Thursday, November 26, 2009

Recovering Windows Encrypted Data for EFS and Bitlocker

In this post I'm going to go over two encryption methods built natively into Windows, EFS (Encrypted File System) and BitLocker, and how to recover the data should the encryption keys become lost or corrupt.


BitLocker requires a Trusted Platform Module (TPM) version 1.2 or higher. The TPM is a security chip built into the computer's hardware: a machine either has one or it doesn't. If you don't have a TPM you cannot use BitLocker.

The TPM contains information such as:
- the recovery password
- the TPM owner password
- information identifying which computers and volumes the recovery information applies to

On a Microsoft network, if you deploy BitLocker to all your Vista / Windows 7 workstations or Server 2008 member servers, you can deploy a Group Policy that stores this TPM backup data in Active Directory. This ensures the data can always be recovered by authorised users even if the physical computer containing the BitLocker-protected drive fails. You cannot save recovery information in Active Directory if the domain controller is running a version of Windows Server earlier than Windows Server 2003 with SP1.

There are five files needed to set up TPM password backups:
- Add-TPMSelfWriteACE.vbs
- BitLockerTPMSchemaExtension.ldf
- List-ACEs.vbs
- Get-TPMOwnerInfo.vbs
- Get-BitLockerRecoveryInfo.vbs

Download these files from here:

If you are at the 2003 functional level you have to perform a schema extension to create the attributes in Active Directory required to store the TPM recovery information. If you are at the 2008 functional level this is not required.

If you are serious about backing up TPM recovery information to Active Directory, please carefully read the following TechNet article:

I do not recommend implementing BitLocker in an Active Directory organisation without backing up the TPM recovery information from all BitLocker-protected machines on the network.
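One way to confirm that the backup actually landed in Active Directory before you rely on it. This is an added example, not code from the original post or one of the Microsoft scripts listed above; it assumes the BitLocker schema extension is already applied, the RSAT ActiveDirectory PowerShell module is installed, and the OU path is a placeholder for your own.

```powershell
# Added example (not from the original post): report which domain computers
# have BitLocker recovery information stored beneath their computer object.
# Only counts and timestamps are reported, never the recovery passwords.
Import-Module ActiveDirectory

# Assumed OU; replace with the container holding your BitLocker-enabled machines.
$searchBase = "OU=Workstations,DC=example,DC=com"

function Get-BitLockerBackupStatus {
    param([string]$SearchBase)

    foreach ($computer in (Get-ADComputer -Filter * -SearchBase $SearchBase)) {
        # Recovery information is stored as msFVE-RecoveryInformation child
        # objects directly beneath the computer object, one per key protector.
        $recovery = @(Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
            -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
            -Properties whenCreated)

        $latestDate = $null
        if ($recovery.Count -gt 0) {
            $latestDate = ($recovery | Sort-Object whenCreated -Descending |
                Select-Object -First 1).whenCreated
        }

        New-Object PSObject -Property @{
            Computer      = $computer.Name
            RecoveryCount = $recovery.Count
            LatestBackup  = $latestDate
            BackedUp      = ($recovery.Count -gt 0)
        }
    }
}

# Machines with no recovery information in AD are the ones you could not
# recover after a TPM or disk failure; fix those before rolling out further.
Get-BitLockerBackupStatus -SearchBase $searchBase |
    Where-Object { -not $_.BackedUp } |
    Format-Table Computer, RecoveryCount, LatestBackup -AutoSize
```

Run it from an account that has read access to the recovery objects; an empty result means every computer in the OU has at least one recovery entry stored.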

Encrypted File System

The Encrypted File System uses Data Recovery Agents (DRAs) to back up encryption keys. You can have one or more DRAs, for example separate DRAs for different departments under different organisational units, or a single DRA for everyone.

When you set up EFS you create a version 2 EFS user certificate from the EFS certificate template and roll the certificates out to all users using auto-enrolment (this requires the 2003 functional level).

If you are looking to implement EFS in your organisation, make sure you read and completely understand Data Recovery Agents by reading the following article:
