If you would like to read the other parts in this article series please go to
- Using BitLocker to Encrypt Removable Media (Part 1)
- Using BitLocker to Encrypt Removable Media (Part 2)
- Using BitLocker to Encrypt Removable Media (Part 3)
In my previous article, I explained that Windows Server 2008 R2 offers the ability to store BitLocker keys for removable devices within the Active Directory database. Since I have already shown you how to enable the necessary group policy settings that allow BitLocker keys to be stored in the Active Directory, I wanted to conclude the series by showing you how the key recovery process works.
For the sake of this demonstration, let us pretend that one of the big wigs in your organization has placed the only copies of some critically important files onto a BitLocker encrypted flash drive, and that now he has forgotten the drive’s password. What do you do?
The first step in the recovery process is to insert the BitLocker encrypted flash drive into a computer that’s running Windows 7. When you do, the dialog box shown in Figure A appears, and you are asked to enter the password that is used to unlock the drive. Since the password has been forgotten, we must perform a password recovery.
Figure A: Windows prompts you to enter a password to gain access to the encrypted drive
If you look at the figure above, you will notice that it contains a link labeled I Forgot My Password. Clicking on this link takes you to the screen shown in Figure B.
Figure B: Windows provides recovery options that can be used in the event of a forgotten password
As you look at the screen capture above, the thing that really stands out is the option to type a recovery key. Although we will use this option later on, we are not quite ready to use it yet. If you look carefully at the figure above, you will notice a line of text that says: Your Recovery Key Can Be Identified By: 1A8BBF9A. The hexadecimal number that appears at the end of the text string is unique to the flash drive, and can be used to identify the flash drive during the recovery process. You should therefore write down this number, because you are going to need it later on.
Determining the flash drive’s unique identity is only the first step in the recovery process. Now we actually have to retrieve the recovery key from the Active Directory. There is just one minor hurdle standing in our way. Although the recovery key for the flash drive is stored in the Active Directory, we need to have a way of retrieving it. None of the administrative interfaces that are currently installed on our server presently offer this capability.
Installing the BitLocker Recovery Password Viewer
Before you can recover BitLocker recovery keys from the Active Directory, you will have to install a utility called the BitLocker Recovery Password Viewer. Although there is nothing particularly difficult about installing this utility, the option for enabling it is really buried within the Server Manager. I have to confess that even though I knew that the utility existed, I had to look up some instructions on how to enable it because I had so much trouble locating it within the Server Manager.
To install the BitLocker Recovery Password Viewer, open the Server Manager, and select the Features container. Next, click on the Add Features link, which will cause Windows to open the Add Features Wizard. The Add Features Wizard contains a series of checkboxes that are linked to the various features that you can install. There is a BitLocker checkbox on the list, but this is not the option that we need. Instead, scroll down the list of features until you locate the Remote Server Administration Tools option. Expand this option, and then locate a sub option called Feature Administration Tools. Expand the Feature Administration Tools and then select the BitLocker Drive Encryption Administration Utilities check box. Verify that the check boxes beneath this option are also selected, as shown in Figure C, and then click Next.
Figure C: You must enable the BitLocker Drive Encryption Administration Utilities
Now, click the Next button and you will see a screen providing you with a summary of the features that are about to be installed, along with a warning message that a reboot may be required after the installation process completes. Click the Install button, and the necessary binaries will be installed.
When the installation process completes, Windows will display the Installation Results screen, shown in Figure D. As you can see, Windows tells you which components were installed, but does not force a reboot. I am not sure if a reboot is actually required or not, but I will tell you that after I installed the BitLocker Recovery Password Viewer, I spent several hours trying to recover BitLocker keys. It wasn’t until after I got frustrated and rebooted the server that the recovery process actually began to work.
Figure D: Even though Windows Server does not force a reboot, you may have to reboot the server anyway
The Key Recovery Process
Now that you have finished installing the various administrative tools, you can move forward with the key recovery process. It is worth noting that Windows does not provide you with a standalone interface for key recovery. Instead, key recovery is performed through the Active Directory Users and Computers console.
To recover a BitLocker key, open the Active Directory Users and Computers console, and then right click on the listing for your domain. The resulting shortcut menu will contain a Find BitLocker Recovery Password option, as shown in Figure E.
Figure E: Key recovery is performed through the Active Directory Users and Computers console
When you select the BitLocker Recovery Password option, you will be taken to the Find BitLocker Recovery Password dialog box, shown in Figure F. Remember the eight digit hexadecimal number that uniquely identifies the encrypted drive? This is where you enter that number. Upon doing so, click the Search button and the server will retrieve the drive’s recovery password. If you look at the lower portion of the dialog box, you can see that the recovery password is not the password that the user originally used to encrypt the drive, but rather a 48 digit string of numbers.
Figure F: The recovery key is displayed in the lower portion of the dialog box.
Now that you have the recovery key for the drive, go back to the PC in which you inserted the flash drive, and enter the recovery key into the space provided, as shown in Figure G.
Figure G: Enter the BitLocker recovery key in the space provided.
After you enter the recovery key, you should see a screen similar to the one shown in Figure H, telling you that you have been granted temporary access to the drive. In other words, the drive remains encrypted, and the forgotten password is still in effect. If you were to remove and reinsert the drive at this point, you would have to work through the recovery process all over again unless the user happens to remember the password.
Figure H: Entering the recovery key provides temporary access to the encrypted drive
To avoid having to enter the 48 digit recovery key each time the drive is used, click the Manage BitLocker link. Doing so will take you to the dialog box shown in Figure I, which allows you to change the password that is used to gain access to the drive.
Figure I: After you have gained access to an encrypted drive, you should reset the drive’s password
In this article series, I have explained that BitLocker to Go provides you with an easy way to secure data that is stored on removable media. If you plan to use BitLocker to Go though, you should implement Active Directory based key recovery so as to avoid data loss due to forgotten passwords.
If you would like to read the other parts in this article series please go to