Getting your Bitlocker keys out of AD
Posted by BPuhl on October 14, 2010
I often talk about my perspective that AD is a great publishing engine, but that it should not be authoritative for anything. Any mission critical data should be mastered outside of AD, and then synced into the directory to be published/consumed.
The problem with this is services that source their information from AD directly while that data is still mission critical. One example is BitLocker Drive Encryption recovery keys: the BDE service on clients writes its recovery keys directly into AD, so the directory becomes the only copy.
Before MSIT broadly deployed BitLocker, we worked with an internal team to build a solution for finding new BDE recovery keys, and copying them out of AD into an external store. We even went a step further, and put some self-service recovery options in front of that store.
I’m happy to see that MSIT was able to publish this solution out to Codeplex, so we can share it with everyone.
If you have BitLocker deployed in your environment but are ONLY storing the recovery keys in AD, you may want to take a look.
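As an added illustration of the "find new keys and copy them out" step (this is example code, not the MSIT/Codeplex solution and not part of the original post): BDE stores each recovery password as an msFVE-RecoveryInformation object beneath the computer account, so the objects can be enumerated with the ActiveDirectory module and filtered on whenCreated to pick up only what was written since the last run. The function name, the watermark handling and the export path are assumptions made for this example; it requires the RSAT ActiveDirectory module and an account that can read the recovery attributes, which by default only domain administrators can.

```powershell
# Added example, not code from the original post or from the Codeplex project it links to.
# Enumerates BitLocker recovery information that BDE clients wrote into AD and returns the
# entries created after a watermark, so a scheduled job can copy them to an external store.
# Assumes the ActiveDirectory (RSAT) module and read access to msFVE-RecoveryInformation objects.
Import-Module ActiveDirectory

function Get-NewBitLockerRecoveryInfo {
    param(
        # Watermark from the previous export run; default returns everything.
        [datetime]$Since = [datetime]::MinValue,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Each recovery password is a child object of the protected computer's account with
    # objectClass msFVE-RecoveryInformation. Filtering on whenCreated server-side keeps a
    # frequent sync cheap; the object's CN also begins with the same creation timestamp.
    Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' -and whenCreated -gt $Since } `
                 -SearchBase $SearchBase `
                 -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated' |
    ForEach-Object {
        # The parent of the recovery object is the computer account. Split the DN on the
        # first unescaped comma to get the parent DN.
        $computerDn = ($_.DistinguishedName -split '(?<!\\),', 2)[1]

        # msFVE-RecoveryGuid / msFVE-VolumeGuid are stored as octet strings (byte[]).
        $recoveryGuid = New-Object System.Guid -ArgumentList (,[byte[]]$_.'msFVE-RecoveryGuid')
        $volumeGuid   = New-Object System.Guid -ArgumentList (,[byte[]]$_.'msFVE-VolumeGuid')

        [pscustomobject]@{
            Computer         = (Get-ADObject -Identity $computerDn).Name
            RecoveryGuid     = $recoveryGuid        # the ID a user reads off the recovery screen
            VolumeGuid       = $volumeGuid
            RecoveryPassword = $_.'msFVE-RecoveryPassword'   # 48-digit recovery password: a secret
            Created          = $_.whenCreated
        }
    }
}

# Example run: pull everything written in the last day and hand it to the external store.
# The destination path is hypothetical; the file contains plaintext recovery passwords, so
# the real store must be at least as well protected as the AD objects it is copied from.
$lastRun = (Get-Date).AddDays(-1)
Get-NewBitLockerRecoveryInfo -Since $lastRun |
    Export-Csv -Path '\\keystore\bde\recovery-export.csv' -NoTypeInformation
```

One practical reason to run something like this is that the recovery objects live underneath the computer account: when that account is deleted or re-joined, the recovery information goes with it, which is exactly the case where an AD-only copy is worst. Persist the watermark from each successful run rather than using a fixed window, so a missed run does not skip keys.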