BitLocker-Could we get decrypted recovery keys if database recoverd to another server

Question

BitLocker-Could we get decrypted recovery keys if database recoverd to another server

xianhua 李 86

I have a question on database backup and recovery and BitLockerManagement_Cert.

We are using ConfigMgr 2103, we found that BitLocker recovery keys were encrypted by default on ConfigMgr database, but no certificate found.
Execute
select * from sys.certificates
on ConfigMgr database retuns nothing.

But try
SELECT RecoveryAndHardwareCore.DecryptString(RecoveryAndHardwareCore_Keys.RecoveryKey, DEFAULT) AS RecoveryKey FROM RecoveryAndHardwareCore_Keys
We can get the decrypted recovery key .

If we recovery database to another server, I doubt if we could still get decrypted recovery keys...

2021/12/16, Add some details:
"Allow recovery information to be stored in plian text" was Checked by default and it's grayed out, cannot be uncheck.

when query SQL, there is no certificate found on ConfigMrg database.
query recovery keys returns encrypted recovery key, but we can decrypt the keys by using a decryptString method:

Accepted answer

1 additional answer

Your answer

Answer 1

AllenLiu-MSFT 49,316 Microsoft External Staff

Hi, @xianhua 李
Thank you for posting in Microsoft Q&A forum.

The documentation said:
If you don't want to create a BitLocker management encryption certificate, opt-in to plain-text storage of the recovery data. When you create a BitLocker management policy, enable the option to Allow recovery information to be stored in plain text.
I think you are using the option "Allow recovery information to be stored in plain text." So you don't have a cert named "BitLockerManagement_Cert". Your recovery keys are not encrypted by SQL Server encryption certificate.

You may check this article to see why the query you used can decrypted recovery key:
https://geekdudes.wordpress.com/2020/03/25/sccm-get-decrypt-bitlocker-recovery-keys-from-the-configmgr-database/
(Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.)

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

xianhua 李 86 Reputation points

2021-12-16T06:13:59.937+00:00

Yes the "Allow recovery information to be stored in plain text" was checked, but the keys are Encrypted in database, with an unknown cert. I have add the screenshot to the post.

If I add a BitLockerManagement_CERT， I don't know what will happen to the existing encrypted keys.
if not, I don't know if we are able to decrypt the keys if we recovery database to another server.
AllenLiu-MSFT 49,316 Reputation points Microsoft External Staff

2021-12-16T08:18:39.237+00:00

According to the article I linked, the query you used to decrypt the keys is using the procedures located under Programmability-Stored Procedures, so I think if you recovery database to another server, you can still get the decrypted recovery key by this query.
xianhua 李 86 Reputation points

2021-12-20T03:21:19.173+00:00

You are right.
I finally get a test server and test database recovery, BitLocker recovery keys could be decrypt without certificate.
thanks!

Answer 2

ESWARARAJU KONETI 2,206 MVP Volunteer Moderator

You can follow the steps outlined in this document https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/encrypt-recovery-data

Thanks,
Eswar
www.eskonr.com

xianhua 李 86 Reputation points

2021-12-14T07:16:01.05+00:00

We don't have a cert named "BitLockerManagement_Cert", but recovery keys are encrypted, that's the problem...

Share via

BitLocker-Could we get decrypted recovery keys if database recoverd to another server

1 additional answer

Your answer