A while ago, I successfully removed the drive encryption (HP-Protect Tools) from the main disk of my notebook (2 partitions) by using a BartPE Safeboot Wintech CD and forced decryption.
The second partition on the second drive got encrypted as well; at least there is a "SAFEBOOT" string in the beginning of the second sector of the second disk and the data on that partition is not accessible (and it looks like having high entropy). So I presume it was encrypted using the same encryption key as the first disk.
Since getting at the data on that disk wasn't that essential so far and the method I used took about a week for the first drive (only about 512 KB/s decryption speed), I postponed encryption for that drive.
Yesterday, I started a decryption attempt after discovering that Virtual Box can access disks directly. So I created a drive configuration for Virtual Box that enables it to access the encrypted drive directly from the guest VM, booted the BartPE Safeboot Wintech ISO in a guest VM and started to decrypt the drive.
Using the same key as for the first drive did not work (the data still "looks" encrypted), and now I am a bit puzzled.
Here is some additional background:
The partitions of my primary disk (containing the system partition) were encrypted again using the HP-Protect Tools. Since I noticed that I can read plain raw data from these disks using a disk editor (in Windows), I guess the disk's raw data must be decrypted (safeboot driver) before it is passed to the disk editor. I wonder whether this driver now interferes with the decryption process in the VM.
The data from the second disk (that I am trying to decrypt in the VM) may still be piped through the safeboot driver which maybe also "decrypts" that data (possibly even with the wrong key). Note that there are some remains of safeboot (encryption states?) in some of the second disk's sectors.
Another fact I noticed is that a "normal" (i.e. unforced) decryption does not alter the data at all, i.e. it looks like the system thinks they are already decrypted. Encryption (and consecutive decryption), however, does alter the data.
So now I wonder whether the VM based decryption could work at all in case of an already re-encrypted host system (as described).
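The two observations in the post (a "SAFEBOOT" string in the second sector, and data that looks high-entropy) can be checked on a read-only image of the disk rather than by eye. The following is an added example, not part of the original post and not code from any vendor tool; the 512-byte sector size, the 7.5 bits/byte threshold and the names `triage` and `build_sample` are assumptions, and the sample image is constructed.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512          # assumed sector size
MARKER = b"SAFEBOOT"  # string the post reports in the second sector

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(image: bytes, chunk_sectors: int = 64, threshold: float = 7.5) -> dict:
    """Locate the marker in sector 1, then score entropy per chunk from sector 2 on.

    High entropy is consistent with encryption but also with compressed data,
    so the per-chunk flag is a hint, not proof.
    """
    marker_offset = image[SECTOR:2 * SECTOR].find(MARKER)  # -1 if absent
    chunk = chunk_sectors * SECTOR
    chunks = []
    for off in range(2 * SECTOR, len(image), chunk):
        h = shannon_entropy(image[off:off + chunk])
        chunks.append((off // SECTOR, round(h, 2), h >= threshold))
    return {"marker_offset": marker_offset, "chunks": chunks}

def build_sample() -> bytes:
    """Constructed image: empty sector 0, marker sector, random-looking chunk, text chunk."""
    sector0 = bytes(SECTOR)
    sector1 = MARKER + bytes(SECTOR - len(MARKER))
    # 1024 SHA-256 digests = 32768 bytes, standing in for ciphertext
    noisy = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(1024))
    plain = (b"hello world\n" * 3000)[:64 * SECTOR]
    return sector0 + sector1 + noisy + plain

if __name__ == "__main__":
    report = triage(build_sample())
    print("marker offset in sector 1:", report["marker_offset"])
    for first_sector, bits, looks_random in report["chunks"]:
        print(f"sector {first_sector:>6}: {bits:.2f} bits/byte  high-entropy={looks_random}")
```

Running the same scan on an image taken before and after a decryption pass shows which sector ranges actually changed state, which is the question the post raises about the VM-based attempt.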