bitlocker keys in AD

Joseph Patrick 641 Reputation points
2021-01-11T22:18:15.433+00:00

We have a 2016 AD forest with 2016 and 2019 OS domain controllers. We want to store the BitLocker keys in AD, but we have found the following information during our research:

Bitlocker keys stored in AD are not 'secure' because they are not encrypted.

Has this been updated/ fixed to be secure?


3 answers

  1. Thameur-BOURBITA 36,261 Reputation points Moderator
    2021-01-12T00:02:30.297+00:00

    Hi,

    Bitlocker keys stored in AD are not 'secure' because they are not encrypted.

    Only domain administrators can read the BitLocker recovery password value in Active Directory. By default it is a secure place, but you should improve the security of your Active Directory environment by reducing the number of domain administrators and applying all security recommendations for AD hardening.

    bitlocker-and-adds-faq
    bitlocker-use-bitlocker-recovery-password-viewer

    ----------

    Please don't forget to mark helpful reply as answer

    ----------


  2. Teemo Tang 11,466 Reputation points
    2021-01-12T02:30:22.53+00:00

    Bitlocker keys stored in AD are not 'secure' because they are not encrypted.
    This sentence does not come from Microsoft official documentation; it is just some user's personal opinion.
    The BitLocker keys stored in AD can only be viewed by your domain administrators; if they are untrusted, who can be trusted? Maybe you worry that a virus or hackers attack AD and then get a domain administrator's credentials to access the BitLocker key; if so, it is still not a storage issue but an AD security issue, and we need to improve the security protection level of AD.
    Storing BitLocker and TPM recovery information in AD is a common method for IT admins to manage; if this approach had an obvious potential safety hazard, it could not be widely used.
    Backing Up BitLocker and TPM Recovery Information to AD DS
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-7/dd875529(v=ws.10)?redirectedfrom=MSDN

    -------------------------------------------------------------------------------------

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. MTG 1,246 Reputation points
    2021-01-12T10:51:11.093+00:00

    I completely agree with what's been said by Thameur and Teemo.
    The only "issue" I see with keys in AD: if you wanted to delegate access to these keys, it's a little clumsy. So say you wanted some helpdesk personnel to have access to only the keys of his department; how do you do it without making him a domain admin? -> You use the Delegation of Control wizard. However, this wizard does not use the principle of least privilege. If you give read-only access, it does not work, since these keys have the confidentiality bit set. So it requires full access! And that is bad, since full access means the helpdesk admin may decide to change permissions (as in: entitle others to read the keys) or even delete these keys!

    I wrote an article about the best way to delegate permissions for bitlocker keys, in case anyone is interested: https://www.experts-exchange.com/articles/33769/Delegation-of-access-to-Bitlocker-Recovery-Passwords-this-way-please.html?preview=xWfkWDYCtJg%3D
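The delegation problem MTG describes (and the "only domain administrators can read it" point in the first two answers) is something you can verify rather than assume. The script below is an added example, not code from any of the answer authors, Microsoft, or the linked article. It walks every msFVE-RecoveryInformation object under an OU and lists which principals hold rights that either let them read the confidential msFVE-RecoveryPassword attribute (ExtendedRight, i.e. control access, which is what the confidentiality bit demands on top of read) or let them widen that access or destroy the key (GenericAll, WriteDacl, WriteOwner, Delete). It assumes a domain-joined host with the RSAT ActiveDirectory module; the OU distinguished name is a placeholder.

```powershell
# Added example (not from the thread's authors or Microsoft): audit who can read
# or alter BitLocker recovery objects (msFVE-RecoveryInformation) under an OU.
# Assumes the RSAT ActiveDirectory module on a domain-joined host.
#Requires -Modules ActiveDirectory
param(
    # Placeholder search base; replace with the OU that holds your workstations.
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=local'
)
Import-Module ActiveDirectory

# Rights worth reporting on a recovery object:
#   ExtendedRight (control access) - needed to read the confidential recovery password
#   GenericAll / WriteDacl / WriteOwner - can grant that access to anyone else
#   Delete - can destroy the recovery key
$sensitiveRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-BitLockerRecoveryAccess {
    param([Parameter(Mandatory)][string]$SearchBase)

    # Recovery objects live as children of the computer object they protect.
    $recoveryObjects = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryGuid

    foreach ($obj in $recoveryObjects) {
        # Strip the leading RDN to get the parent computer's DN.
        $computerDn = $obj.DistinguishedName -replace '^[^,]+,', ''
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.ActiveDirectoryRights -band $sensitiveRights) -eq 0) { continue }

            [pscustomobject]@{
                Computer     = $computerDn
                RecoveryGuid = [guid]$obj.'msFVE-RecoveryGuid'
                Identity     = $ace.IdentityReference.Value
                Rights       = $ace.ActiveDirectoryRights
                Inherited    = $ace.IsInherited
            }
        }
    }
}

Get-BitLockerRecoveryAccess -SearchBase $SearchBase |
    Sort-Object Identity, Computer |
    Format-Table -AutoSize
```

Run it as a user who can at least read the security descriptors under the OU (Domain Admins will do for the audit itself). Principals that appear with GenericAll or WriteDacl on inherited ACEs are typically the result of the Delegation of Control wizard or a broad OU-level grant; those are the entries to replace with a narrower grant of ReadProperty plus ExtendedRight (control access) scoped to the msFVE-RecoveryInformation object class, so that the helpdesk can view keys without being able to re-permission or delete them.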

