Using a Data Recovery Agent to Recover BitLocker-Protected Drives in Windows 7

Data recovery agents (DRAs) are individuals whose public key infrastructure (PKI) certificates have been used to create a BitLocker key protector, so those individuals can use their credentials (the certificate's private key, typically held on a smart card) to unlock BitLocker-protected drives. Data recovery agents can be used to recover BitLocker-protected operating system drives, fixed data drives, and removable data drives. However, to recover an operating system drive, that drive must be mounted on another computer as a data drive before the data recovery agent can unlock it. Data recovery agents are added to the drive when it is encrypted and can be updated after encryption occurs.

Pre-requisites

To complete the procedures in this scenario:

  • You must be able to provide administrative credentials.
  • Your computer must meet BitLocker requirements.


Complete the following procedures in order.

To enable BitLocker to use self-signed certificates

  1. Click Start, type regedit in the Search programs and files box, right-click regedit.exe, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  2. In Registry Editor, navigate to \HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE.

  3. On the Registry Editor menu, click Edit, point to New, and then click DWORD (32-bit) Value.

  4. Type SelfSignedCertificates, and then press ENTER to create the SelfSignedCertificates registry value.

  5. Right-click SelfSignedCertificates, and then click Modify.

  6. In Value data, type 1, and then click OK.

BitLocker can now use self-signed certificates. This registry value is intended for testing only; in a production deployment, issue data recovery agent certificates from your enterprise certification authority instead of relying on self-signed certificates.

To obtain a self-signed certificate to test BitLocker and data recovery agents

  1. Open a text editor such as Notepad, and paste the following information into a new file:

    [NewRequest]
    Subject = "CN=BitLockerDRA"
    KeyLength = 2048
    ProviderName = "Microsoft Smart Card Key Storage Provider"
    KeySpec = "AT_KEYEXCHANGE"
    KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
    KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
    RequestType = Cert
    SMIME = FALSE

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.4.1.311.67.1.2

  2. Save the file with the name bldracert.txt.

  3. Insert a smart card into the smart card reader of the computer.

  4. Click Start, type cmd in the Search programs and files box, right-click cmd.exe, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  5. In the Command Prompt window, navigate to the folder where you saved bldracert.txt, and type certreq -new bldracert.txt to request a new certificate based on the parameters in the file. There may be a slight delay while the request is carried out, and you may be prompted to insert your smart card and type your PIN.

  6. When prompted to save the request file, type a file name, and click Save.

You now have a data recovery agent smart card certificate that is appropriate for use with BitLocker. The private key was generated on the smart card and never leaves it; only the public certificate is exported in the next procedure.

To export a BitLocker DRA certificate

  1. Click Start, type certmgr.msc in the Search programs and files box, and then press ENTER to open the Certificates snap-in for the current user.

  2. In the console tree, expand Personal, and then click Certificates.

  3. Double-click the BitLockerDRA certificate to display the certificate properties sheet.

  4. Click the Details tab, and then click Copy to File to start the Certificate Export Wizard.

  5. On the Welcome to the Certificate Export Wizard page, click Next.

  6. On the Export Private Key page, verify that No, do not export the private key is selected, and then click Next.

  7. On the Export File Format page, verify that DER encoded binary X.509 (.CER) is selected, and then click Next.

  8. On the File to Export page, click Browse to display the Save as dialog box. In File name, type BitLockerDRA. In Save as type, verify that DER Encoded Binary X.509 (.cer) is selected, and then click Save to return to the File to Export page. The File name box on the wizard page should now display the path to the BitLockerDRA.cer file in your document library. Click Next.

  9. On the Completing the Certificate Export Wizard page, verify that the information displayed is correct, and then click Finish.

  10. When the certificate has been exported, the Certificate Export Wizard dialog box will be displayed with the message The export was successful. Click Close to close the dialog and the wizard.
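The three preparatory procedures above (enabling self-signed certificates in the registry, requesting the smart card certificate with certreq, and exporting the public certificate) can be scripted and, more usefully, verified before the certificate is handed to the Group Policy wizard. The following Windows PowerShell script is an added example written for this page, not code from the original Microsoft guide: it reuses the file name, subject and EKU OID from the guide, while the variable names, the certificate checks and the choice of output paths are my own assumptions. Run it from an elevated Windows PowerShell prompt on the Windows 7 computer with the smart card inserted.

```powershell
# Added example (not part of the original guide). Enables self-signed DRA
# certificates, requests a self-signed DRA certificate on the smart card via
# certreq, checks that it carries the BitLocker DRA EKU and Key Encipherment,
# and exports the public certificate as DER for the Add Recovery Agent wizard.
# Assumptions: output paths under Documents and helper names are mine.

$ErrorActionPreference = 'Stop'
$DraSubject = 'CN=BitLockerDRA'
$DraEku     = '1.3.6.1.4.1.311.67.1.2'   # BitLocker DRA enhanced key usage (from the guide)
$InfPath    = Join-Path $env:USERPROFILE 'Documents\bldracert.inf'
$OutPath    = Join-Path $env:USERPROFILE 'Documents\bldracert.out'
$CerPath    = Join-Path $env:USERPROFILE 'Documents\BitLockerDRA.cer'

# 1. Policy value that lets BitLocker accept self-signed DRA certificates (testing only).
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
New-ItemProperty -Path $FvePolicy -Name SelfSignedCertificates -PropertyType DWord -Value 1 -Force | Out-Null
$v = (Get-ItemProperty -Path $FvePolicy -Name SelfSignedCertificates).SelfSignedCertificates
if ($v -ne 1) { throw "SelfSignedCertificates is $v, expected 1" }

# 2. certreq input file, identical in content to the one in the guide.
@"
[NewRequest]
Subject = "$DraSubject"
KeyLength = 2048
ProviderName = "Microsoft Smart Card Key Storage Provider"
KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequestType = Cert
SMIME = FALSE

[EnhancedKeyUsageExtension]
OID=$DraEku
"@ | Set-Content -Path $InfPath -Encoding ASCII

# RequestType = Cert makes certreq create a self-signed certificate in the current
# user's Personal store; expect a smart card PIN prompt. Naming the output file
# on the command line avoids the Save dialog of step 6 in the guide.
& certreq.exe -new $InfPath $OutPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 3. Locate the newest certificate with that subject and check it is DRA-capable
#    before exporting it; a certificate without the EKU is silently useless to BitLocker.
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $DraSubject } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject $DraSubject in CurrentUser\My" }

$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ku  = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$hasEku = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $DraEku })
$hasKu  = $ku  -and ($ku.KeyUsages.ToString() -match '\bKeyEncipherment\b')
if (-not $hasEku) { throw 'Certificate lacks the BitLocker DRA enhanced key usage' }
if (-not $hasKu)  { throw 'Certificate lacks the Key Encipherment key usage' }

# 4. Export the public certificate only (DER, no private key), exactly what the
#    Certificate Export Wizard produces. The private key stays on the smart card.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($CerPath, $der)
Write-Host ("Exported {0}  thumbprint {1}" -f $CerPath, $cert.Thumbprint)
```

The thumbprint printed at the end is the value that later appears as the Data Recovery Agent (Certificate Based) protector on every drive encrypted after the agent is added, so record it alongside the exported .cer file.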

To add a BitLocker data recovery agent and unlock a drive

  1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. In the console tree under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Public Key Policies, right-click BitLocker Drive Encryption, and then click Add Data Recovery Agent to start the Add Recovery Agent Wizard.

  4. On the Select Recovery Agents page, click Browse Folder to select the BitLockerDRA.cer file you exported in the previous procedure. If you did not need to export a certificate because you already had deployed a PKI with the necessary certificates, click Browse directory to choose a certificate from Active Directory Domain Services.

  5. If you are prompted to install the certificate, click Yes. You can repeat this process as necessary to add multiple data recovery agents. After all data recovery agent certificates you want to use have been specified, click Next.

  6. On the Completing the Recovery Agent Wizard page, click Finish to add the data recovery agent.

  7. If you have not configured the Group Policy setting to specify the BitLocker identification field, complete Configuring the BitLocker Identification Field (Windows 7) before continuing with this scenario.

  8. Encrypt a data drive as described in Turning On BitLocker Drive Encryption on a Fixed or Removable Data Drive (Windows 7). For a data recovery agent to be able to unlock a drive, the BitLocker identification field must be present and match the identification field defined for your organization.

  9. To put the drive into a locked state so that you can test the data recovery agent, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes. Type the following command, replacing Volume with the drive letter of the BitLocker-protected data drive you want to lock (for example, E:):

    manage-bde -lock Volume:

    Do not close the Command Prompt window.

  10. Now that the drive is locked, you can unlock it by using the data recovery agent. First, you need the certificate thumbprint of the data recovery agent. To find it, at the command prompt, type the following command, replacing Volume with the drive letter of the BitLocker-protected drive you want to unlock:

    manage-bde -protectors -get Volume:

    The key protectors on the drive are displayed. Find the key protector listed as Data Recovery Agent (Certificate Based), and record its certificate thumbprint.

  11. To unlock the drive, type the following command, replacing CertificateThumbprint with the certificate thumbprint of the data recovery agent recorded in the previous step:

    manage-bde -unlock Volume: -cert -ct CertificateThumbprint -pin

  12. Enter your smart card PIN when prompted. The drive is unlocked.
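Steps 9 to 12 are the part worth rehearsing regularly, because a data recovery agent that has never been tested is not a recovery plan. The following Windows PowerShell script is an added example written for this page, not code from the original Microsoft guide; it drives the same manage-bde commands as the steps above. The drive letter, the regular expressions used to pull the thumbprint out of manage-bde's text output, and the helper function name are my own assumptions; run it from an elevated Windows PowerShell prompt on Windows 7 with the data recovery agent's smart card inserted.

```powershell
# Added example (not part of the original guide): lock a BitLocker-protected data
# drive, read its key protectors, extract the certificate-based DRA thumbprint and
# unlock the drive with it. Assumptions: the default drive letter below; manage-bde
# lists the protector as "Data Recovery Agent (Certificate Based)" followed by a
# 40-hex-digit thumbprint, and -status prints "Lock Status:" and
# "Identification Field:" lines. Parsing regexes are mine.

param([string]$Volume = 'E:')

$ErrorActionPreference = 'Stop'

function Invoke-ManageBde {
    # Runs manage-bde with the given arguments and returns its text output;
    # throws on a non-zero exit code so a failed lock or unlock is not silently ignored.
    param([string[]]$Arguments)
    $out = & manage-bde.exe @Arguments 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "manage-bde $($Arguments -join ' ') failed:`n$out" }
    return $out
}

# 0. A DRA can only unlock a drive whose identification field matches the value
#    configured for the organization (guide step 8), so show it before testing.
$status = Invoke-ManageBde @('-status', $Volume)
$idLine = ($status -split "`r?`n") | Where-Object { $_ -match 'Identification Field' }
Write-Host "Volume ${Volume}: $($idLine -join '; ')"

# 1. Lock the drive so that the DRA path is genuinely exercised (step 9).
Invoke-ManageBde @('-lock', $Volume) | Out-Null

# 2. Read the key protectors and pull the DRA certificate thumbprint (step 10).
#    The lazy match stops at the first blank line, i.e. the end of that protector's block.
$protectors = Invoke-ManageBde @('-protectors', '-get', $Volume)
$draBlock = [regex]::Match($protectors,
    'Data Recovery Agent \(Certificate Based\)(.*?)(?=\n\s*\n|\z)', 'Singleline,IgnoreCase')
if (-not $draBlock.Success) { throw "No certificate-based DRA protector on $Volume" }
$thumbMatch = [regex]::Match($draBlock.Value, '\b[0-9a-f]{40}\b', 'IgnoreCase')
if (-not $thumbMatch.Success) { throw 'DRA protector found, but no thumbprint in its block' }
$thumb = $thumbMatch.Value

# Sanity check: the thumbprint on the drive must belong to a certificate whose
# private key this user holds (on the smart card); otherwise -unlock cannot succeed.
$have = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -ieq $thumb }
if (-not $have) { Write-Warning "Thumbprint $thumb is not in CurrentUser\My; insert the DRA smart card" }

# 3. Unlock with the DRA certificate; manage-bde prompts for the smart card PIN (steps 11 and 12).
Invoke-ManageBde @('-unlock', $Volume, '-cert', '-ct', $thumb, '-pin') | Out-Null

# 4. Confirm from the status output rather than trusting the exit code alone.
$after = Invoke-ManageBde @('-status', $Volume)
if ($after -match 'Lock Status:\s*Unlocked') {
    Write-Host "$Volume unlocked via DRA certificate $thumb"
} else {
    throw "Unlock reported success, but $Volume is not shown as Unlocked:`n$after"
}
```

If step 2 fails with "No certificate-based DRA protector", the drive was either encrypted before the agent was added to Group Policy or the identification field did not match when it was encrypted; in both cases the DRA protector is simply absent from the drive, and no amount of unlocking will help until the drive is re-protected.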

By completing the procedures in this scenario, you have assigned data recovery agents to BitLocker and used a data recovery agent to unlock a BitLocker-protected drive.


Excerpt from: BitLocker Drive Encryption Step-by-Step Guide for Windows 7


6 thoughts on “Using a Data Recovery Agent to Recover BitLocker-Protected Drives in Windows 7”

  1. I locked my C: drive with BitLocker and saved the password on the USB drive as well as on the same drive. But, due to a virus, the USB drive is corrupted. Now, at every boot, Windows asks for the recovery key. My laptop is a Lenovo R400 and has no smart card. I want to access the drive without losing data. I am unable to access the drive until it gets the recovery key; please suggest me a solution, urgently.

