Encrypt recovery data

Applies to: Configuration Manager (current branch)

When you create a BitLocker management policy, Configuration Manager deploys the recovery service to a management point. On the Client Management page of the BitLocker management policy, when you Configure BitLocker Management Services, the client backs up key recovery information to the site database. This information includes BitLocker recovery keys, recovery packages, and TPM password hashes. When users are locked out of their protected device, you can use this information to help them recover access to the device.

Given the sensitive nature of this information, you need to protect it in the following circumstances:

  • Configuration Manager requires an HTTPS connection between the client and the recovery service to encrypt the data in transit across the network. There are two options:

    • HTTPS-enable the IIS website on the management point that hosts the recovery service, not the entire management point role. This option only applies to Configuration Manager version 2002.

    • Configure the management point for HTTPS. On the properties of the management point, the Client connections setting must be HTTPS. This option applies to Configuration Manager versions 1910 or 2002.

      Note

      The recovery service doesn't currently support Enhanced HTTP.

  • Consider also encrypting this data when stored in the site database. If you install a SQL certificate, Configuration Manager encrypts your data in SQL.

    If you don't want to create a BitLocker management encryption certificate, opt in to plain-text storage of the recovery data. When you create a BitLocker management policy, enable the option to Allow recovery information to be stored in plain text.

    Note

    Another layer of security is to encrypt the entire site database. If you enable encryption on the database, there aren't any functional issues in Configuration Manager.

    Encrypt with caution, especially in large-scale environments. Depending upon the tables you encrypt and the version of SQL, you may notice up to a 25% performance degradation. Update your backup and recovery plans, so that you can successfully recover the encrypted data.

Certificate requirements

HTTPS server authentication certificate

In Configuration Manager current branch version 1910, to integrate the BitLocker recovery service you had to HTTPS-enable a management point. The HTTPS connection is necessary to encrypt the recovery keys across the network from the Configuration Manager client to the management point. Configuring the management point and all clients for HTTPS can be challenging for many customers.

Starting in version 2002, the HTTPS requirement is for the IIS website that hosts the recovery service, not the entire management point role. This change relaxes the certificate requirements, and still encrypts the recovery keys in transit.

Now the Client connections property of the management point can be HTTP or HTTPS. If the management point is configured for HTTP, to support the BitLocker recovery service:

  1. Acquire a server authentication certificate. Bind the certificate to the IIS website on the management point that hosts the BitLocker recovery service.

  2. Configure clients to trust the server authentication certificate. There are two methods to accomplish this trust:

    • Use a certificate from a public and globally trusted certificate provider. For example, but not limited to, DigiCert, Thawte, or VeriSign. Windows clients include trusted root certificate authorities (CAs) from these providers. By using a server authentication certificate that's issued by one of these providers, your clients should automatically trust it.

    • Use a certificate issued by a CA from your organization's public key infrastructure (PKI). Most PKI implementations add the trusted root CAs to Windows clients. For example, using Active Directory Certificate Services with group policy. If you issue the server authentication certificate from a CA that your clients don't automatically trust, add the CA trusted root certificate to clients.

Tip

The only clients that need to communicate with the recovery service are those clients that you plan to target with a BitLocker management policy that includes a Client Management rule.

On the client, use the BitLockerManagementHandler.log to troubleshoot this connection. For connectivity to the recovery service, the log shows the URL that the client is using. Locate an entry that starts with Checking for Recovery Service at.

Note

If your site has more than one management point, enable HTTPS on all management points at the site with which a BitLocker-managed client could potentially communicate. If the HTTPS management point is unavailable, the client could fail over to an HTTP management point, and then fail to escrow its recovery key.

This recommendation applies to both options: enable the management point for HTTPS, or enable HTTPS on the IIS website that hosts the recovery service on the management point.
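The troubleshooting tip and the note above describe a check an administrator can script: read the URL the client reports in BitLockerManagementHandler.log, make sure it is an HTTPS URL (a plain-HTTP URL means the client has failed over to a management point where the key would cross the network unencrypted), and confirm that the client actually trusts the server authentication certificate presented at that endpoint. The following PowerShell is an added example, not code from the Configuration Manager documentation or product. The log lines are constructed in CMTrace format, and the host names and URL path in them are hypothetical; real entries differ.

```powershell
# Added example (not from the Configuration Manager documentation). Reads the recovery service URL
# from BitLockerManagementHandler.log entries and checks that the endpoint is HTTPS with a
# certificate this machine trusts. Log lines below are constructed; hosts and paths are hypothetical.

# Constructed sample entries. On a real client read the log instead:
#   $SampleLog = Get-Content "$env:SystemRoot\CCM\Logs\BitLockerManagementHandler.log"
$SampleLog = @(
    '<![LOG[Checking for Recovery Service at https://mp01.contoso.com/SMS_MP_BitLocker/recovery]LOG]!><time="10:15:22.123+000" date="03-01-2020" component="BitLockerManagementHandler" context="" type="1" thread="4120" file="handler.cpp:101">'
    '<![LOG[Checking for Recovery Service at http://mp02.contoso.com/SMS_MP_BitLocker/recovery]LOG]!><time="10:16:01.455+000" date="03-01-2020" component="BitLockerManagementHandler" context="" type="2" thread="4120" file="handler.cpp:101">'
    '<![LOG[Unrelated handler entry]LOG]!><time="10:16:02.000+000" date="03-01-2020" component="BitLockerManagementHandler" context="" type="1" thread="4120" file="handler.cpp:200">'
)

# Extract every recovery service URL the client tried, flagging whether the scheme is HTTPS.
function Get-RecoveryServiceUrl {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '<!\[LOG\[Checking for Recovery Service at (?<url>\S+)\]LOG\]!>') {
            [pscustomobject]@{
                Url   = $Matches['url']
                Https = ([uri]$Matches['url']).Scheme -eq 'https'
            }
        }
    }
}

# Complete a TLS handshake with default certificate validation. AuthenticateAsClient throws when the
# chain is untrusted, the certificate is expired, or the name doesn't match, which is exactly what a
# client that lacks the root CA would run into. Errors are reported, not swallowed.
function Test-RecoveryServiceTls {
    param([string]$HostName, [int]$Port = 443)
    $result = [ordered]@{ Host = $HostName; Trusted = $false; Subject = $null; Issuer = $null; NotAfter = $null; Error = $null }
    $client = $null
    $ssl = $null
    try {
        $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $result.Trusted  = $true
        $result.Subject  = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter
    }
    catch {
        $result.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Dispose() }
    }
    [pscustomobject]$result
}

# Audit: a plain-HTTP URL means the recovery key would be escrowed over an unencrypted connection.
$urls = Get-RecoveryServiceUrl -Lines $SampleLog
foreach ($entry in $urls) {
    if (-not $entry.Https) {
        Write-Warning "Recovery service reached over plain HTTP: $($entry.Url)"
        continue
    }
    # Network call: only meaningful when run on a managed client that can reach the management point.
    Test-RecoveryServiceTls -HostName ([uri]$entry.Url).Host -Port ([uri]$entry.Url).Port
}
```

Run it on a client targeted by the policy, in the same user context the client agent uses, because trust is evaluated against that machine's certificate store. A handshake error naming an untrusted root or an expired certificate is the client-side symptom of the trust requirements in step 2 above; a Write-Warning for an HTTP URL is the symptom of the failover described in the note.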

SQL encryption certificate

Configuration Manager uses this SQL certificate to encrypt BitLocker recovery data in the site database. You can use your own process to create and deploy the BitLocker management encryption certificate, as long as it meets the following requirements:

  • The name of the BitLocker management encryption certificate must be BitLockerManagement_CERT.

  • Encrypt this certificate's private key with the database master key.

  • The following SQL users need Control permissions on the certificate:

    • RecoveryAndHardwareCore
    • RecoveryAndHardwareRead
    • RecoveryAndHardwareWrite
  • Deploy the same certificate at every site database in your hierarchy.

  • Create the certificate with the latest version of SQL Server in your environment. For example:

    • Certificates created with SQL Server 2016 or later are compatible with SQL Server 2014 or earlier.
    • Certificates created with SQL Server 2014 or earlier aren't compatible with SQL Server 2016 or later.

Example scripts

These SQL scripts are examples to create and deploy a BitLocker management encryption certificate in the Configuration Manager site database.

Create certificate

This sample script does the following actions:

  • Creates a database master key, if the database doesn't already have one
  • Creates the certificate
  • Sets the permissions

Before you use this script in a production environment, change the following values:

  • Site database name (CM_ABC)
  • Password to create the master key (MyMasterKeyPassword)
  • Certificate expiry date (20391022)
USE CM_ABC
-- The database master key protects the certificate's private key; create it only if it doesn't exist yet
IF NOT EXISTS (SELECT name FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
BEGIN
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MyMasterKeyPassword'
END

-- Create the certificate owned by RecoveryAndHardwareCore; as owner it holds CONTROL implicitly
IF NOT EXISTS (SELECT name FROM sys.certificates WHERE name = 'BitLockerManagement_CERT')
BEGIN
    CREATE CERTIFICATE BitLockerManagement_CERT AUTHORIZATION RecoveryAndHardwareCore
    WITH SUBJECT = 'BitLocker Management',
    EXPIRY_DATE = '20391022'

    -- The read and write roles need an explicit CONTROL grant on the certificate
    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareRead
    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareWrite
END

Back up certificate

This sample script backs up a certificate. When you save the certificate to a file, you can then restore it to other site databases in the hierarchy.

Before you use this script in a production environment, change the following values:

  • Site database name (CM_ABC)
  • File paths and names for the certificate and its private key (C:\BitLockerManagement_CERT and C:\BitLockerManagement_CERT_KEY)
  • Export key password (MyExportKeyPassword)
USE CM_ABC
-- Writes the public certificate to one file and the private key, encrypted with the export password, to another
BACKUP CERTIFICATE BitLockerManagement_CERT TO FILE = 'C:\BitLockerManagement_CERT'
    WITH PRIVATE KEY ( FILE = 'C:\BitLockerManagement_CERT_KEY',
        ENCRYPTION BY PASSWORD = 'MyExportKeyPassword')

Important

Store the exported certificate file and associated password in a secure location. Anyone who obtains the exported private key file together with its password holds the key that protects the recovery data in the site database.

Restore certificate

This sample script restores a certificate from a file. Use this process to deploy a certificate that you created on another site database.

Before you use this script in a production environment, change the following values:

  • Site database name (CM_ABC)
  • Master key password (MyMasterKeyPassword)
  • File paths and names for the certificate and its private key (C:\BitLockerManagement_CERT and C:\BitLockerManagement_CERT_KEY)
  • Export key password (MyExportKeyPassword)
USE CM_ABC
-- Each site database needs its own master key; the restored private key is re-protected with it
IF NOT EXISTS (SELECT name FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
BEGIN
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MyMasterKeyPassword'
END

IF NOT EXISTS (SELECT name FROM sys.certificates WHERE name = 'BitLockerManagement_CERT')
BEGIN

    -- Import the certificate and private key exported by the backup script; same owner as on the source database
    CREATE CERTIFICATE BitLockerManagement_CERT AUTHORIZATION RecoveryAndHardwareCore
    FROM FILE  = 'C:\BitLockerManagement_CERT'
        WITH PRIVATE KEY ( FILE = 'C:\BitLockerManagement_CERT_KEY',
            DECRYPTION BY PASSWORD = 'MyExportKeyPassword')

    -- Permissions aren't part of the backup file, so grant them again on this database
    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareRead
    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareWrite
END

Verify certificate

Use this SQL script to verify that SQL successfully created the certificate with the required permissions.

USE CM_ABC
-- Counts the distinct principals among the three roles that hold CONTROL on the certificate.
-- Grantees cover RecoveryAndHardwareRead and RecoveryAndHardwareWrite; the grantor side covers
-- RecoveryAndHardwareCore, which as the certificate owner holds CONTROL without an explicit grant.
declare @count int
select @count = count(distinct u.name) from sys.database_principals u
join sys.database_permissions p on p.grantee_principal_id = u.principal_id or p.grantor_principal_id = u.principal_id
join sys.certificates c on c.certificate_id = p.major_id
where u.name in('RecoveryAndHardwareCore', 'RecoveryAndHardwareRead', 'RecoveryAndHardwareWrite') and
c.name = 'BitLockerManagement_CERT' and p.permission_name like 'CONTROL'
if(@count >= 3) select 1
else select 0

If the certificate is valid, the script returns a value of 1; otherwise it returns 0.
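The verify script above checks only the permissions on one database. The requirements list for the SQL encryption certificate also calls for a database master key, a private key protected by that master key, and the same certificate on every site database in the hierarchy. The following PowerShell is an added example, not from the Configuration Manager documentation or product, that checks all of those across a list of site databases in one run. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) and a login with permission to read the catalog views; the instance and database names in $SiteDatabases are hypothetical placeholders.

```powershell
# Added example (not from the Configuration Manager documentation): verify BitLockerManagement_CERT
# against every site database in the hierarchy. Requires the SqlServer module (Invoke-Sqlcmd).
# Instance and database names are hypothetical placeholders; replace them with your own.

$SiteDatabases = @(
    @{ ServerInstance = 'CAS-SQL01'; Database = 'CM_CAS' }
    @{ ServerInstance = 'PS1-SQL01'; Database = 'CM_PS1' }
)

# One row per (certificate, required principal). HasControl is 1 when the principal owns the
# certificate (implicit CONTROL) or holds an explicit CONTROL grant on it.
$Query = @'
SELECT
    DB_NAME()                              AS DatabaseName,
    CONVERT(varchar(64), c.thumbprint, 2)  AS Thumbprint,
    c.expiry_date                          AS ExpiryDate,
    c.pvt_key_encryption_type_desc         AS KeyProtection,   -- must be ENCRYPTED_BY_MASTER_KEY
    CASE WHEN EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
         THEN 1 ELSE 0 END                 AS HasMasterKey,
    n.PrincipalName,
    CASE WHEN c.principal_id = DATABASE_PRINCIPAL_ID(n.PrincipalName)
           OR p.permission_name IS NOT NULL THEN 1 ELSE 0 END AS HasControl
FROM sys.certificates c
CROSS JOIN (VALUES ('RecoveryAndHardwareCore'), ('RecoveryAndHardwareRead'), ('RecoveryAndHardwareWrite')) AS n(PrincipalName)
LEFT JOIN sys.database_permissions p
       ON p.class_desc = 'CERTIFICATE'
      AND p.major_id = c.certificate_id
      AND p.permission_name = 'CONTROL'
      AND p.state = 'G'
      AND p.grantee_principal_id = DATABASE_PRINCIPAL_ID(n.PrincipalName)
WHERE c.name = 'BitLockerManagement_CERT';
'@

# Evaluate the rows from all databases against the requirements list; returns a list of problems,
# empty when the deployment is correct.
function Test-BitLockerCertificateDeployment {
    param([object[]]$Rows, [int]$DatabaseCount)
    $problems = New-Object System.Collections.Generic.List[string]
    $byDb = @($Rows | Group-Object DatabaseName)
    if ($byDb.Count -ne $DatabaseCount) {
        $problems.Add("certificate BitLockerManagement_CERT is missing in $($DatabaseCount - $byDb.Count) database(s)")
    }
    foreach ($g in $byDb) {
        $first = $g.Group[0]
        if (-not $first.HasMasterKey) { $problems.Add("$($g.Name): no database master key") }
        if ($first.KeyProtection -ne 'ENCRYPTED_BY_MASTER_KEY') {
            $problems.Add("$($g.Name): private key protection is $($first.KeyProtection), not the database master key")
        }
        if ($first.ExpiryDate -lt (Get-Date)) { $problems.Add("$($g.Name): certificate expired $($first.ExpiryDate)") }
        foreach ($row in $g.Group) {
            if (-not $row.HasControl) { $problems.Add("$($g.Name): $($row.PrincipalName) lacks CONTROL on the certificate") }
        }
    }
    # Same certificate everywhere means the same thumbprint in every site database
    $thumbs = @($Rows | Select-Object -ExpandProperty Thumbprint -Unique)
    if ($thumbs.Count -gt 1) { $problems.Add("thumbprints differ across site databases: $($thumbs -join ', ')") }
    return $problems
}

$rows = @(foreach ($db in $SiteDatabases) {
    Invoke-Sqlcmd -ServerInstance $db.ServerInstance -Database $db.Database -Query $Query -ErrorAction Stop
})
$issues = Test-BitLockerCertificateDeployment -Rows $rows -DatabaseCount $SiteDatabases.Count
if ($issues.Count -eq 0) { 'BitLockerManagement_CERT is deployed correctly on all site databases' }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

The thumbprint comparison is what catches the case the single-database verify script can't: a certificate that was created separately on each site database, which satisfies the permission check on every one of them but is not the same certificate, so recovery data encrypted at one site can't be read at another.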

See also

For more information on these SQL commands, see the following articles: