Bugs & Fixes: Beware OS X 10.6.5 and PGP WDE protected drive

If you are using PGP Whole Disk Encryption, beware of updating to Mac OS X 10.6.5. PGP Technical Support has issued the following alert:

“Mac OS X PGP WDE customers should not apply the recent Mac OS X 10.6.5 update. Compatibility issues may prevent the system from successfully booting. In the interim, customers can accomplish the upgrade safely if the PGP Whole Disk Encrypted system is first decrypted, then apply the Mac OS X 10.6.5 update and then re-encrypt.”

If this advice comes too late because you’ve already updated to Mac OS X 10.6.5 and find yourself with an unbootable drive, PGP Technical Support recommends you do the following:

1. Boot the system using the PGP Recovery CD [download link].

2. When prompted, authenticate with your passphrase. Do not press D to decrypt. Press another key (e.g., spacebar) to boot into Mac OS X normally.

3. Once logged into Mac OS X, PGP Desktop will automatically fix the boot issue and you should no longer need the recovery CD.

4. Download the script “PGPwdeEFIUpdate.sh” to your desktop [download link]. (This script makes a needed backup of the correct version of the boot.efi file, which is used should you ever choose to decrypt your WDE-encrypted startup disk. Note that this script will also set the currently running startup disk as the default for future system restarts.)

5. Open Terminal and navigate to your desktop directory by typing “cd ~/Desktop” and pressing enter.

6. Type in the command “chmod 755 PGPwdeEFIUpdate.sh” and press enter.

7. Type in the command “sudo ./PGPwdeEFIUpdate.sh” and press enter.

Although some postings at Apple’s Discussion Forums suggest decrypting the disk at Step 2 above (via pressing the D key), PGP Technical Support makes it very clear that this should not be done: “Doing so will result in your Mac OS X system using an older version of bootloader”—likely causing more problems.

Another thread in Apple’s forums has links to other PGP site locations (such as this one) that offer similar solutions for disk recovery. However, the instructions cited above are specific to the 10.6.5 issue and should be sufficient.

Otherwise, the remaining solution is to restore your drive from a current mirrored backup—one that has not yet been updated with the 10.6.5 software. Of course, this assumes you have such a backup.

The source of the boot failure is that the PGP-modified copy of the Mac’s boot.efi file—required for a successful startup—is overwritten when updating to Mac OS X 10.6.5. The ultimate solution is to be able to update Mac OS X on a PGP-protected drive without overwriting the PGP portion of the boot.efi. PGP has promised to offer something of this sort “as soon as a solution has been identified.”

Updated 10:30AM 11/12/10 to include additional steps per PGP's updated KnowledgeBase note.
