BitLocker Hard Drive Encryption
Connector name | agtbitlocker |
Connector type | Executable |
Type (UI field value) | Bitlocker Hard drive Encryption |
Connector status / support | Customer-Verified. Clients may contact Bravura Security support for assistance with this connector. Troubleshooting and testing must be completed in the client's test environment, as Bravura Security does not maintain internal test environments for the associated target system. |
Installation / setup | Bravura Security Fabric can also list users and retrieve BitLocker recovery keys managed by Microsoft BitLocker Administration and Monitoring by using the |
The following Bravura Security Fabric operations are supported by this connector (depending on your product license and version):
Challenge-response: generate an unlock code to recover control of a machine after reboot
List: accounts
For a full list and explanation of each connector operation, see connector operations.
Note that for BitLocker:
Encryption keys, recovery passwords and unlock codes are associated with machines, not users. The association between users and machines must be acquired out of band, for example using a network login script.
Recovery key IDs and recovery passwords are stored in Active Directory; there is no separate key recovery server.
Response codes (recovery passwords) remain valid until they are administratively changed. A recovery password that has been disclosed through the self-service flow does not expire on its own and should be replaced and backed up again once the machine is recovered.
Notes on challenge-response operation
For the challenge-response operation, the challenge input field identifies which computer the user is trying to retrieve a recovery key for. The user enters the Recovery Key ID shown on the BitLocker recovery screen into Bravura Security Fabric's Unlock encrypted systems/accounts module, which returns the recovery password they then type into the machine to unlock it.
The process for agtbitlocker is:
1. The end user accesses Bravura Pass, chooses Unlock encrypted systems/accounts, then chooses Bitlocker.
2. The "Recovery Key ID" is obtained from the affected device's BitLocker Recovery screen.
3. That "Recovery Key ID" is provided as input to the Unlock encrypted systems/accounts module in Bravura Pass as the challenge code.
4. The agtbitlocker connector retrieves the "Recovery Key" (recovery password) for that ID from the BitLocker target system, that is from Active Directory, and returns it to the user.
See Self Service Anywhere: Encrypted systems accounts for more information.
Preparation
Before you can target BitLocker, you must:
Turn on and initialize the TPM (Trusted Platform Module), and enable BitLocker.
Configure BitLocker and TPM recovery information to be backed up to Active Directory.
Add a recovery password.
This must be backed up to Active Directory; it is the 48-digit numeric string that is entered to get into a machine when a user is locked out.
Add a startup PIN so that the administrative user can start the machine and access the hard drive.
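The preparation steps above carried out on one operating-system volume, as an added PowerShell example that is not part of the original page and is not Bravura Security's own code. It assumes a domain-joined machine with a TPM, the built-in BitLocker and TrustedPlatformModule PowerShell modules, `C:` as the OS volume, and that the BitLocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" already allows saving recovery information to AD DS; without that policy the AD backup step is refused.

```powershell
# Added example: prepare a BitLocker OS volume so the connector can recover it.
# Assumes: TPM present, domain-joined host, GPO allows AD DS backup, volume C:.
#Requires -RunAsAdministrator
$volume = "C:"

# 1. TPM: confirm it is present, take ownership/initialize it if it is not ready.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) { throw "No TPM present; TPM+PIN protection is not possible on this machine" }
if (-not $tpm.TpmReady)   { Initialize-Tpm | Out-Null }

# 2. Recovery password protector. This 48-digit numeric string is what the
#    connector hands back to a locked-out user, so it is added before encryption starts.
Add-BitLockerKeyProtector -MountPoint $volume -RecoveryPasswordProtector | Out-Null

# 3. TPM+PIN protector and start encryption. The PIN is the boot-time startup PIN.
#    -SkipHardwareTest starts encryption without the reboot-based hardware check;
#    leave it off on production hardware so the TPM boot path is verified first.
$pin = Read-Host -Prompt "Startup PIN" -AsSecureString
Enable-BitLocker -MountPoint $volume -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $pin -SkipHardwareTest | Out-Null

# 4. Back up every recovery password protector to AD DS. Each one becomes an
#    msFVE-RecoveryInformation object under the computer object, named by its key ID.
$vol = Get-BitLockerVolume -MountPoint $volume
foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Backup-BitLockerKeyProtector -MountPoint $volume -KeyProtectorId $kp.KeyProtectorId | Out-Null
    "Backed up recovery key ID $($kp.KeyProtectorId) for $volume to Active Directory"
}

# 5. Report what the recovery screen will show, without echoing the password itself.
Get-BitLockerVolume -MountPoint $volume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus,
        @{n='KeyProtectorIds'; e={ ($_.KeyProtector | ForEach-Object KeyProtectorId) -join ', ' }}
```

The key protector ID printed in step 4 is the GUID the user will later read off the BitLocker Recovery screen and enter as the challenge code; if step 4 reports nothing, no recovery password protector exists and the connector will have nothing to return.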
Setting up a target system administrator
Bravura Security Fabric uses a designated domain account with read permissions on BitLocker computer objects, their attributes and their msFVE-RecoveryInformation subobjects (where the recovery passwords are stored) to perform Bravura Security Fabric operations. Create an account with these permissions if one does not already exist; it does not need write access.
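The lookup the challenge-response steps describe, and a check that the target system administrator account can actually read what the connector needs, as one added PowerShell example. It is not Bravura Security's connector code; it models the same Active Directory query. It assumes the RSAT ActiveDirectory module and that it runs as the designated read-only account; `$domain` and `$keyId` are constructed placeholders.

```powershell
# Added example (not the connector's own code): resolve an on-screen Recovery Key ID
# to its recovery information in AD and verify the account can read the password.
Import-Module ActiveDirectory

$domain = "corpdomain.example"   # assumed DNS domain name (the "domain" target parameter)
$keyId  = "1A2B3C4D"             # constructed: first 8 hex chars, or the full GUID, from the recovery screen

# BitLocker backs up each recovery password as an msFVE-RecoveryInformation object
# under the computer object. Its CN is "<timestamp>{<recovery GUID>}", so the key ID
# can be matched as a substring whether the user typed 8 characters or the whole GUID.
$hits = @(Get-ADObject -Server $domain `
    -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$($keyId)*))" `
    -Properties msFVE-RecoveryGuid, msFVE-RecoveryPassword, whenCreated)

switch ($hits.Count) {
    0       { throw "No recovery information for key ID ${keyId}: the machine never backed up to AD, or the ID was mistyped" }
    1       { $hit = $hits[0] }
    default { throw "Key ID $keyId matches $($hits.Count) objects; ask the user for the full GUID" }
}

# The parent of the recovery object is the computer it belongs to. This is the
# machine side of the user/machine association, which AD cannot tie to a user.
$computerDn = $hit.DistinguishedName -replace '^CN=[^,]+,', ''
$computer   = Get-ADComputer -Identity $computerDn -Server $domain
$guid       = [guid]::new([byte[]]$hit.'msFVE-RecoveryGuid')

[pscustomobject]@{
    Computer         = $computer.Name
    RecoveryKeyId    = $guid.ToString().ToUpper()
    Created          = $hit.whenCreated
    # $false means the account can see the object but cannot read msFVE-RecoveryPassword:
    # grant it read on the computer's subobjects rather than broader rights.
    PasswordReadable = -not [string]::IsNullOrEmpty($hit.'msFVE-RecoveryPassword')
}
```

The 48-digit recovery password is deliberately not printed; in production only the connector, after the user has authenticated to Bravura Pass, should release it. Note that the query resolves a machine, not a user: whether the requesting user is entitled to that machine's key is the out-of-band association the notes above require.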
Targeting the BitLocker system
For each BitLocker system, add a target system in Bravura Security Fabric (Manage the System > Resources > Target systems):
Type is Bitlocker Hard drive Encryption.
Address uses the following:
Domain or domain controller (key: domain): the DNS domain name, or the domain controller's FQDN or host name.
Connection over SSL (key: ssl, optional): select to enforce SSL connections.
The Administrator ID and Password are the credentials for the target system administrator you configured in Setting up a target system administrator.
Ensure you enter the login ID using the domain format: <domain>\<loginID>. For example:
corpdomain\administrator
The full list of target parameters is explained in Target System Options.