Can you export the recovery keys from the old Sophos SafeGuard? We want to decommission the old server but just in case we need them on old computers.
Thank you, where do I run it?
On the server itself Dan. It'll need the variables changing - Mine dumps to c:\SGNData\BLRecoveryKeys. I've not used it for a few years but it worked well when I did!
' Export BitLocker recovery keys for every SafeGuard-managed computer.
' Run on the SafeGuard server from an elevated command prompt with the
' cscript.exe under C:\Windows\SysWOW64 (see the replies below).
' Change bekDestinationDirectoryRoot to suit; one sub-folder per machine is created.
Option Explicit

Dim scripting, scriptingCR, ScriptingDirectory, ScriptingInventory
Dim result, ret, errorText, Computername, adsMachine, otype, objArgs, FSO
Dim email, yn, objMessage, objWshShell, StrCommand, StrUser, strEvent
Dim hitCount, idx, hitCountDrives, idxDrive, softwareId, propertyValue, propertyString
Dim DriveId, response, RecoveryPassword, POAType, MachineName, DriveName, EncryptionState
Dim objKeyFile, strPath, KeyFileName, objLogFile, Counter
Const ForWriting = 2

Set FSO = CreateObject("Scripting.FileSystemObject")
Set objWshShell = CreateObject("WScript.Shell")

' Root folder for the exported keys; each machine gets its own sub-folder.
Dim bekDestinationDirectoryRoot : bekDestinationDirectoryRoot = "c:\SGNData\BLRecoveryKeys\"
Dim bekDestinationFileName
Dim bekDestinationDirectory

' The log file is written next to the script with a .log extension.
If strPath = "" Then
    strPath = Wscript.ScriptFullName
    strPath = Mid(strPath,1,InstrRev(strPath,".")-1)
End If
Set objLogFile = FSO.OpenTextFile(strPath & ".log", 8, True)

Sub WriteError (Text)
    objLogFile.WriteLine now() & " : " & Text & " - Exiting!"
    objLogFile.Close
    Wscript.Quit
End Sub

Sub WriteInfo (Text)
    objLogFile.WriteLine now() & " : " & Text
End Sub

' Connect to the SafeGuard Management Center scripting API.
Set Scripting = wscript.CreateObject("Utimaco.SafeGuard.AdministrationConsole.Scripting.Base")
Set ScriptingCR = Scripting.CreateCRClassInstance()
Set ScriptingDirectory = Scripting.CreateDirectoryClassInstance()
Set ScriptingInventory = Scripting.CreateInventoryClassInstance()

result = scripting.Initialize()
WriteInfo "Scripting.Initialize result: " & result
result = scripting.AuthenticateService()
WriteInfo "Scripting.AuthenticateService() result: " & result
result = scriptingCR.Initialize()
WriteInfo "ScriptingCR.Initialize result: " & result
result = scriptingDirectory.Initialize()
WriteInfo "ScriptingDirectory.Initialize result: " & result
result = ScriptingInventory.Initialize()
WriteInfo "ScriptingInventory.Initialize result: " & result

' Enumerate every computer object in the SafeGuard directory.
result = ScriptingDirectory.GetObjectInitialize("*","",1,hitcount)
WriteInfo "ScriptingDirectory.GetObjectInitialize result: " & result
WriteInfo "ScriptingDirectory.GetObjectInitialize hitCount: " & hitCount

If result=0 and hitCount>0 Then
    For counter=0 to hitCount-1
        result = ScriptingDirectory.GetObjectByIndex(counter, adsMachine,otype)
        WriteInfo "ScriptingDirectory.GetObjectByIndex result: " & result
        If result = 0 Then
            WriteInfo "****************************************************************"
            result = ScriptingInventory.GetComputerInventory(adsMachine, "MachineName", propertyValue, propertyString)
            MachineName = propertyString
            WriteInfo "MachineName: " & MachineName
            result = ScriptingInventory.GetComputerInventory(adsMachine, "POAType", propertyValue, propertyString)
            POAType = propertyValue
            WriteInfo "POAType: " & POAType

            If POAType = "2" Then
                ' POAType 2: fetch the 48-digit recovery password for each encrypted drive.
                result = ScriptingInventory.GetDriveInventoryIdInitialize(adsMachine,hitCountDrives)
                WriteInfo "ScriptingInventory.GetDriveInventoryIdInitialize result: " & result
                idxDrive=0
                Do While idxDrive < hitCountDrives
                    result = ScriptingInventory.GetDriveInventoryIdByIndex(idxDrive,driveId)
                    result = ScriptingInventory.GetDriveInventory(adsMachine, driveId, "DriveName", propertyValue, propertyString)
                    DriveName = propertyString
                    WriteInfo "DriveName: " & DriveName
                    result = ScriptingInventory.GetDriveInventory(adsMachine, driveId, "State", propertyValue, propertyString)
                    EncryptionState = propertyValue
                    WriteInfo "EncryptionState: " & EncryptionState
                    If EncryptionState = "2" Then
                        bekDestinationDirectory = bekDestinationDirectoryRoot & MachineName & "\"
                        If NOT (FSO.FolderExists(bekDestinationDirectory)) Then
                            FSO.CreateFolder(bekDestinationDirectory)
                        End If
                        result=ScriptingCR.BitLockerRecovery(adsMachine, DriveName, response)
                        WriteInfo "ScriptingCR.BitLockerRecovery result: " & result
                        If Len(response) = 48 Then
                            KeyFileName = bekDestinationDirectory & "Drive_" & DriveName & ".txt"
                            WriteInfo "Writing recovery password to file: " & KeyFileName
                            ' Split the 48 digits into eight 6-digit groups (offsets 1, 7, 13, ... 43).
                            RecoveryPassword = Mid(response,1,6) & " " & Mid(response,7,6) & " " & Mid(response,13,6) & " " & Mid(response,19,6) & " " & Mid(response,25,6) & " " & Mid(response,31,6) & " " & Mid(response,37,6) & " " & Mid(response,43,6)
                            ' Note: this line also writes every recovery password into the .log file next to the script.
                            WriteInfo "Recovery Password :" & RecoveryPassword
                            Set objKeyFile = FSO.OpenTextFile(KeyFileName, ForWriting, True, 0 )
                            objKeyFile.WriteLine(RecoveryPassword)
                            objKeyFile.Close
                            Set objKeyFile = Nothing
                        Else
                            WriteInfo "ERROR: Invalid Recovery Password" & response
                        End If
                    End If
                    idxDrive=idxDrive+1
                Loop
                result = ScriptingInventory.GetDriveInventoryIdFinalize()
            ElseIf POAType = "5" Then
                ' POAType 5: let the API export the recovery key file into the machine's folder.
                bekDestinationDirectory = bekDestinationDirectoryRoot & MachineName & "\"
                If NOT (FSO.FolderExists(bekDestinationDirectory)) Then
                    FSO.CreateFolder(bekDestinationDirectory)
                End If
                result = ScriptingCR.ExportBitLockerRecoveryKey(adsMachine, bekDestinationDirectory, bekDestinationFileName)
                If result = 0 Then
                    WriteInfo "Key file successfully written to file :" & bekDestinationFileName
                Else
                    WriteInfo "ERROR: Failed to export key file with error code: " & result
                End If
            End If
        End If
    Next
End If

result = ScriptingDirectory.GetObjectFinalize()
'Final
result = ScriptingInventory.FreeResources()
result = ScriptingDirectory.FreeResources()
result = ScriptingCR.FreeResources()
result = Scripting.FreeResources()
objLogFile.Close
Wscript.Quit
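As an added check (example code written for this thread, not part of the original post and not the SafeGuard scripting API): the script above only tests Len(response) = 48 before writing a key to disk, and those .txt files are what you will rely on once the server is gone. A BitLocker recovery password is eight 6-digit groups, each a 16-bit value multiplied by 11, so every group must be divisible by 11 and be no larger than 720885. The Python below audits an export tree laid out the way the script writes it (<root>/<MachineName>/Drive_<letter>.txt) against that rule. The machine names, sample passwords and temporary folder are constructed for the example.

```python
"""Audit the BitLocker recovery passwords exported by the VBS script above.

Added example for the thread, not from the original post and not part of
the SafeGuard scripting API. It assumes the on-disk layout the script
produces: <root>/<MachineName>/Drive_<letter>.txt, one recovery password
per file, written as eight 6-digit groups separated by spaces or dashes.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# A BitLocker recovery password is 48 decimal digits in eight groups of six.
# Each group is a 16-bit value multiplied by 11, so a well-formed group is
# divisible by 11 and at most 720885 (0xFFFF * 11). Checking this catches
# truncated or mis-sliced exports that a plain length check lets through.
GROUPS = 8
GROUP_LEN = 6
MAX_GROUP = 0xFFFF * 11


def split_groups(raw: str) -> list[str]:
    """Return the eight 6-digit groups; accepts spaced, dashed or bare input."""
    digits = re.sub(r"[\s-]", "", raw.strip())
    if len(digits) != GROUPS * GROUP_LEN or not digits.isdigit():
        raise ValueError(f"expected 48 digits, got {len(digits)}")
    return [digits[i:i + GROUP_LEN] for i in range(0, len(digits), GROUP_LEN)]


def is_valid_group(group: str) -> bool:
    """True when the group is 6 digits, divisible by 11 and fits 16 bits."""
    if len(group) != GROUP_LEN or not group.isdigit():
        return False
    value = int(group)
    return value % 11 == 0 and value <= MAX_GROUP


def validate_password(raw: str) -> bool:
    """Full check: 48 digits and every group passes the mod-11 rule."""
    try:
        groups = split_groups(raw)
    except ValueError:
        return False
    return all(is_valid_group(g) for g in groups)


def format_password(raw: str) -> str:
    """Re-emit a password in the canonical dashed form (raises if malformed)."""
    return "-".join(split_groups(raw))


def audit_export_tree(root: Path) -> dict[str, dict[str, bool]]:
    """Map MachineName -> {file name: valid?} for every Drive_*.txt under root."""
    report: dict[str, dict[str, bool]] = {}
    for key_file in sorted(root.glob("*/Drive_*.txt")):
        machine = key_file.parent.name
        report.setdefault(machine, {})[key_file.name] = validate_password(
            key_file.read_text(encoding="utf-8")
        )
    return report


# Constructed sample data (not real keys): a well-formed password built from
# eight values multiplied by 11, and a string whose groups overlap each other
# by one digit, the kind of output a wrong substring offset produces.
GOOD_PASSWORD = "135795-597531-000011-720885-022528-109989-440000-345565"
MISSLICED_PASSWORD = "135795 559753 100001 172088 502252 810998 944000 034556"


def build_sample_tree() -> Path:
    """Create a throw-away export tree mirroring c:\\SGNData\\BLRecoveryKeys."""
    root = Path(tempfile.mkdtemp(prefix="BLRecoveryKeys-"))
    (root / "PC-001").mkdir()
    (root / "PC-001" / "Drive_C.txt").write_text(GOOD_PASSWORD + "\n", encoding="utf-8")
    (root / "PC-002").mkdir()
    (root / "PC-002" / "Drive_C.txt").write_text(MISSLICED_PASSWORD + "\n", encoding="utf-8")
    (root / "PC-002" / "Drive_D.txt").write_text("123456\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    for machine, files in audit_export_tree(build_sample_tree()).items():
        for name, ok in files.items():
            print(f"{machine}\\{name}: {'OK' if ok else 'INVALID'}")
```

Point it at the real export root with audit_export_tree(Path(r"c:\SGNData\BLRecoveryKeys")) and re-export any machine whose file reports False while the old server still exists; a group that fails the mod-11 rule is not a well-formed recovery password and will not get you into the drive.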
It's a VBS script Dan - So copy and paste it into Notepad (or similar) and rename to "something.vbs"
How do I change the variables?
Copy and paste the whole script into Notepad. Search the text for "DestinationDirectoryRoot" or where it says "c:\SGNData\BLRecoveryKeys" in the script change this to suit your own variables - or create the same two folders I did in the same location on C Drive! Save the changes and then run the script on the server.
Running it as Admin and on the SafeGuard server? I've not used it in a few years but will have a look again and see if it still works as expected.
Thanks, it doesn't give me the option to run as admin.
Open a command prompt as Admin Dan. I would imagine you're running 64 bit too, so don't forget to run the 64 bit version of cscript.
So - Admin command prompt "c:\windows\syswow64\cscript c:\sgndata\BLRecoveryKeys\keys.vbs" in your case/screenshot I think.
Just ran it again on the server Dan and all still works well! Good luck...
Works fine, thanks, so it just creates a folder for each computer name with the RK in.
Yup! You could modify it to merge into one but it's probably best this way. Obviously, now that they're exported they're static keys, so if the key rotates it'll be out of date (like a TPM/motherboard replacement etc...). You could always set this to run on a schedule to keep it more "current", but it works well for what it is. Don't forget to secure this somewhere - it's now open to people bypassing your control methods if they just need to open a plain text file and not log a helpdesk ticket etc.... :)