BitLocker Keys on Instrument Computers


Overview

When a laboratory instrument control machine has intermittent or no network access, ASCTech might not have the current version of the Windows BitLocker recovery key for that computer's encrypted hard drive(s). In this situation the instrument control machine is at risk of losing the data on all encrypted drives. If the keys are lost and the machine experiences a failure, it may be impossible to recover the machine.

  • Please contact ASCTech for assistance with key escrow.
    • This procedure is available for lab groups who need to escrow their own keys.
  • For older machines, ASCTech might not have an escrow/copy of all Windows BitLocker encryption keys.
    • This is especially true if a laboratory instrument computer system is old and/or not network-connected for a long time.
  • Decrypting an old computer risks drive failure; therefore, decryption should only be performed after consultation with ASCTech staff.
  • As part of an Air Gap, we will follow procedures to ensure continued access to the machine.

This article targets Windows, since it is rare for a Macintosh to be air gapped. Please contact ASCTech for instructions on non-networked Macintoshes.

Procedure

How to manually reveal and record the BitLocker recovery password.

  • Begin the process by determining if the computer is encrypted:
    • The Control Panel app Manage BitLocker will show encryption status.
    • Not all Windows systems are encrypted, so this is a good first step.
  • Assuming at least the C: drive is encrypted, continue with the following steps:
    • Right-click on the Command Prompt app and Run as Administrator.
      • This step varies a bit between Windows 7, 10, and 11, so if you are unsure, get an ASCTech staff person to help.
    • From the Command Prompt, type the following to see encryption information for the C: drive:
      • manage-bde -protectors c: -get
    • The important information to record is under the section named Numerical Password.
      • The first 8 digits of the Numerical Password ID will uniquely identify the password.
      • However, the 48 digit Password itself is the most important information.
        • Record this Password.
  • Alternately, the Control Panel app Manage BitLocker has an option to Back up your recovery key.
    • This requires saving the key to a separate storage device.
      • I.e., you cannot save the backup to the same drive that is encrypted.
      • This impediment is the primary motivation for using the manage-bde command line method to reveal the password.
  • Storing the key:
    • If ASCTech is doing an Air Gap we will store the key and offer the research group a copy of the key.
    • The research group should store the key somewhere known.
      • The group's share, Teams, or a printout with the PI are all options.
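As an added example (not part of the ASCTech article), the following PowerShell script performs the same enumeration as the manage-bde step above, but for every encrypted volume at once, and records the results on a removable drive. It assumes Windows 10/11 with the BitLocker PowerShell module (not available on Windows 7), an elevated prompt, and that E:\bitlocker-keys is a USB stick; it refuses to write onto a drive that is itself encrypted, which is the restriction the Control Panel backup runs into.

```powershell
# Added example, not from the original article: enumerate BitLocker recovery
# passwords on every encrypted volume and record them to a separate device.
# Run from an elevated PowerShell prompt on Windows 10/11.
param(
    [string]$Destination = 'E:\bitlocker-keys'   # assumed: a USB stick, not an encrypted drive
)

# Refuse to write the backup onto a drive that is itself BitLocker-encrypted.
$destDrive = Split-Path -Qualifier $Destination
$destVol = Get-BitLockerVolume -MountPoint $destDrive -ErrorAction SilentlyContinue
if ($destVol -and $destVol.VolumeStatus -ne 'FullyDecrypted') {
    throw "Destination $destDrive is BitLocker-encrypted; use a separate, unencrypted device."
}
New-Item -ItemType Directory -Path $Destination -Force | Out-Null

$records = foreach ($vol in Get-BitLockerVolume) {
    # Only volumes that are encrypted (or mid-encryption) have a key worth recording.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }
    foreach ($kp in $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword') {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Volume   = $vol.MountPoint
            Status   = $vol.VolumeStatus
            # First 8 characters of the protector ID: the same "Numerical Password ID"
            # that manage-bde prints, used to tell multiple passwords apart.
            KeyId    = $kp.KeyProtectorId.Trim('{}').Substring(0, 8)
            Password = $kp.RecoveryPassword    # the 48-digit recovery password
            Recorded = (Get-Date).ToString('s')
        }
    }
}

if (-not $records) {
    Write-Warning "No encrypted volume with a recovery password was found on $env:COMPUTERNAME."
    return
}

$file = Join-Path $Destination "$env:COMPUTERNAME-bitlocker-recovery.csv"
$records | Export-Csv -Path $file -NoTypeInformation
$records | Format-Table Volume, Status, KeyId, Password -AutoSize
Write-Host "Recorded $(@($records).Count) recovery password(s) to $file"
```

Hand the resulting CSV (or a printout of it) to ASCTech for escrow and keep the group's copy in the location chosen above.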