This blog post is a follow-up to my first post on BitLocker, MBAM and Data Recovery Agents (DRA).
In this post we’ll cover actually USING the BitLocker DRA to recover/unlock a BitLocker Encrypted drive using the BitLocker DRA Certificate.
Installing a BitLocker DRA Private Certificate
Before you can unlock a drive using the DRA certificate, you must install the private (.pfx) certificate file on your system. My recommendation is to install it under a local account (not a domain account), to avoid a potential issue with Credential Roaming.
- Log into the system using a local (Administrative) account – again, this is to prevent the private certificate from roaming with individual users and being installed on multiple systems.
- Locate the BitLocker DRA (.PFX) private certificate file (obtained from your Certificate Authority) and double-click on it.
- Follow the wizard and provide the password for the private key (this should also be provided by your Certificate Authority).
- Click Next through the rest of the wizard pages.
- Delete the .PFX certificate file from the machine.
One other recommendation: keep track of who has this certificate and where it is installed. When you have to renew the certificate, this will make it much easier to go back through and update the locally installed private certs.
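The installation steps above can also be scripted. The following is an added example (not code from the original post): run it from an elevated PowerShell session while logged on with a local administrative account, and it imports the .pfx into the user's Personal store without marking the key exportable, records where this copy was installed (the inventory-file path is an assumption; point it at whatever your team uses to track DRA holders), and deletes the .pfx afterwards. The Import-PfxCertificate cmdlet is part of the built-in PKI module.

```powershell
# Added example, not from the original post: scripted equivalent of the PFX
# install steps. Run from an elevated PowerShell session while logged on with a
# LOCAL administrative account so the private key does not roam.
# $PfxPath and $InventoryLog are assumptions; adjust to your environment.
param(
    [Parameter(Mandatory)] [string] $PfxPath,                            # e.g. D:\DRA\BitLockerDRA.pfx (assumed)
    [string] $InventoryLog = 'C:\ProgramData\BitLockerDRA\installs.csv'  # assumed location
)

# Refuse to continue under a domain account: the point is to keep the key local.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if ($identity.Name -notlike "$env:COMPUTERNAME\*") {
    throw "Logged on as $($identity.Name); install the DRA private key from a LOCAL administrative account."
}

# Prompt for the private-key password supplied by the Certificate Authority; never hard-code it.
$pfxPassword = Read-Host -Prompt 'PFX private-key password' -AsSecureString

# Import into the current user's Personal store. -Exportable is deliberately omitted,
# so the key cannot be re-exported from this machine later.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\CurrentUser\My' `
                              -Password $pfxPassword

if (-not $cert.HasPrivateKey) {
    throw 'Import succeeded but no private key is present; the .pfx may hold only the public certificate.'
}

# Record who holds this copy and where, as recommended above, so renewal is tractable.
New-Item -ItemType Directory -Path (Split-Path $InventoryLog) -Force | Out-Null
[pscustomobject]@{
    Installed  = (Get-Date).ToString('s')
    Computer   = $env:COMPUTERNAME
    User       = $identity.Name
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter.ToString('s')
} | Export-Csv -Path $InventoryLog -Append -NoTypeInformation

# Remove the .pfx so the private key exists only inside the certificate store.
Remove-Item -Path $PfxPath -Force

Write-Host "DRA certificate $($cert.Thumbprint) installed; expires $($cert.NotAfter)."
```

Save it as a .ps1 and call it with the path to the .pfx. The local-account check compares the logon name against the computer name, which is how local accounts appear; a domain logon shows the domain instead and the script stops before importing anything.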
Unlocking a BitLocker Encrypted Drive with a BitLocker Data Recovery Agent
Now that we have the Private (PFX) certificate installed, we can proceed with unlocking BitLocker encrypted drives. Unlocking a BitLocker Encrypted drive starts at the Command Prompt (Elevated) where we can then leverage the manage-bde.exe utility to work with BitLocker Drive Encryption.
- At the (elevated) Command Prompt, type manage-bde -protectors -get <drive letter>: where <drive letter> is the drive you wish to unlock. You should see output similar to below (Image credit: TechNet).
- Take special note of the Certificate Thumbprint highlighted above. That long string is your certificate ID which you will use to actually unlock the drive.
NOTE: It IS possible to have more than one certificate listed here if your company uses more than one DRA cert for BitLocker. You may have to try each one until you find one that works.
- To unlock the drive, type manage-bde -unlock <Drive Letter>: -Certificate -ct <Certificate Thumbprint>
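The two unlock steps, plus the "more than one DRA certificate" case from the note, as an added example that is not code from the original post. It runs from an elevated PowerShell session on the machine where the DRA private key was installed, parses the manage-bde protector listing for certificate thumbprints, keeps only those for which a private key is present in the current user's Personal store, and tries each with manage-bde -unlock until one is accepted. The drive letter is the only input; the exact text layout of manage-bde output is assumed to contain the literal label "Certificate Thumbprint:" followed by the 40-hex-digit SHA-1 thumbprint, as in the TechNet screenshot referenced above.

```powershell
# Added example, not from the original post: scripted version of the unlock steps.
# Run elevated, on the machine where the DRA private key is installed.
param(
    [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z]:$')] [string] $Drive   # e.g. 'E:'
)

# Step 1: list the protectors, exactly as 'manage-bde -protectors -get <drive>:' does.
$protectorText = & manage-bde.exe -protectors -get $Drive 2>&1 | Out-String

# Step 2: extract every certificate thumbprint. manage-bde prints the label
# 'Certificate Thumbprint:' and then the 40-hex-digit SHA-1 value (assumed layout).
$thumbprints = [regex]::Matches($protectorText, 'Certificate Thumbprint:\s*([0-9A-Fa-f]{40})\b') |
    ForEach-Object { $_.Groups[1].Value.ToUpperInvariant() }

if (-not $thumbprints) {
    throw "No certificate-based protector found on $Drive; use MBAM or Active Directory recovery instead."
}

# Step 3: there may be several DRA certificates (see the note above); only try the
# ones whose private key is actually present in this user's Personal store.
$installed  = Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey
$candidates = $thumbprints | Where-Object { $_ -in $installed.Thumbprint }

if (-not $candidates) {
    throw "Drive $Drive lists DRA thumbprint(s) $($thumbprints -join ', ') but none has a private key installed here."
}

# Step 4: unlock with the first matching certificate, falling through to the next on failure.
foreach ($ct in $candidates) {
    Write-Host "Trying DRA certificate $ct ..."
    $result = & manage-bde.exe -unlock $Drive -Certificate -ct $ct 2>&1 | Out-String
    if ($LASTEXITCODE -eq 0) {
        Write-Host "Unlocked $Drive with DRA certificate $ct."
        return
    }
    Write-Warning "Certificate $ct was rejected: $($result.Trim())"
}
throw "All matching DRA certificates were rejected for $Drive."
```

Matching the drive's thumbprints against the local store before calling manage-bde is what turns the note's "try each one" into something deterministic: a thumbprint with no private key on this machine can never succeed, so it is skipped rather than producing a confusing error, and the loop only exercises certificates that could actually work. manage-bde is used for the unlock itself because the BitLocker PowerShell module's Unlock-BitLocker cmdlet has no certificate option.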
That’s pretty much all there is to it. Recovering a BitLocker encrypted drive with a BitLocker DRA certificate is pretty simple once it’s all set up. Of course, I still recommend MBAM or Active Directory recovery as your primary recovery method (they are a lot easier), but hopefully this gives you that ‘warm & fuzzy’ feeling of knowing that you can always unlock a BitLocker encrypted drive.