Device encryption key rotation

Hi jimmyvdbergh

You can store BitLocker recovery keys in Active Directory. 

Hi Shweta, thanks for this update but does not give answer to these question

1. Does Sophos keep track of the lifetime of the key? (cryptoperiod)
2. Does Sophos auto renew the key (after cryptoperiod expires)?

as one needs to know when cryptoperiod should expire. as sophos manages the keys. sophos could know the proposed lifetime. 

1, 2 years etc. is this in any way defined / applicable here. or is lifetime, something a company needs to specify? 

not talking about someone leaving company and has access to these keys. but in the auto-generation part. 

best,

jimmy

Okay, we need to clarify a few things here.

Are you using Safeguard or Central Device Encryption?

Is your drive encrypted with Bitlocker?

Hi Richard,

we are using sophos central encryption 

currently we have bitlocker and filevault (macOS) enabled

best 

jimmy 

There are two keys in play here. The bulk encryption key that Bitlocker uses on the drive which is stored in the TPM and the Recovery key.

Central Device Encryption stores the Recovery Key and polls the new one when it is generated: https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/DEGroupPolicySettings.html

The bulk encryption key can be rotated (which is what I am assuming you are talking about based on your post) but CDE doesn't do that and doesn't monitor that action because it doesn't matter to it. The bulk key gets rotated, is stored onto the TPM, and a new Recovery Key is generated to get access to it, which is transmitted into Central. You now have access to the new bulk key through the stored recovery key.

Here is an article on how to rotate the bulk key: docs.microsoft.com/.../encrypt-devices