MCTS 70-680: Bitlocker and Recovery

Posted on 2016-8-10 18:00:22

If you are not able to access your BitLocker or BitLocker to Go drive, you are going to need some way to recover the data. This video looks at the recovery options that are available for BitLocker and BitLocker to Go. These include the recovery key and also how to configure a Data Recovery Agent (DRA) for both BitLocker and BitLocker to Go.

There are two ways that you can recover BitLocker if you lose or forget the password, or if the keys inside a TPM are lost, for example because you change hardware, change the boot sector or change the BIOS. One way is with the recovery key that is created every time you encrypt a drive with either BitLocker or BitLocker to Go. The second method is to configure a Data Recovery Agent (DRA). A DRA is a user that has access to the data on the BitLocker drive. The advantage of a DRA is that you don't have to manage all the recovery keys. Each time you use BitLocker or BitLocker to Go a new recovery key will be created.

Recovery Keys
When you run the wizard for BitLocker or BitLocker to Go the recovery key can be saved or printed out. Regardless of which you choose you should keep it in a safe place. It is not wise to copy the recovery key to the drive that you encrypted as you won't be able to access the recovery key in an emergency. In a large organization you may want to store the recovery keys on a share or in Active Directory. This can be configured using group policy.

Data Recovery Agent (DRA)
Before you start encrypting drives using BitLocker or BitLocker to Go you should configure a DRA. A DRA will only be able to access drives that were encrypted after the DRA was set up. A new DRA cannot decrypt drives that were encrypted before it was configured.

Group Policy
Listed below are the BitLocker group policy settings and the DRA group policy settings. In order to use the recovery agent you will need to configure the organization in the BitLocker group policy as well as the settings in the DRA group policy.

BitLocker Group Policy
These settings configure the BitLocker settings. Only the first setting is required for a DRA. The DRA group policy settings are listed next. General BitLocker settings are found under:

Computer configuration > Administrative templates > Windows components > BitLocker Drive Encryption

Provide the unique identifiers for your organization - This setting is required for the DRA group policy settings below. It sets an organization name for BitLocker to identify which BitLocker or BitLocker to Go drives will be used with that DRA.

Store BitLocker recovery information in Active Directory Domain Services - When configured, this setting will attempt to store the Active Directory recovery key in Active Directory. If this fails you can configure Windows to prevent the drive being encrypted or allow it anyway.

Choose default folder for recovery password - This allows you to configure a share to store the recovery keys to.

Choose how users can recover BitLocker-protected drives - This setting controls how and if the user can save the recovery key using the wizard. If you plan on saving the keys in Active Directory or a share you may want to deny the user the ability to save the key to ensure that there are not multiple copies of the recovery key.

Choose drive encryption method and cipher strength - Determines the level of encryption that will be used: 128 or 256 bit.

Choose how users can recover BitLocker-protected drives - This setting determines which recovery options the user will have. For example, which recovery keys are available.

DRA Settings Group Policy
To configure a new DRA, right-click the group policy setting listed below and select Add Data Recovery Agent. The wizard will then ask you for the certificate that you want to use for that user.

Computer configuration > Policies > Windows Settings > Security Settings > Public Key Policies > BitLocker Drive Encryption
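
Because a DRA only covers drives encrypted after it was configured, it is worth auditing which volumes actually carry a recovery password and a certificate-based protector. The following is an added example, not part of the original post; it assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later) and an elevated prompt, and the function name `Get-BitLockerRecoveryAudit` is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: audit local BitLocker volumes for the recovery options described above.
# Assumption: the BitLocker module (Get-BitLockerVolume, Backup-BitLockerKeyProtector) is available.

function Get-BitLockerRecoveryAudit {
    [CmdletBinding()]
    param(
        # When set, also copy each recovery password to AD DS (domain-joined machines only)
        [switch]$BackupToAD
    )

    foreach ($vol in Get-BitLockerVolume) {
        # Volumes that are not encrypted have no protectors to audit
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

        # Numerical recovery password (the "recovery key" saved or printed by the wizard)
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

        # Certificate-based protectors; a DRA appears on the volume as one of these
        # (a smart card certificate on a data drive is reported with the same type)
        $cert = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'PublicKey')

        if ($BackupToAD) {
            foreach ($kp in $recovery) {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $kp.KeyProtectorId | Out-Null
            }
        }

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeStatus        = $vol.VolumeStatus
            Protectors          = ($vol.KeyProtector.KeyProtectorType -join ', ')
            HasRecoveryPassword = $recovery.Count -gt 0
            HasCertProtector    = $cert.Count -gt 0
            CertThumbprints     = ($cert.Thumbprint -join ', ')
        }
    }
}

# Volumes reporting HasCertProtector = False are candidates for having been
# encrypted before the DRA policy was applied
Get-BitLockerRecoveryAudit | Format-Table -AutoSize
```

Compare the reported thumbprints with the thumbprint of the DRA certificate you added in group policy to confirm that the protector really is the DRA.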