Backing up your BitLocker keys to Active Directory

OK. So I've learned the hard way that BitLocker doesn't automatically back up the recovery keys to Active Directory if you join the domain AFTER you've encrypted your machine, or if you start encryption before the Group Policy has been pushed to your machine.

And backing up keys to SkyDrive doesn't always succeed, even when the wizard tells you it has successfully copied the key data.

So to avoid having to format all the drives of your laptop, like I did, make sure your keys are properly backed up where they're supposed to be. Luckily I had a very recent backup of this machine, and luckily it wasn't my primary workstation at the time.

  • Back up the recovery key to a file
  • Back up the recovery key to SkyDrive
  • Back up the recovery key to Active Directory

To a file

The first one is simple. Open the BitLocker control panel, click "Back up Recovery Key" and save the file to a USB Flash Drive or file (network drive).

SkyDrive

The second may or may not be available depending on your Group Policy. If you want to store the key on SkyDrive (or any other cloud storage, for that matter), just save it to USB or a file and then transfer it to your preferred cloud storage provider. Since the backup of the BitLocker key for my slate failed a couple of times while the UI trumpeted success, I've started manually uploading the recovery keys just in case.

Active Directory

The third is done automatically if you join the domain before you start encryption (and your Group Policy requires it), but there is no UI to back up the recovery key if you (like me) started encryption before joining the domain. And as you will find out the hard way, Windows won't back the recovery key up by itself at some convenient moment later on. It turns out you can coax it to do so manually.

The command-line tool 'manage-bde' comes to your rescue :). To back up your keys, do the following:

  1. Get the key identifiers you want to back up to Active Directory:
C:\Windows\system32>manage-bde -protectors -get c:
BitLocker Drive Encryption: Configuration Tool version 6.2.9200
Copyright (C) 2012 Microsoft Corporation. All rights reserved.
Volume C: [Windows 8]
All Key Protectors
     Numerical Password:
       ID: {78BBB717-4A5C-49EC-B9EE-A7FEE89D7892}
       Password:
         *******************************************
     TPM And PIN:
       ID: {333E5A53-D7A6-4D30-BE85-AF934975D090}
     Data Recovery Agent (Certificate Based):
       ID: {66F5FC90-870E-448C-A65E-B9BAE35656FC}
       Certificate Thumbprint:
         *******************************************
     Data Recovery Agent (Certificate Based):
       ID: {FC53582B-407F-420E-8B4B-F928FEE958A8}
       Certificate Thumbprint:
         *******************************************
  2. Then back up the keys to Active Directory one by one (only the Numerical Password protector is stored in Active Directory, so that is the ID to use):
C:\Windows\system32>manage-bde -protectors -adbackup c: -id {78BBB717-4A5C-49EC-B9EE-A7FEE89D7892}
BitLocker Drive Encryption: Configuration Tool version 6.2.9200
Copyright (C) 2012 Microsoft Corporation. All rights reserved.
Recovery information was successfully backed up to Active Directory.

There's probably an easy way to do this for all keys at once using PowerShell, but since you'll normally only have to do this once per machine, I didn't take the time to figure it all out :).
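For anyone who does want to do it in one go, here is an added example (not from the original post) that uses the BitLocker PowerShell module shipped with Windows 8 / Server 2012 and later to back up every recovery-password protector on every volume, plus a check an administrator can run against Active Directory afterwards. The function names and parameter names are my own choice; the cmdlets and the msFVE-RecoveryInformation object class are the real ones.

```powershell
# Added example, not the post's own code. Run from an elevated PowerShell
# prompt on the domain-joined machine. Function name is a hypothetical choice.
function Backup-AllRecoveryPasswordsToAD {
    [CmdletBinding()]
    param(
        # Default to every volume BitLocker knows about on this machine
        [string[]]$MountPoint = (Get-BitLockerVolume).MountPoint
    )

    # AD backup is only meaningful once the machine is joined; this is exactly
    # the "encrypted first, joined later" situation the post describes.
    if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        throw "This computer is not joined to a domain; there is nowhere to back up to."
    }

    foreach ($mp in $MountPoint) {
        $vol = Get-BitLockerVolume -MountPoint $mp
        # Only the numerical password ("RecoveryPassword") protector is what AD
        # stores; TPM/PIN and Data Recovery Agent protectors are skipped.
        $recovery = $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $recovery) {
            Write-Warning "$mp has no recovery-password protector; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector first."
            continue
        }
        foreach ($kp in $recovery) {
            # Same operation as: manage-bde -protectors -adbackup <mp> -id <KeyProtectorId>
            Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $kp.KeyProtectorId | Out-Null
            Write-Output "Backed up protector $($kp.KeyProtectorId) for $mp to Active Directory."
        }
    }
}

# Verification from an admin workstation with the ActiveDirectory module:
# each backed-up password is a child msFVE-RecoveryInformation object under
# the computer account, named "<backup time>{<recovery password ID>}".
# Function name is a hypothetical choice.
function Get-ADRecoveryPasswordIds {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' |
        ForEach-Object { $_.Name }
}
```

If the ID printed by `manage-bde -protectors -get` does not show up in the output of the second function, the backup did not land in AD, whatever the client reported.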
