Scenario 14: Using a Data Recovery Agent to Recover BitLocker-Protected Drives (Windows 7)
Applies To: Windows 7
This scenario describes how to use a data recovery agent to recover data from a BitLocker-protected drive. Data recovery agents are individuals whose public key infrastructure (PKI) certificates have been used to create a BitLocker key protector, so those individuals can use their credentials to unlock BitLocker-protected drives. Data recovery agents can be used to recover BitLocker-protected operating system drives, fixed data drives, and removable data drives. However, when used to recover operating system drives, the operating system drive must be mounted on another computer as a data drive for the data recovery agent to be able to unlock the drive. Data recovery agents are added to the drive when it is encrypted and can be updated after encryption occurs.
Before you start
To complete the procedures in this scenario:
You must be able to provide administrative credentials.
Your computer must meet BitLocker requirements. For more information, see "Requirements for BitLocker Drive Encryption" in BitLocker Drive Encryption Step-by-Step Guide for Windows 7.
Complete the following procedures in order.
To enable BitLocker to use self-signed certificates
Click Start, type regedit in the Search programs and files box, right-click regedit.exe, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
In Registry Editor, navigate to \HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE.
On the Registry Editor menu, click Edit, point to New, and then click DWORD (32-bit) Value.
Type SelfSignedCertificates, and then press ENTER to create the SelfSignedCertificates key value.
Right-click SelfSignedCertificates, and then click Modify.
In Value data, type 1.
BitLocker can now use self-signed certificates.
To obtain a self-signed certificate to test BitLocker and data recovery agents
Open a text editor such as Notepad, and paste the following information into a new file:
Subject = "CN=BitLockerDRA"
KeyLength = 2048
ProviderName = "Microsoft Smart Card Key Storage Provider"
KeySpec = "AT_KEYEXCHANGE”
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequestType = Cert
SMIME = FALSE
Save the file with the name bldracert.txt.
Insert a smart card into the smart card reader of the computer.
Click Start, type cmd in the Search programs and files box, right-click cmd.exe, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
In the Command Prompt window, navigate to the location where you saved the blcert.txt file, and type certreq –new bldracert.txt to request a new certificate based on the parameters identified in the file. There may be a slight delay while the request is carried out, and you may be prompted to insert your smart card and type your PIN.
When prompted to save the request file, type a file name, and click Save.
You now have a data recovery agent smart card certificate that is appropriate for use with BitLocker.
To export a BitLocker DRA certificate
Click Start, and then type certmgr.msc to open the Certificates snap-in.
In the console tree, expand Personal, and then click Certificates.
Double-click the BitLockerDRA certificate to display the certificate properties sheet.
Click the Details tab, and then click Copy to File to start the Certificate Export Wizard.
On the Welcome to the Certificate Export Wizard page, click Next.
On the Export Private Key page, verify that No, do not export the private key is selected, and then click Next.
On the Export File Format page, verify that DER encoded binary x.509 (.CER) is selected, and then click Next.
On the File to Export page, click Browse to display the Save as dialog box. In File name, type BitLockerDRA. In Save as type, verify that DER Encoded Binary X.509 (.cer) is selected, and then click Save to return to the File to Export page. The File name box on the wizard page should now display the path to the BitLockerDRA.cer file in your document library. Click Next.
On the Completing the Certificate Export Wizard page, verify that the information displayed is correct, and then click Finish.
When the certificate has been exported, the Certificate Export Wizard dialog box will be displayed with the message The export was successful. Click Close to close the dialog and the wizard.
To add a BitLocker data recovery agent and unlock a drive
Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
In the console tree under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Public Key Policies, right-click BitLocker Drive Encryption, and then click Add Data Recovery Agent to start the Add Recovery Agent Wizard.
On the Select Recovery Agents page, click Browse Folder to select the BitLockerDRA.cer file you exported in the previous procedure. If you did not need to export a certificate because you already had deployed a PKI with the necessary certificates, click Browse directory to choose a certificate from Active Directory Domain Services.
If you are prompted to install the certificate, click Yes. You can repeat this process as necessary to add multiple data recovery agents. After all data recovery agent certificates you want to use have been specified, click Next.
On the Completing the Recovery Agent Wizard page, click Finish to add the data recovery agent.
If you have not configured the Group Policy setting to specify the BitLocker identification field, complete Scenario 10: Configuring the BitLocker Identification Field (Windows 7) before continuing with this scenario.
Encrypt a data drive as described in Scenario 2: Turning On BitLocker Drive Encryption on a Fixed or Removable Data Drive (Windows 7). For a data recovery agent to be able to unlock a drive, the BitLocker identification field must be present and match the identification field defined for your organization.
To put the drive into a locked state so that you can test the data recovery agent, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes. Type the following command, replacing Volume with the drive letter of the BitLocker-protected drive you want to lock:
Manage-bde –lock Volume:
Do not close the Command Prompt window.
Now that the drive is locked, you can unlock it by using the data recovery agent. First, you need the certificate thumbprint of the data recovery agent. To find this, at the command prompt, type the following command, replacing Volume with the drive letter of the BitLocker-protected drive you want to unlock:
Manage-bde –protectors –get Volume:
The key protectors identified for the drive are displayed. Find the key protector identified as Data Recovery Agent (Certificate Based), and record the certificate thumbprint.
To unlock the drive, type the following command, replacing CertificateThumbprint with the actual certificate thumbprint of the data recovery agent recorded in the previous step:
Manage-bde –unlock Volume: -cert –ct CertificateThumbprint -PIN
Enter your smart card PIN when prompted. The drive is unlocked.
By completing the procedures in this scenario, you have assigned data recovery agents to BitLocker and used a data recovery agent to unlock a BitLocker-protected drive.