Data Recovery Agents with BitLocker®
You can use data recovery agent accounts to decrypt drives protected by BitLocker Drive Encryption.
A data recovery agent is a person who holds a certificate that allows them to decrypt a protected drive. A user must add the data recovery agent to Public Key Policies\BitLocker Drive Encryption in either the Group Policy Management Console (GPMC) or the Local Group Policy Editor.
A data recovery agent can be configured for a drive, but you must also enable and configure the Provide the unique identifiers for your organization policy setting so that a unique identifier is associated with each new drive that is enabled with BitLocker. Identification fields are required for management of data recovery agents on BitLocker-protected drives: BitLocker only manages and updates data recovery agents when an identification field is present on a drive and is identical to the value configured on the computer.
To create data recovery agents with BitLocker, you must have configured the BitLocker identification field and identified the data recovery agents in the Public Key Policies Group Policy settings for Windows 7 BitLocker Drive Encryption.
Steps to perform these tasks:
You must be a member of the local Administrators group to perform these tasks.
To assign a BitLocker identification field to a BitLocker-protected drive, follow these steps:
1. Log on as an administrator to the computer where you want to assign the identification field.
2. Open a Command Prompt: click Start, then type cmd in the Search programs and files box.
3. At the command prompt, type the following command, replacing <drive letter> with the drive letter (for example, E:) of the BitLocker-protected drive:

   manage-bde -SetIdentifier <drive letter>
4. The Manage-bde command-line tool sets the identification field to the value specified in the Provide the unique identifiers for your organization Group Policy setting.
5. After the value has been set, Manage-bde will display a message informing you that the drive identifier has been set.
To configure an identification field:
1. In the GPMC or Local Group Policy Editor, click BitLocker Drive Encryption under Computer Configuration\Administrative Templates\Windows Components to show the policy settings.
2. Double-click the Provide the unique identifiers for your organization policy setting in the details pane.
3. Click Enable. In BitLocker Identification Field, enter the identification field for your organization.
4. Click OK to apply and close the policy setting.
To configure a data recovery agent:
1. Open GPMC or the Local Group Policy Editor.
2. In the console tree under Computer Configuration\Windows Settings\Security Settings\Public Key Policies, right-click BitLocker Drive Encryption.
3. Click Add Data Recovery Agent to start the Add Recovery Agent Wizard. Click Next.
4. On the Select Recovery Agents page, click Browse Folders, and select a .cer file to use as a data recovery agent. After the file is selected, it is imported and appears in the Recovery agents list in the wizard. Multiple data recovery agents can be specified. After you have specified all the data recovery agents that you want to use, click Next.
5. The Completing the Add Recovery Agent page of the wizard displays a list of the data recovery agents that will be added to the Group Policy. Click Finish to confirm the data recovery agents, and close the wizard.
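Because BitLocker only honours data recovery agents when the drive's identification field matches the value configured on the computer, an administrator will want to verify both after following the identification-field and data-recovery-agent procedures above. The following PowerShell script is an added example, not part of the original article: it compares a drive's identification field (parsed from manage-bde -status) with the policy value, optionally runs manage-bde -SetIdentifier to correct it, and reports whether a certificate-based data recovery agent protector is present. It assumes an elevated prompt, that manage-bde.exe is on the PATH, and that the policy stores the identifier under HKLM:\SOFTWARE\Policies\Microsoft\FVE in a value named IdentificationFieldString (registry location assumed here, not stated in the article).

```powershell
# Added example: audit a BitLocker-protected drive's identification field against
# the organization identifier applied by Group Policy, and check for a DRA protector.
# Assumptions: elevated PowerShell; manage-bde.exe available; policy value
# IdentificationFieldString under HKLM:\SOFTWARE\Policies\Microsoft\FVE (assumed).
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]:$')]
    [string]$Drive,      # drive letter of the BitLocker-protected drive, e.g. "E:"
    [switch]$Fix         # run manage-bde -SetIdentifier when the field is missing or differs
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if (-not $policy -or [string]::IsNullOrEmpty($policy.IdentificationFieldString)) {
    throw "The 'Provide the unique identifiers for your organization' policy is not applied here; manage-bde -SetIdentifier would have nothing to set."
}
$expected = $policy.IdentificationFieldString

# Pull the 'Identification Field:' line out of the manage-bde -status output.
$status  = & manage-bde.exe -status $Drive 2>&1
$line    = $status | Where-Object { $_ -match '^\s*Identification Field:' } | Select-Object -First 1
$current = if ($line) { ($line -replace '^\s*Identification Field:\s*', '').Trim() } else { '' }
$ok = ($current -eq $expected)

if (-not $ok -and $Fix) {
    # Sets the field to the policy value, exactly as step 3 of the manual procedure does.
    & manage-bde.exe -SetIdentifier $Drive | Out-Null
    $status  = & manage-bde.exe -status $Drive 2>&1
    $line    = $status | Where-Object { $_ -match '^\s*Identification Field:' } | Select-Object -First 1
    $current = if ($line) { ($line -replace '^\s*Identification Field:\s*', '').Trim() } else { '' }
    $ok = ($current -eq $expected)
}

# A DRA shows up as a certificate-based key protector once BitLocker has applied the policy.
$protectors = & manage-bde.exe -protectors -get $Drive 2>&1
$hasDra = [bool]($protectors | Where-Object { $_ -match 'Data Recovery Agent' })

New-Object -TypeName PSObject -Property @{
    Drive                      = $Drive
    PolicyIdentifier           = $expected
    DriveIdentifier            = $current
    IdentifierMatches          = $ok
    DataRecoveryAgentProtector = $hasDra
}
```

A drive that reports IdentifierMatches = True but DataRecoveryAgentProtector = False has the field set but has not yet picked up the policy's recovery agents; re-run the check after the next Group Policy refresh before relying on the agent for recovery.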