
Recovery Keys

Can you export the recovery keys from the old Sophos SafeGuard? We want to decommission the old server, but we may still need the keys for old computers.



  • Yes you can. I have the script somewhere; I'll try to dig it out or find the post. Obviously it won't work for the C/R keys if you still use those?

  • Option Explicit
    
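    ' Export the BitLocker recovery passwords / key files that Sophos SafeGuard
    ' holds for each managed computer into plain-text files under
    ' bekDestinationDirectoryRoot (one sub-folder per machine name).
    ' The exported files, and the .log written next to this script, contain
    ' usable recovery secrets - restrict access to both accordingly.

    ' SafeGuard scripting API handles and the result of the last API call
    Dim scripting, scriptingCR, ScriptingDirectory, ScriptingInventory
    Dim result

    ' Directory enumeration state
    Dim adsMachine, otype, hitCount, Counter

    ' Per-machine / per-drive inventory values
    Dim hitCountDrives, idxDrive, DriveId
    Dim propertyValue, propertyString
    Dim MachineName, POAType, DriveName, EncryptionState

    ' Recovery data and output files
    Dim response, RecoveryPassword
    Dim objKeyFile, KeyFileName
    Dim objLogFile, strPath

    ' Host objects (objWshShell is created but not used further in this script)
    Dim FSO, objWshShell

    ' FileSystemObject IOMode for OpenTextFile
    Const ForWriting = 2

    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set objWshShell = CreateObject("WScript.Shell")

    ' Root folder for the exported keys; change this to suit your environment.
    Dim bekDestinationDirectoryRoot : bekDestinationDirectoryRoot = "c:\SGNData\BLRecoveryKeys\"
    Dim bekDestinationFileName
    Dim bekDestinationDirectory

    ' strPath is never assigned before this point, so the log always lands next
    ' to the script as <script name without extension>.log
    If strPath = "" Then
        strPath = Wscript.ScriptFullName
        strPath = Mid(strPath, 1, InstrRev(strPath, ".") - 1)
    End If

    ' 8 = ForAppending; the log file is created if it does not exist yet.
    Set objLogFile = FSO.OpenTextFile(strPath & ".log", 8, True)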
    
    ' Logs Text with a timestamp, closes the log file and terminates the script.
    Sub WriteError (Text)
        Dim logEntry
        logEntry = Now & " : " & Text & " - Exiting!"
        objLogFile.WriteLine logEntry
        objLogFile.Close
        WScript.Quit
    End Sub
    
    ' Appends one timestamped line to the log file.
    Sub WriteInfo (Text)
        Dim logEntry
        logEntry = Now & " : " & Text
        objLogFile.WriteLine logEntry
    End Sub
    
    
    
    
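    ' ------------------------------------------------------------------------
    ' Helpers
    ' ------------------------------------------------------------------------

    ' Returns the per-machine output folder under bekDestinationDirectoryRoot
    ' (with trailing backslash), creating it if it does not exist yet.
    Function MachineFolder(machineLabel)
        Dim folderPath
        folderPath = bekDestinationDirectoryRoot & machineLabel & "\"
        If Not FSO.FolderExists(folderPath) Then
            FSO.CreateFolder folderPath
        End If
        MachineFolder = folderPath
    End Function

    ' Splits a 48-character recovery password into eight space-separated groups
    ' of six characters, taken from positions 1, 7, 13, ..., 43. (The earlier
    ' hard-coded offsets 1, 6, 12, ... overlapped the groups by one character
    ' and dropped the 48th, producing an unusable password.)
    Function FormatRecoveryPassword(rawKey)
        Dim groupIdx, formatted
        formatted = ""
        For groupIdx = 0 To 7
            If groupIdx > 0 Then formatted = formatted & " "
            formatted = formatted & Mid(rawKey, groupIdx * 6 + 1, 6)
        Next
        FormatRecoveryPassword = formatted
    End Function

    ' POAType "2": for every drive in the machine's inventory whose "State" is
    ' "2", fetch the BitLocker recovery password through the C/R class and write
    ' it to <machine folder>\Drive_<DriveName>.txt.
    Sub ExportDrivePasswords(machineObject, machineLabel)
        Dim callResult, driveCount, driveIdx, inventoryDriveId
        Dim propValue, propString, driveLabel, driveState
        Dim outFolder, rawKey, formattedKey, keyPath, keyFile

        callResult = ScriptingInventory.GetDriveInventoryIdInitialize(machineObject, driveCount)
        WriteInfo "ScriptingInventory.GetDriveInventoryIdInitialize result: " & callResult
        driveIdx = 0
        Do While driveIdx < driveCount
            callResult = ScriptingInventory.GetDriveInventoryIdByIndex(driveIdx, inventoryDriveId)
            callResult = ScriptingInventory.GetDriveInventory(machineObject, inventoryDriveId, "DriveName", propValue, propString)
            driveLabel = propString
            WriteInfo "DriveName: " & driveLabel
            callResult = ScriptingInventory.GetDriveInventory(machineObject, inventoryDriveId, "State", propValue, propString)
            driveState = propValue
            WriteInfo "EncryptionState: " & driveState
            If driveState = "2" Then
                outFolder = MachineFolder(machineLabel)
                ' Clear the previous answer so a failed call cannot leave the
                ' previous drive's password behind and pass the length check.
                rawKey = ""
                callResult = ScriptingCR.BitLockerRecovery(machineObject, driveLabel, rawKey)
                WriteInfo "ScriptingCR.BitLockerRecovery result: " & callResult
                If Len(rawKey) = 48 Then
                    keyPath = outFolder & "Drive_" & driveLabel & ".txt"
                    WriteInfo "Writing recovery password to file: " & keyPath
                    formattedKey = FormatRecoveryPassword(rawKey)
                    ' NOTE: this line copies the recovery password into the
                    ' script's .log file as well; protect (or purge) the log as
                    ' carefully as the key files themselves.
                    WriteInfo "Recovery Password :" & formattedKey
                    ' 0 = TristateFalse: write the file as ASCII
                    Set keyFile = FSO.OpenTextFile(keyPath, ForWriting, True, 0)
                    keyFile.WriteLine formattedKey
                    keyFile.Close
                    Set keyFile = Nothing
                Else
                    WriteInfo "ERROR: Invalid Recovery Password" & rawKey
                End If
            End If
            driveIdx = driveIdx + 1
        Loop
        callResult = ScriptingInventory.GetDriveInventoryIdFinalize()
    End Sub

    ' POAType "5": let SafeGuard export the machine's BitLocker recovery key
    ' file into the machine folder. writtenFile is filled in by the call and
    ' only logged here.
    Sub ExportKeyFile(machineObject, machineLabel)
        Dim callResult, outFolder, writtenFile
        outFolder = MachineFolder(machineLabel)
        callResult = ScriptingCR.ExportBitLockerRecoveryKey(machineObject, outFolder, writtenFile)
        If callResult = 0 Then
            WriteInfo "Key file succesfully written to file :" & writtenFile
        Else
            WriteInfo "ERROR: Failed to export key file with error code: " & callResult
        End If
    End Sub

    ' ------------------------------------------------------------------------
    ' Main flow
    ' ------------------------------------------------------------------------

    ' Connect to the SafeGuard administration scripting API.
    Set Scripting = wscript.CreateObject("Utimaco.SafeGuard.AdministrationConsole.Scripting.Base")
    Set ScriptingCR = Scripting.CreateCRClassInstance()
    Set ScriptingDirectory = Scripting.CreateDirectoryClassInstance()
    Set ScriptingInventory = Scripting.CreateInventoryClassInstance()

    ' Initialization results are logged but not checked.
    result = scripting.Initialize()
    WriteInfo "Scripting.Initialize result: " & result

    result = scripting.AuthenticateService()
    WriteInfo "Scripting.AuthenticateService() result: " & result

    result = scriptingCR.Initialize()
    WriteInfo "ScriptingCR.Initialize result: " & result

    result = scriptingDirectory.Initialize()
    WriteInfo "ScriptingDirectory.Initialize result: " & result

    result = ScriptingInventory.Initialize()
    WriteInfo "ScriptingInventory.Initialize result: " & result

    ' Enumerate the directory objects and handle each one by its POAType.
    result = ScriptingDirectory.GetObjectInitialize("*", "", 1, hitCount)
    WriteInfo "ScriptingDirectory.GetObjectInitialize result: " & result
    WriteInfo "ScriptingDirectory.GetObjectInitialize hitCount: " & hitCount
    If result = 0 And hitCount > 0 Then
        For Counter = 0 To hitCount - 1
            result = ScriptingDirectory.GetObjectByIndex(Counter, adsMachine, otype)
            WriteInfo "ScriptingDirectory.GetObjectByIndex result: " & result
            If result = 0 Then
                WriteInfo "****************************************************************"
                result = ScriptingInventory.GetComputerInventory(adsMachine, "MachineName", propertyValue, propertyString)
                MachineName = propertyString
                WriteInfo "MachineName: " & MachineName
                result = ScriptingInventory.GetComputerInventory(adsMachine, "POAType", propertyValue, propertyString)
                POAType = propertyValue
                WriteInfo "POAType: " & POAType
                ' "2" -> per-drive recovery passwords, "5" -> exported key file;
                ' any other POAType is skipped.
                If POAType = "2" Then
                    ExportDrivePasswords adsMachine, MachineName
                ElseIf POAType = "5" Then
                    ExportKeyFile adsMachine, MachineName
                End If
            End If
        Next
    End If

    result = ScriptingDirectory.GetObjectFinalize()

    'Final
    result = ScriptingInventory.FreeResources()
    result = ScriptingDirectory.FreeResources()
    result = ScriptingCR.FreeResources()
    result = Scripting.FreeResources()

    objLogFile.Close
    Wscript.Quit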

  • It's a VBS script Dan - so copy and paste it into Notepad (or similar) and save it as "something.vbs".

  • Copy and paste the whole script into Notepad. Search the text for "DestinationDirectoryRoot" (the line that says "c:\SGNData\BLRecoveryKeys") and change that path to suit your own environment - or create the same two folders I did in the same location on the C drive. Save the changes and then run the script on the server.

  • Are you running it as Admin and on the SafeGuard server? I've not used it in a few years but will have a look again and see if it still works as expected.

  • Thanks, but it doesn't give me the option to run as admin.

  • Open a command prompt as Admin Dan. I would imagine you're running 64 bit too, so don't forget to run the 64 bit version of cscript.

    So - Admin command prompt "c:\windows\syswow64\cscript c:\sgndata\BLRecoveryKeys\keys.vbs" in your case/screenshot I think.

  • Just ran it again on the server Dan and all still works well! Good luck...

  • Works fine, thanks - so it just creates a folder for each computer name with the recovery key in it.

  • Yup! You could modify it to merge everything into one file, but it's probably best this way. Obviously, now they're exported they're static keys, so if a key rotates (after a TPM/motherboard replacement etc.) the export will be out of date. You could always set this to run on a schedule to keep it more "current", but it works well for what it is. Don't forget to secure the exported files somewhere - they now let anyone who can open a plain text file bypass your control methods without logging a helpdesk ticket etc. :)