BitLocker Full Disk Encryption
Notes and Instructions for Support Personnel

Key Recovery

Access to recovery keys is limited by Active Directory group membership, and special authorization is required to become a member of this group. Membership will be limited to support personnel as needed.

Queries can be done from a Linux system using a Perl script. The script needs a list of hostnames, plus the connection details and an account for the AD server. Here is the perl script.

The VB Script Get-BitLockerRecoveryInfo.vbs can be used from a Windows computer to acquire keys for a host computer. The script accepts two parameters. The first parameter is the hostname of the system. The second parameter is a drive letter referencing a USB memory device.

Download the VB Scripts to your computer desktop. The VB Script should be executed at a command prompt. Select "Start", type "cmd.exe" and press "Enter" to open a command prompt window, then change directory to D:\UserData\Desktop\. We recommend running the script with "cscript" so that all the output is written to the same command window. Type cscript Get-BitLockerRecoveryInfo.vbs [hostname] [drive:] to execute the script. The following example acquires the keys for the host "hostname1".

D:>cscript Get-BitLockerRecoveryInfo.vbs hostname1
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Accessing object: LDAP://CN=BITLOCKER-1,OU=Test Computer Policies,OU=WFU_Testing,DC=deacnet,DC=wfu,DC=edu
Recovering key for 283164E2-014E-4DE4-A81B-EAFC3BCD537C
Recovering key for 1D81B570-5AFA-4CB3-B1FC-0433D1FBAEE8
Recovering key for E9067609-8A5C-4A92-B9C2-64B130F84FEE
Recovering key for E35F2F4B-6330-4302-A7A1-2534099A60A9
Finished

D:>
The VB Script SearchForKey.vbs will search Active Directory for a particular Recovery Key ID. The text B2229EAA-922C-4A1B-8793-CBD7B5A23BA8 is an example of a Recovery Key ID. You would execute the script as: CScript.exe SearchForKey.vbs B222 D: This looks for a Recovery Key ID in Active Directory that begins with B222. If one is found, a file containing the recovery key is written to the D: drive.

D:\UserData\Desktop\bitlocker>cscript SearchForKey.vbs b22 D:
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

search mask: b22
drive mask: D:

Creating recovery file: D:\BitLocker Recovery Key B2229EAA-922C-4A1B-8793-CBD7B5A23BA8.TXT

       BitLocker Guid: B2229EAA-922C-4A1B-8793-CBD7B5A23BA8
    Recovery Password: 709023-900471-874098-098779-987766-762119-87651345-165439

D:\UserData\Desktop\bitlocker>
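The same two lookups (by hostname, and by the first characters of a Recovery Key ID) written with the ActiveDirectory PowerShell module from RSAT, as an added example that is not one of the page's VB scripts. It assumes the caller is a member of the AD group authorized to read msFVE-RecoveryInformation objects, as described above; the function names are our own.

```powershell
# Added example, not one of the page's VB scripts: the same two lookups with the
# ActiveDirectory module (RSAT). Assumes the caller is in the AD group that is
# authorized to read msFVE-RecoveryInformation objects, as described above.
Import-Module ActiveDirectory

# msFVE-RecoveryGuid is stored as an octet string; convert it to the GUID form
# shown on the BitLocker recovery screen.
function ConvertTo-RecoveryKeyId([byte[]]$Bytes) {
    (New-Object -TypeName System.Guid -ArgumentList (,$Bytes)).ToString().ToUpper()
}

# Equivalent of Get-BitLockerRecoveryInfo.vbs: every recovery password escrowed
# for one computer. The recovery objects are children of the computer object.
function Get-BitLockerRecoveryByHost {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope Subtree `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryGuid, msFVE-RecoveryPassword, whenCreated |
      ForEach-Object {
        [pscustomobject]@{
            Computer         = $ComputerName
            RecoveryKeyId    = ConvertTo-RecoveryKeyId $_.'msFVE-RecoveryGuid'
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
            Escrowed         = $_.whenCreated
        }
      }
}

# Equivalent of SearchForKey.vbs: find the object whose Recovery Key ID starts
# with the characters the user reads from the recovery screen. The object's CN
# is "<timestamp>{<Recovery Key ID>}", so the prefix can be matched on Name.
function Find-BitLockerRecoveryByKeyId {
    param([Parameter(Mandatory)][string]$KeyIdPrefix)
    Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -SearchScope Subtree `
        -Filter "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*{$KeyIdPrefix*'" `
        -Properties msFVE-RecoveryGuid, msFVE-RecoveryPassword |
      ForEach-Object {
        [pscustomobject]@{
            # The parent of a recovery object is the computer object it belongs to.
            ComputerDN       = ($_.DistinguishedName -split ',', 2)[1]
            RecoveryKeyId    = ConvertTo-RecoveryKeyId $_.'msFVE-RecoveryGuid'
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
        }
      }
}

# Usage, mirroring the two transcripts above:
# Get-BitLockerRecoveryByHost -ComputerName hostname1
# Find-BitLockerRecoveryByKeyId -KeyIdPrefix B222
```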


Notes and Instructions for Administrators

Key Escrow

Complete the following procedures to specify the recovery methods for each type of drive.
  • Open the group policy editor for the Active Directory domain.

    Escrow Enforcement & Cipher Strength

    1. Under Computer Policy\Computer Configuration\Administrative Templates\Windows Components, click 'BitLocker Drive Encryption'.
    2. To configure default recovery options for BitLocker, in the details pane, double-click 'Store BitLocker recovery information in Active Directory Domain Services' to open the policy setting. If this policy setting is disabled or not configured, BitLocker recovery information will not be backed up to AD DS.
    3. To specify different recovery options, click Enabled, and then configure the following settings as shown:
    4. To configure default cipher strength for BitLocker, in the details pane, double-click 'Choose drive encryption method and cipher strength' to open the policy setting. If this policy setting is disabled or not configured, BitLocker will use the default encryption method of AES 128-bit with Diffuser or the encryption method specified by the setup script.
    5. To specify different cipher strength, click Enabled, and then configure the following settings as shown:

    C: Drive

    1. Under Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click 'Operating System Drives'. Note: this does not include the D: drive.
    2. To configure recovery options for operating system drives, in the details pane, double-click 'Choose how BitLocker-protected operating system drives can be recovered' to open the policy setting. If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the user can choose to create a recovery password or a recovery key when they turn on BitLocker, and recovery information is not backed up to AD DS.
    3. To specify different recovery options, click Enabled, and then configure the following settings as shown:

    D: Drive

    1. Under Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click 'Fixed Data Drives'.
    2. To configure recovery options for fixed data drives, in the details pane, double-click 'Choose how BitLocker-protected fixed drives can be recovered' to open the policy setting. If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the user can choose to create a recovery password or a recovery key when they turn on BitLocker, and recovery information is not backed up to AD DS.
    3. To specify different recovery options, click Enabled, and then configure the following settings as shown:

    Removable Media

    1. Under Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click 'Removable Data Drives'.
    2. To configure recovery options for removable data drives, in the details pane, double-click 'Choose how BitLocker-protected removable data drives can be recovered' to open the policy setting. If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the user can choose to create a recovery password or a recovery key when they turn on BitLocker, and recovery information is not backed up to AD DS.
    3. To specify different recovery options, click Enabled, and then configure the following settings as shown:
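Once the policies above are in place, an administrator will want to confirm on a domain-joined client that they actually arrived and that each volume's recovery password is in AD DS. The following is an added example, not part of this page: it reads the values the BitLocker ADMX template writes under HKLM\SOFTWARE\Policies\Microsoft\FVE (value names taken from the template, not from this page) and uses manage-bde to escrow any numerical password protector.

```powershell
# Added example, not part of the page: check on a domain-joined client that the
# escrow policy configured above arrived, then push recovery passwords to AD DS.
# Registry value names are those written by the BitLocker ADMX template under
# HKLM\SOFTWARE\Policies\Microsoft\FVE (assumed, not from this page);
# a value of 1 means the option is enabled/required.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-BitLockerEscrowPolicy {
    # Per-drive-type prefixes used by the three recovery policies above.
    $drives = [ordered]@{ 'C: (OS)' = 'OS'; 'D: (fixed)' = 'FDV'; 'Removable' = 'RDV' }
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($label in $drives.Keys) {
        $p = $drives[$label]
        [pscustomobject]@{
            Drive              = $label
            RecoveryConfigured = ($policy."${p}Recovery" -eq 1)
            BackupToADDS       = ($policy."${p}ActiveDirectoryBackup" -eq 1)
            RequireADBackup    = ($policy."${p}RequireActiveDirectoryBackup" -eq 1)
        }
    }
    # 'Choose drive encryption method and cipher strength': 1/2 = AES 128/256
    # with Diffuser, 3/4 = AES 128/256 without; empty means not configured.
    Write-Host "EncryptionMethod policy value: $($policy.EncryptionMethod)"
}

# Escrow every numerical (recovery) password protector of a volume. manage-bde
# prints each protector type followed by an "ID: {GUID}" line; the numerical
# password is what the AD DS recovery objects described above hold.
function Backup-RecoveryPasswordsToAD {
    param([Parameter(Mandatory)][string]$Drive)   # e.g. 'C:'
    $lines = @(manage-bde -protectors -get $Drive)
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match 'Numerical Password:' -and
            $lines[$i + 1] -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') {
            manage-bde -protectors -adbackup $Drive -id $Matches[1]
        }
    }
}

# Usage:
# Test-BitLockerEscrowPolicy | Format-Table -AutoSize
# Backup-RecoveryPasswordsToAD -Drive 'C:'
```

Run both as an administrator; manage-bde -adbackup fails with an access error if the computer cannot write to its own msFVE-RecoveryInformation child objects.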