
How to export recovery keys of all the computer drives in sophos bitlocker encryption console

This thread was automatically locked due to age.
  • I am curious about this as well.  Is there a way to export BitLocker recovery keys from the console for multiple/all systems?  If not, where in the database is this information held?

  • Hi Conan, Girish,

    Export of Bitlocker recovery keys is possible although not all at once. Bulk exports can be expressed as a feature request/idea via the following forum.

    https://ideas.sophos.com/forums/143208-data-protection

    Also, in case you are facing challenges exporting recovery keys from the Console for BitLocker C/R encrypted machines, please follow this KBA.

    Regards,

    Adithyan Thangaraj
    Community Support Engineer | Sophos Technical Support


  • Export of all BitLocker recovery keys can be done by a script using the API. Below you will find the VBScript code that I used to export all keys.

    The script is designed to run directly on the management server. First you have to change the destination folder (see bekDestinationDirectoryRoot) where you want to store the keys.

    The script creates a folder for each computer and stores either the BEK file (BitLocker Challenge/Response) or the plain-text recovery password in a text file.

    Regards,

    Holger

    Option Explicit

    ' Exports BitLocker recovery information for every computer known to the
    ' SafeGuard management server. Run it with the 32-bit script host:
    '   c:\windows\syswow64\cscript.exe scriptname.vbs
    ' POAType "2" is handled as BitLocker (48-digit recovery password),
    ' POAType "5" as BitLocker Challenge/Response (BEK key file).

    Dim Scripting
    Dim ScriptingCR
    Dim ScriptingDirectory
    Dim ScriptingInventory
    Dim result
    Dim adsMachine
    Dim otype
    Dim FSO
    Dim hitCount
    Dim hitCountDrives
    Dim idxDrive
    Dim propertyValue
    Dim propertyString
    Dim driveId
    Dim response
    Dim RecoveryPassword
    Dim POAType
    Dim MachineName
    Dim DriveName
    Dim EncryptionState
    Dim objKeyFile
    Dim strPath
    Dim KeyFileName
    Dim objLogFile
    Dim Counter

    Const ForWriting = 2
    Const ForAppending = 8

    Set FSO = CreateObject("Scripting.FileSystemObject")

    ' Change this to the folder where the exported keys should be stored
    Dim bekDestinationDirectoryRoot : bekDestinationDirectoryRoot = "c:\SGNData\BLRecoveryKeys\"
    Dim bekDestinationFileName
    Dim bekDestinationDirectory

    ' The log file is written next to the script, same base name with a .log extension
    strPath = WScript.ScriptFullName
    strPath = Mid(strPath, 1, InStrRev(strPath, ".") - 1)
    Set objLogFile = FSO.OpenTextFile(strPath & ".log", ForAppending, True)

    ' Logs the message, closes the log and aborts the script with a non-zero exit code
    Sub WriteError (Text)
        objLogFile.WriteLine Now() & " : " & Text & " - Exiting!"
        objLogFile.Close
        WScript.Quit 1
    End Sub

    Sub WriteInfo (Text)
        objLogFile.WriteLine Now() & " : " & Text
    End Sub

    ' Creates the destination root and the per-computer folder if they do not exist yet
    ' (FSO.CreateFolder is not recursive, so the root must be created first)
    Sub EnsureFolder (Folder)
        If Not FSO.FolderExists(bekDestinationDirectoryRoot) Then
            FSO.CreateFolder(bekDestinationDirectoryRoot)
        End If
        If Not FSO.FolderExists(Folder) Then
            FSO.CreateFolder(Folder)
        End If
    End Sub

    ' The scripting COM objects are 32-bit; this CreateObject fails under the 64-bit script host
    Set Scripting = WScript.CreateObject("Utimaco.SafeGuard.AdministrationConsole.Scripting.Base")
    Set ScriptingCR = Scripting.CreateCRClassInstance()
    Set ScriptingDirectory = Scripting.CreateDirectoryClassInstance()
    Set ScriptingInventory = Scripting.CreateInventoryClassInstance()

    result = Scripting.Initialize()
    WriteInfo "Scripting.Initialize result: " & result
    If result <> 0 Then WriteError "Scripting.Initialize failed"

    result = Scripting.AuthenticateService()
    WriteInfo "Scripting.AuthenticateService() result: " & result
    If result <> 0 Then WriteError "Scripting.AuthenticateService failed"

    result = ScriptingCR.Initialize()
    WriteInfo "ScriptingCR.Initialize result: " & result
    If result <> 0 Then WriteError "ScriptingCR.Initialize failed"

    result = ScriptingDirectory.Initialize()
    WriteInfo "ScriptingDirectory.Initialize result: " & result
    If result <> 0 Then WriteError "ScriptingDirectory.Initialize failed"

    result = ScriptingInventory.Initialize()
    WriteInfo "ScriptingInventory.Initialize result: " & result
    If result <> 0 Then WriteError "ScriptingInventory.Initialize failed"

    ' Enumerate all directory objects matching "*"
    result = ScriptingDirectory.GetObjectInitialize("*", "", 1, hitCount)
    WriteInfo "ScriptingDirectory.GetObjectInitialize result: " & result
    WriteInfo "ScriptingDirectory.GetObjectInitialize hitCount: " & hitCount
    If result = 0 And hitCount > 0 Then
        For Counter = 0 To hitCount - 1
            result = ScriptingDirectory.GetObjectByIndex(Counter, adsMachine, otype)
            WriteInfo "ScriptingDirectory.GetObjectByIndex result: " & result
            If result = 0 Then
                WriteInfo "****************************************************************"
                result = ScriptingInventory.GetComputerInventory(adsMachine, "MachineName", propertyValue, propertyString)
                MachineName = propertyString
                WriteInfo "MachineName: " & MachineName
                result = ScriptingInventory.GetComputerInventory(adsMachine, "POAType", propertyValue, propertyString)
                POAType = CStr(propertyValue)
                WriteInfo "POAType: " & POAType
                If POAType = "2" Then
                    ' BitLocker: fetch the 48-digit recovery password of every fully encrypted drive
                    result = ScriptingInventory.GetDriveInventoryIdInitialize(adsMachine, hitCountDrives)
                    WriteInfo "ScriptingInventory.GetDriveInventoryIdInitialize result: " & result
                    idxDrive = 0
                    Do While idxDrive < hitCountDrives
                        result = ScriptingInventory.GetDriveInventoryIdByIndex(idxDrive, driveId)
                        result = ScriptingInventory.GetDriveInventory(adsMachine, driveId, "DriveName", propertyValue, propertyString)
                        DriveName = propertyString
                        WriteInfo "DriveName: " & DriveName
                        result = ScriptingInventory.GetDriveInventory(adsMachine, driveId, "State", propertyValue, propertyString)
                        EncryptionState = CStr(propertyValue)
                        WriteInfo "EncryptionState: " & EncryptionState
                        If EncryptionState = "2" Then
                            bekDestinationDirectory = bekDestinationDirectoryRoot & MachineName & "\"
                            EnsureFolder bekDestinationDirectory
                            result = ScriptingCR.BitLockerRecovery(adsMachine, DriveName, response)
                            WriteInfo "ScriptingCR.BitLockerRecovery result: " & result
                            If result = 0 And Len(response) = 48 Then
                                ' A colon in the drive name ("C:") is not allowed in a file name
                                KeyFileName = bekDestinationDirectory & "Drive_" & Replace(DriveName, ":", "") & ".txt"
                                WriteInfo "Writing recovery password to file: " & KeyFileName
                                ' Split the 48 digits into eight groups of six, starting at positions 1, 7, 13, ..., 43
                                RecoveryPassword = Mid(response, 1, 6) & " " & Mid(response, 7, 6) & " " & Mid(response, 13, 6) & " " & Mid(response, 19, 6) & " " & Mid(response, 25, 6) & " " & Mid(response, 31, 6) & " " & Mid(response, 37, 6) & " " & Mid(response, 43, 6)
                                ' Note: this line also puts the plain-text password into the .log file; protect or delete the log afterwards
                                WriteInfo "Recovery Password: " & RecoveryPassword
                                Set objKeyFile = FSO.OpenTextFile(KeyFileName, ForWriting, True, 0)
                                objKeyFile.WriteLine RecoveryPassword
                                objKeyFile.Close
                                Set objKeyFile = Nothing
                            Else
                                WriteInfo "ERROR: Invalid recovery password: " & response
                            End If
                        End If
                        idxDrive = idxDrive + 1
                    Loop
                    result = ScriptingInventory.GetDriveInventoryIdFinalize()
                ElseIf POAType = "5" Then
                    ' BitLocker Challenge/Response: export the BEK key file into the computer's folder
                    bekDestinationDirectory = bekDestinationDirectoryRoot & MachineName & "\"
                    EnsureFolder bekDestinationDirectory
                    result = ScriptingCR.ExportBitLockerRecoveryKey(adsMachine, bekDestinationDirectory, bekDestinationFileName)
                    If result = 0 Then
                        WriteInfo "Key file successfully written to file: " & bekDestinationFileName
                    Else
                        WriteInfo "ERROR: Failed to export key file with error code: " & result
                    End If
                End If
            End If
        Next
    End If

    result = ScriptingDirectory.GetObjectFinalize()

    ' Final
    result = ScriptingInventory.FreeResources()
    result = ScriptingDirectory.FreeResources()
    result = ScriptingCR.FreeResources()
    result = Scripting.FreeResources()

    objLogFile.Close
    WScript.Quit 0
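
The export script above writes one plain-text recovery password per drive, so the exported files are worth checking before anyone relies on them in a recovery. The following is an added example by the editor, not code from the thread or from Sophos: it validates the structure of a 48-digit BitLocker recovery password (8 groups of 6 digits, every group divisible by 11 and below 720896 because each group is a 16-bit value times 11), unpacks the 16-byte value the digits encode, and runs the check over a set of exported file contents. It assumes the space- or dash-separated format; the sample passwords are constructed for this example and do not unlock anything.

```python
"""Sanity-check exported 48-digit BitLocker recovery passwords (added example, not from the thread)."""
import re
import struct

GROUP_LIMIT = 65536 * 11  # 720896: each 6-digit group encodes a 16-bit value times 11
_SPLIT_RE = re.compile(r"[\s-]+")


def split_groups(password: str) -> list[str]:
    """Split on spaces or dashes; accepts the space-separated form the export script writes."""
    return [g for g in _SPLIT_RE.split(password.strip()) if g]


def validate_recovery_password(password: str) -> tuple[bool, str]:
    """Return (ok, reason). Rejects wrong group counts, non-digits, and groups that fail the mod-11 rule."""
    groups = split_groups(password)
    if len(groups) != 8:
        return False, f"expected 8 groups, got {len(groups)}"
    for idx, group in enumerate(groups, start=1):
        if not (len(group) == 6 and group.isdigit()):
            return False, f"group {idx} is not six digits: {group!r}"
        value = int(group)
        if value % 11:
            return False, f"group {idx} fails the divisible-by-11 check: {group}"
        if value >= GROUP_LIMIT:
            return False, f"group {idx} exceeds {GROUP_LIMIT - 1}: {group}"
    return True, "ok"


def recovery_password_to_key_bytes(password: str) -> bytes:
    """Unpack the eight 16-bit values (group // 11) into the 16 bytes the digits encode, little-endian."""
    ok, reason = validate_recovery_password(password)
    if not ok:
        raise ValueError(reason)
    values = [int(g) // 11 for g in split_groups(password)]
    return struct.pack("<8H", *values)


def group_digits(digits: str, starts=range(0, 48, 6)) -> str:
    """Re-group a raw 48-digit string. Default offsets are correct; shifted offsets reproduce a grouping mistake."""
    if len(digits) != 48 or not digits.isdigit():
        raise ValueError("expected exactly 48 digits")
    return " ".join(digits[s:s + 6] for s in starts)


def check_exports(files: dict[str, str]) -> dict[str, str]:
    """Validate a mapping of exported file name -> file content; returns name -> reason for every failure."""
    failures = {}
    for name, content in files.items():
        ok, reason = validate_recovery_password(content)
        if not ok:
            failures[name] = reason
    return failures


# Constructed sample (hypothetical): 16-bit values 12345, 1, 65535, 4660, 0, 31337, 500, 2024, each times 11
RAW_DIGITS = "135795000011720885051260000000344707005500022264"
GOOD = group_digits(RAW_DIGITS)
# Same digits with the second group starting one digit early (offset 5 instead of 6): the kind of
# off-by-one a Mid()-based formatter can introduce; the validator rejects it at group 2.
MISGROUPED = group_digits(RAW_DIGITS, starts=(0, 5, 11, 17, 23, 29, 35, 41))

if __name__ == "__main__":
    for label, pw in (("good", GOOD), ("misgrouped", MISGROUPED)):
        print(label, pw, validate_recovery_password(pw))
    print(recovery_password_to_key_bytes(GOOD).hex())
    print(check_exports({"HOST1/Drive_C.txt": GOOD, "HOST2/Drive_C.txt": MISGROUPED}))
```

Run it over the contents of the exported Drive_*.txt files; any file listed by check_exports was written wrongly and would be rejected by the BitLocker recovery prompt as well.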

  • Brilliant work this Holger - Thank you! Log file too - superb! :)

    Point to note for those running this: it'll need to be executed from SysWOW64 if you have a 64-bit OS.


    Again - Thank you Holger, this is excellent!

  • Thank you for the script. I can't get it to run, however; I get an error calling out line 71: "could not create object named Utimaco.SafeGuard.AdministrationConsole.Scripting.Base". Prior to running this script, must anything else be set on the server?

  • This error typically occurs if you don't run the script as 32-bit.

    You have to run c:\windows\syswow64\cscript scriptname.vbs

    Regards,

    Holger

  • that did it, thank you for the quick reply!