This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Safeguard Recovery Key Dump

Hello there,

I was wondering if there was a way to get a dump of all recovery keys stored in Sophos Safeguard either through a SQL query to the database or through the Safeguard API. I have not used the API before so if the process involves that, as much information as possible is appreciated!

Thanks



This thread was automatically locked due to age.
Parents
  • Sorry Michael - I forgot to come back and update this! This is a VBS script - If 64 bit (nearly all servers are these days) It has to be run from 64 bit ( c:\windows\syswow64\cscript bitlockerexport.vbs)

    You'll need to set the directory on your machine - it's here - 

    Dim bekDestinationDirectoryRoot : bekDestinationDirectoryRoot = "c:\SGNData\BLRecoveryKeys\"

     

    Option Explicit
    
    Dim scripting
    Dim scriptingCR
    Dim ScriptingDirectory
    Dim ScriptingInventory
    Dim result
    Dim ret
    Dim errorText
    Dim Computername
    Dim adsMachine
    Dim otype
    Dim objArgs
    Dim FSO
    dim email
    dim yn
    Dim objMessage
    Dim objWshShell
    Dim StrCommand
    Dim StrUser
    Dim strEvent
    Dim hitCount
    Dim idx
    Dim hitCountDrives
    Dim idxDrive
    Dim softwareId
    Dim propertyValue
    Dim propertyString
    Dim DriveId
    Dim response
    Dim RecoveryPassword
    Dim POAType
    Dim MachineName
    Dim DriveName
    Dim EncryptionState
    Dim objKeyFile
    Dim strPath
    Dim KeyFileName
    Dim objLogFile
    Dim Counter
    
    Const ForWriting = 2  
    
    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set objWshShell = CreateObject("WScript.Shell")
    
    Dim bekDestinationDirectoryRoot : bekDestinationDirectoryRoot = "c:\SGNData\BLRecoveryKeys\"
    Dim bekDestinationFileName
    Dim bekDestinationDirectory
    
    If strPath = "" Then 
    	strPath = Wscript.ScriptFullName
    	strPath = Mid(strPath,1,InstrRev(strPath,".")-1)
    End If
    
    Set objLogFile = FSO.OpenTextFile(strPath & ".log", 8,True)
    
    Sub WriteError (Text)
    	objLogFile.WriteLine now() & " : " & Text & " - Exiting!"
    	objLogFile.Close
    	Wscript.Quit 
    End Sub
    
    Sub WriteInfo (Text)
    	objLogFile.WriteLine now() & " : " & Text
    End Sub
    
    
    
    
    Set Scripting = wscript.CreateObject("Utimaco.SafeGuard.AdministrationConsole.Scripting.Base")
    Set ScriptingCR = Scripting.CreateCRClassInstance()
    Set ScriptingDirectory = Scripting.CreateDirectoryClassInstance()
    Set ScriptingInventory = Scripting.CreateInventoryClassInstance()
    
    result = scripting.Initialize()
    WriteInfo "Scripting.Initialize result: " & result
    
    result = scripting.AuthenticateService()
    WriteInfo "Scripting.AuthenticateService() result: " & result
    
    result = scriptingCR.Initialize()
    WriteInfo "ScriptingCR.Initialize result: " & result
    
    result = scriptingDirectory.Initialize()
    WriteInfo "ScriptingDirectory.Initialize result: " & result
    
    result = ScriptingInventory.Initialize()
    WriteInfo "ScriptingInventory.Initialize result: " & result
    
