Encrypt recovery data

Applies to: Configuration Manager (current branch)

When you create a BitLocker management policy, Configuration Manager deploys the recovery service to a management point. On the Client Management page of the BitLocker management policy, when you Configure BitLocker Management Services, the client backs up key recovery information to the site database. This information includes BitLocker recovery keys, recovery packages, and TPM password hashes. When users are locked out of their protected device, you can use this information to help them recover access to the device.

Given the sensitive nature of this information, you need to protect it in the following circumstances:

  • Configuration Manager requires an HTTPS connection between the client and the recovery service to encrypt the data in transit across the network. There are two options:

    • HTTPS-enable the IIS website on the management point that hosts the recovery service, not the entire management point role. This option only applies to Configuration Manager version 2002.

    • Configure the management point for HTTPS. On the properties of the management point, the Client connections setting must be HTTPS. This option applies to Configuration Manager versions 1910 or 2002.

      Note

      The recovery service currently doesn't support Enhanced HTTP.

  • Consider also encrypting this data when stored in the site database. If you install a SQL certificate, Configuration Manager encrypts your data in SQL.

    If you don't want to create a BitLocker management encryption certificate, opt in to plain-text storage of the recovery data. When you create a BitLocker management policy, enable the option to Allow recovery information to be stored in plain text.

    Note

    Another layer of security is to encrypt the entire site database. If you enable encryption on the database, there aren't any functional issues in Configuration Manager.

    Encrypt with caution, especially in large-scale environments. Depending upon the tables you encrypt and the version of SQL, you may notice up to a 25% performance degradation. Update your backup and recovery plans, so that you can successfully recover the encrypted data.

Certificate requirements

HTTPS server authentication certificate

In Configuration Manager current branch version 1910, to integrate the BitLocker recovery service you had to HTTPS-enable a management point. The HTTPS connection is necessary to encrypt the recovery keys across the network from the Configuration Manager client to the management point. Configuring the management point and all clients for HTTPS can be challenging for many customers.

Starting in version 2002, the HTTPS requirement is for the IIS website that hosts the recovery service, not the entire management point role. This change relaxes the certificate requirements, and still encrypts the recovery keys in transit.

Now the Client connections property of the management point can be HTTP or HTTPS. If the management point is configured for HTTP, to support the BitLocker recovery service:

  1. Acquire a server authentication certificate. Bind the certificate to the IIS website on the management point that hosts the BitLocker recovery service.

  2. Configure clients to trust the server authentication certificate. There are two methods to accomplish this trust:

    • Use a certificate from a public and globally trusted certificate provider. For example, but not limited to, DigiCert, Thawte, or VeriSign. Windows clients include trusted root certificate authorities (CAs) from these providers. By using a server authentication certificate that's issued by one of these providers, your clients should automatically trust it.

    • Use a certificate issued by a CA from your organization's public key infrastructure (PKI). Most PKI implementations add the trusted root CAs to Windows clients. For example, using Active Directory Certificate Services with group policy. If you issue the server authentication certificate from a CA that your clients don't automatically trust, add the CA trusted root certificate to clients.
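The two steps above (bind a server authentication certificate to the IIS website, then make sure the certificate is one clients can trust) as an added PowerShell example; this is not code from the Configuration Manager documentation. It assumes it runs elevated on the management point with the IIS WebAdministration module present, that the recovery service lives on 'Default Web Site', and uses a placeholder thumbprint.

```powershell
# Added example (not from the Configuration Manager docs): bind an existing server
# authentication certificate to the IIS website that hosts the BitLocker recovery
# service on an HTTP management point, then verify the resulting HTTPS binding.
# Assumptions: run elevated on the management point; WebAdministration (IIS) is
# installed; $SiteName and $Thumbprint are placeholders you must change.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'              # assumption: the MP's IIS website
$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'  # placeholder
$Port       = 443

# Locate the certificate in the machine store and check it is usable for TLS:
# it needs a private key and the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; an HTTPS binding needs one' }
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku -and ($eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.1')) {
    throw 'Certificate lacks the Server Authentication EKU'
}

# Add an HTTPS binding to the site if one is not already present.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*'
}

# Associate the certificate with the binding through the IIS:\SslBindings provider.
$sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
if (-not (Test-Path $sslPath)) {
    $cert | New-Item -Path $sslPath | Out-Null
}

# Verify: the site now exposes an https binding that uses this certificate.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port
$bound   = Get-Item -Path $sslPath
[pscustomobject]@{
    Site       = $SiteName
    Binding    = $binding.bindingInformation
    Thumbprint = $bound.Thumbprint
    Matches    = ($bound.Thumbprint -eq $cert.Thumbprint)
}
```

Client trust (step 2) is not changed by this script: if the certificate was issued by your own PKI, the issuing CA's root still has to be distributed to clients, for example through group policy.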

Tip

The only clients that need to communicate with the recovery service are those clients that you plan to target with a BitLocker management policy that includes a Client Management rule.

On the client, use the BitLockerManagementHandler.log to troubleshoot this connection. For connectivity to the recovery service, the log shows the URL that the client is using. Locate an entry that starts with Checking for Recovery Service at.

Note

If your site has more than one management point, enable HTTPS on all management points at the site with which a BitLocker-managed client could potentially communicate. If the HTTPS management point is unavailable, the client could fail over to an HTTP management point, and then fail to escrow its recovery key.

This recommendation applies to both options: enable the management point for HTTPS, or enable the IIS website that hosts the recovery service on the management point.
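The log check described in the tip and the fail-over risk described in the note, as an added PowerShell example that is not part of the Configuration Manager documentation. It parses the "Checking for Recovery Service at" entries and flags any recovery service URL that is not https://; the log path is an assumption (the usual CCM client log folder), and the sample lines are constructed in CMTrace format with placeholder host names and paths.

```powershell
# Added example (not from the Configuration Manager docs): read the recovery
# service URLs a client logged in BitLockerManagementHandler.log and report any
# that use http://, which is what a fail-over to an HTTP-only management point
# would look like. $LogPath is an assumption; $Sample lines are constructed.
function Get-RecoveryServiceCheck {
    param([Parameter(Mandatory)][string[]]$Lines)
    $pattern = 'Checking for Recovery Service at\s+(?<url>\S+?)\]LOG\]'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $url  = $Matches['url']
            $time = if ($line -match 'time="(?<t>[^"]+)"') { $Matches['t'] } else { 'unknown' }
            $uri  = [uri]$url
            [pscustomobject]@{
                Time      = $time
                Host      = $uri.Host
                UsesHttps = ($uri.Scheme -eq 'https')
                Url       = $uri.AbsoluteUri
            }
        }
    }
}

# Constructed sample log lines (CMTrace format); host names and paths are placeholders.
$Sample = @(
    '<![LOG[Checking for Recovery Service at https://mp01.example.com/recovery-service-placeholder]LOG]!><time="09:41:12.001+000" date="03-02-2021" component="BitLockerManagementHandler" context="" type="1" thread="5120" file="">',
    '<![LOG[Checking for Recovery Service at http://mp02.example.com/recovery-service-placeholder]LOG]!><time="09:58:40.377+000" date="03-02-2021" component="BitLockerManagementHandler" context="" type="1" thread="5120" file="">'
)

$LogPath = 'C:\Windows\CCM\Logs\BitLockerManagementHandler.log'   # assumption: default client log folder
$Lines   = if (Test-Path $LogPath) { Get-Content -Path $LogPath } else { $Sample }

$checks = Get-RecoveryServiceCheck -Lines $Lines
$checks | Format-Table Time, Host, UsesHttps, Url -AutoSize

# An http:// hit means the client would send recovery keys in clear text to that
# management point, so that MP (or its recovery service website) needs HTTPS.
$insecure = $checks | Where-Object { -not $_.UsesHttps }
if ($insecure) {
    $hosts = ($insecure.Host | Select-Object -Unique) -join ', '
    Write-Warning "Recovery service reached over HTTP on: $hosts"
}
```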

SQL encryption certificate

Use this SQL certificate for Configuration Manager to encrypt BitLocker recovery data in the site database. You can use your own process to create and deploy the BitLocker management encryption certificate, as long as it meets the following requirements:

  • The name of the BitLocker management encryption certificate must be BitLockerManagement_CERT.

  • Encrypt this certificate with a database master key.

  • The following SQL users need Control permissions on the certificate:

    • RecoveryAndHardwareCore
    • RecoveryAndHardwareRead
    • RecoveryAndHardwareWrite

  • Deploy the same certificate at every site database in your hierarchy.

  • Create the certificate with the latest version of SQL Server in your environment. For example:

    • Certificates created with SQL Server 2016 or later are compatible with SQL Server 2014 or earlier.
    • Certificates created with SQL Server 2014 or earlier aren't compatible with SQL Server 2016 or later.

Example scripts

These SQL scripts are examples to create and deploy a BitLocker management encryption certificate in the Configuration Manager site database.

Create certificate

This sample script does the following actions:

  • Creates a certificate
  • Sets the permissions
  • Creates a database master key

Before you use this script in a production environment, change the following values:

  • Site database name (CM_ABC)
  • Password to create the master key (MyMasterKeyPassword)
  • Certificate expiry date (20391022)

USE CM_ABC
-- The database master key protects the certificate's private key; create it only once.
IF NOT EXISTS (SELECT name FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
BEGIN
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MyMasterKeyPassword'
END

-- Create the certificate under the required name, owned by RecoveryAndHardwareCore,
-- and grant CONTROL to the other two recovery service users.
IF NOT EXISTS (SELECT name from sys.certificates WHERE name = 'BitLockerManagement_CERT')
BEGIN
    CREATE CERTIFICATE BitLockerManagement_CERT AUTHORIZATION RecoveryAndHardwareCore
    WITH SUBJECT = 'BitLocker Management',
    EXPIRY_DATE = '20391022'

    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareRead
    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareWrite
END

Back up certificate

This sample script backs up a certificate. When you save the certificate to a file, you can then restore it to other site databases in the hierarchy.

Before you use this script in a production environment, change the following values:

  • Site database name (CM_ABC)
  • File path and name (C:\BitLockerManagement_CERT_KEY)
  • Export key password (MyExportKeyPassword)

USE CM_ABC
-- Export the certificate and its private key; the key file is encrypted with the export password.
BACKUP CERTIFICATE BitLockerManagement_CERT TO FILE = 'C:\BitLockerManagement_CERT'
    WITH PRIVATE KEY ( FILE = 'C:\BitLockerManagement_CERT_KEY',
        ENCRYPTION BY PASSWORD = 'MyExportKeyPassword')

Important

Store the exported certificate file and associated password in a secure location.

Restore certificate

This sample script restores a certificate from a file. Use this process to deploy a certificate that you created on another site database.

Before you use this script in a production environment, change the following values:

  • Site database name (CM_ABC)
  • Master key password (MyMasterKeyPassword)
  • File path and name (C:\BitLockerManagement_CERT_KEY)
  • Export key password (MyExportKeyPassword)

USE CM_ABC
-- The target database needs its own master key before the imported private key can be protected.
IF NOT EXISTS (SELECT name FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
BEGIN
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MyMasterKeyPassword'
END

-- Import the certificate and private key exported by the backup script, then grant
-- CONTROL to the recovery service users exactly as in the create script.
IF NOT EXISTS (SELECT name from sys.certificates WHERE name = 'BitLockerManagement_CERT')
BEGIN
    CREATE CERTIFICATE BitLockerManagement_CERT AUTHORIZATION RecoveryAndHardwareCore
    FROM FILE = 'C:\BitLockerManagement_CERT'
    WITH PRIVATE KEY ( FILE = 'C:\BitLockerManagement_CERT_KEY',
        DECRYPTION BY PASSWORD = 'MyExportKeyPassword')

    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareRead
    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareWrite
END

Verify certificate

Use this SQL script to verify that SQL successfully created the certificate with the required permissions.

USE CM_ABC
-- Count the distinct recovery service users that hold (or granted) CONTROL on the certificate.
declare @count int
select @count = count(distinct u.name) from sys.database_principals u
join sys.database_permissions p on p.grantee_principal_id = u.principal_id or p.grantor_principal_id = u.principal_id
join sys.certificates c on c.certificate_id = p.major_id
where u.name in('RecoveryAndHardwareCore', 'RecoveryAndHardwareRead', 'RecoveryAndHardwareWrite') and
c.name = 'BitLockerManagement_CERT' and p.permission_name like 'CONTROL'
-- All three users must be present for the recovery service to work.
if(@count >= 3) select 1
else select 0

If the certificate is valid, the script returns a value of 1.

See also

For more information on these SQL commands, see the following articles: