up, and got stuck in the repair cycle. Trying to log in with the USB key was of no use. I have lost all my data, but as I had a backup, it was not too bad.

    I took the drive out of my machine, and put another drive in, re-installed, and am working with no encryption. However, my 500GB hard drive is inaccessible via USB, either with Windows or Ubuntu Live CD, but cannot access the partition, drive, etc., as I get I/O errors, presumably as the drive is still encrypted.

    All I want to do is wipe the drive, re-partition it, and have a usable drive.

    Any ideas would be greatly appreciated.

    regards
    Marc

    By Marc on Oct 13, 2011

  9. yeah, hp fucked it up! dont use this fecking bu**t encryption. you will never find a way to recover anything !

    i send a harddrive to a prof rescuer: no chance. and the fecking key backup on the usb stick doesnt work!

    feck ya HP !

    By darky on Nov 22, 2011

  10. Even after 3 years HP or McAfee didn’t come up with any solution to this problem. I faced the same last week and gave my machine to the HP service centre and got a simple answer that there is no solution to it. I lost all my data and am now meeting lawyers to take legal action against HP.

    By NAVI on Apr 7, 2012

  11. I think I see all the situation on a slightly different way than you.

    It’s really unfortunate to have a computer dropped and as a result a faulty HD, or having the boot record changed and lose access to the contents of the HD.

    But is this not exactly what you expect from disk encryption? You say that you couldn’t in any way access the data, and that’s what I look for when I seek drive encryption!

    All you said, and the other comments prior to mine, all this speaks in favour of the HP drive encryption, and not against it!

    By Carlos "deepblue" Fraga on May 4, 2012

  12. This piece of unexpectable illusion of encryption annoyed me so much…

    I made backup from Live MINT USB and now GHOSTing..

    By Gutzer on Oct 24, 2012

  13. Thank you very much for sharing! I will never use this program and I am glad that I have never used it before.

    By Sergey on Feb 9, 2013

  14. @ Carlos “deepblue” Fraga:

    No. That is not what I expect from the drive encryption. The encryption works, no question about that. But it’s absolutely not acceptable that, if for some reason the MBR is deleted or changed in any other way, I can’t even access the INTERFACE/TOOL to decrypt my drive and no one can help me with recovering or rewriting the lost MBR record. This would be no security issue at all…

    By Dave on Jun 13, 2013

  15. I was just about to turn on HP drive encryption … I don’t think I will now. They might have fixed the problem but it just isn’t worth the risk. Thank you for posting, Martijn.

    By Bob on Sep 2, 2014

  16. It is now 2015 and it is still not possible to recover from MBR corruption. And it wasn’t even my fault, Windows Update toasted the system. I won’t ever use the HP full disk encryption again and I will never recommend an HP computer to anyone, on the off chance that they might accidentally enable the encryption.

    By Dan on Mar 9, 2015
