Why must a machine be decrypted from PGP before it can be reimaged? Or have I been misinformed?

I don't see the point of decrypting it first either.
Encrypted data is, for all intends and purposes, just random noise.
(If it isn't you're not doing it right...)

Provided the re-image is done with a full-disk image, which includes the bootloader/bootsector and sets the end of the last partition properly to the end of the disk if the disk happens to be larger than the image itself there is really no difference between doing a re-image with or without decrypting first.

In fact: If you decrypt first and then re-image with an image that DOESN'T cover the entire disk you will actually expose old data !
So decrypting is a security risk in that case.

Whoever came up with that policy to decrypt first must be shot, drawn and quartered IMHO.
It is a useless waste of time and effort. And a possible security risk.

Tonny

Posted 2013-05-01T21:28:52.600

Reputation: 19 919

I think it has something to do with the bootloader. Could you elaborate on why this would be a problem and why it may not be included in an image (i.e. it's some how hard to backup)? – Celeritas – 2013-05-01T23:05:00.777

Oh geez! That is a horrible policy. "you will actually expose old data !" Is 100% right! – Austin T French – 2013-05-01T23:51:42.367

1@Celeritas If the image doesn't include a fresh bootloader it might be a problem. It's not hard to include the bootloader in the image (its a standard feature of imaging tools), but if the image wasn't designed to include the loader you can't add it to the image afterwards. So if you can't re-create the image (with loader included), you will have to use FDISK /MBR to set a fresh empty one, before restoring the image... Decrypting is still non-sense. – Tonny – 2013-05-02T08:24:59.463

Why must a machine be decrypted from PGP before it can be reimaged? Or have I been misinformed?

Answers