    result = ScriptingDirectory.GetObjectInitialize("*","",1,hitcount) 
    WriteInfo "ScriptingDirectory.GetObjectInitialize result: " & result
    WriteInfo "ScriptingDirectory.GetObjectInitialize hitCount: " & hitCount
    If result=0 and hitCount>0 Then 
     For counter=0 to hitCount-1
       result = ScriptingDirectory.GetObjectByIndex(counter, adsMachine,otype)
       WriteInfo "ScriptingDirectory.GetObjectByIndex result: " & result
       If result = 0 Then
    		WriteInfo "****************************************************************"
    		result = ScriptingInventory.GetComputerInventory(adsMachine, "MachineName", propertyValue, propertyString)
    		MachineName = propertyString
    		WriteInfo "MachineName: " & MachineName
    		result = ScriptingInventory.GetComputerInventory(adsMachine, "POAType", propertyValue, propertyString)
    		POAType = propertyValue
    		WriteInfo "POAType: " & POAType
    		If POAType = "2" Then
    			result = ScriptingInventory.GetDriveInventoryIdInitialize(adsMachine,hitCountDrives)
    			WriteInfo "ScriptingInventory.GetDriveInventoryIdInitialize result: " & result
    			idxDrive=0
    			Do While idxDrive < hitCountDrives
    				result = ScriptingInventory.GetDriveInventoryIdByIndex(idxDrive,driveId)
    				result = ScriptingInventory.GetDriveInventory(adsMachine, driveId, "DriveName", propertyValue, propertyString)
    				DriveName = propertyString
    				WriteInfo "DriveName: " & DriveName
    				result = ScriptingInventory.GetDriveInventory(adsMachine, driveId, "State", propertyValue, propertyString)
    				EncryptionState = propertyValue
    				WriteInfo "EncryptionState: " & EncryptionState
    				If EncryptionState = "2" Then
    					bekDestinationDirectory = bekDestinationDirectoryRoot & MachineName & "\"
    					If NOT (FSO.FolderExists(bekDestinationDirectory)) Then
    						FSO.CreateFolder(bekDestinationDirectory)
    					End If
    					result=ScriptingCR.BitLockerRecovery(adsMachine, DriveName, response)
    					WriteInfo "ScriptingCR.BitLockerRecovery result: " & result
    					if Len(response) = 48 Then
    						KeyFileName = bekDestinationDirectory & "Drive_" & DriveName & ".txt"
    						WriteInfo "Writing recovery password to file: " & KeyFileName
    						RecoveryPassword = Mid(response,1,6) & " " & Mid(response,6,6) & " " & Mid(response,12,6) & " " & Mid(response,18,6) & " " & Mid(response,24,6) & " " & Mid(response,30,6) & " " & Mid(response,36,6) & " " & Mid(response,42,6)
    						WriteInfo "Recovery Password :" & RecoveryPassword
    						Set objKeyFile = FSO.OpenTextFile(KeyFileName, ForWriting, True, 0  )
    						objKeyFile.WriteLine(RecoveryPassword)
    						objKeyFile.Close
    						Set objKeyFile = Nothing 
    					Else 
    					  WriteInfo "ERROR: Invalid Recovery Password" & response
    					End If
    				End if
    				idxDrive=idxDrive+1
    			Loop
    			result = ScriptingInventory.GetDriveInventoryIdFinalize()
    		ElseIf POAType = "5" Then
    			bekDestinationDirectory = bekDestinationDirectoryRoot & MachineName & "\"
    			If NOT (FSO.FolderExists(bekDestinationDirectory)) Then
    				FSO.CreateFolder(bekDestinationDirectory)
    			End If
    			result = ScriptingCR.ExportBitLockerRecoveryKey(adsMachine, bekDestinationDirectory, bekDestinationFileName)
    			If result = 0 Then
    			 WriteInfo "Key file succesfully written to file :" & bekDestinationFileName
    			Else
    			 WriteInfo "ERROR: Failed to export key file with error code: " & result
    			End If
    		End If
       End If
     Next
    End If
    
    result = ScriptingDirectory.GetObjectFinalize()
    
    'Final
    result = ScriptingInventory.FreeResources()
    result = ScriptingDirectory.FreeResources()
    result = ScriptingCR.FreeResources()
    result = Scripting.FreeResources()
    
    objLogFile.Close
    Wscript.Quit 

  • Michael,

    One additional question I had is that this script should not rotate the keys correct? That only happens when a key is viewed in the console?

    Thanks again,

    Michael 

  • Hi other Michael!

    The client knows the key has been used and then rotates, not the server. This should only happen if a hardware change has happened, or the key is used. The new key should then sync with the server and the server will have the updated key. 

    I wish I could take credit for the script but it’s sadly not my handy work. You could always automate a run of this script though to have latest data exported. 

    I would make sure you have a plan to move away from SafeGuard with either Central if you want to stay with Sophos or another provider. July 2023 is the official end of life for SafeGuard and Sophos have announced that Ventura will NOT support SafeGuard and that’s out very soon! Best o have your migration plan sorted to start moving away asap. 

    all the best 

    Other Michael 

  • Ah right thank you for the clarification.

    And yes, we have a migration plan that we are actively executing, and this was the last unsolved piece of the puzzle.

    Thanks again!

    Michael 

Reply Children
No Data