Encryption Recovery v10.9 December 2020 Rev.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2012-2020 Dell Inc. All rights reserved.
Contents
Chapter 1: Getting Started with Recovery
  Contact Dell ProSupport
Chapter 2: Policy-Based or File/Folder Encryption Recovery
  Perform System Data Encryption or FFE Recovery
  Challenge Recovery with Full Disk Encryption
Chapter 7: PBA Device Control
  Use PBA Device Control
Chapter 8: General Purpose Key Recovery
1 Getting Started with Recovery
This section details what is needed to create the recovery environment.
● CD-R, DVD-R media, or formatted USB media
  ○ If burning a CD or DVD, review Burning the Recovery Environment ISO to CD\DVD for details.
  ○ If using USB media, review Burning the Recovery Environment on Removable Media for details.
● Recovery Bundle for the failed device
  ○ For remotely managed clients, the instructions that follow explain how to retrieve a recovery bundle from your Dell Security Management Server.
2 Policy-Based or File/Folder Encryption Recovery
Recovery is needed when the encrypted computer will not boot to the operating system. This occurs when the registry is incorrectly modified or hardware changes have occurred on an encrypted computer. With Policy-Based Encryption or File/Folder Encryption (FFE) recovery, you can recover access to the following:
● A computer that does not boot and that displays a prompt to perform SDE Recovery.
e. Enter a password to download the Device Recovery Keys.
f. Copy the Device Recovery Keys to a location where they can be accessed when booted into WinPE.
Obtain the Recovery File - Locally Managed Computer
To obtain the Encryption Personal recovery file:
1. Locate the recovery file named LSARecovery_ .exe. This file was stored on a network drive or removable storage when you went through the Setup Wizard while installing Encryption Personal.
2. Copy LSARecovery_ .exe to the target computer (the computer to recover data).
Perform a Recovery
1. Using the bootable media created earlier, boot to that media on a recovery system or on the device with the drive you are attempting to recover. A WinPE environment opens.
NOTE: Disable SecureBoot before the recovery process. When finished, re-enable SecureBoot.
2. Enter x and press Enter to get a command prompt.
3. Navigate to the recovery file and launch it.
4. Select one option:
● My system fails to boot and displays a message asking me to perform SDE Recovery. This will allow you to rebuild the hardware checks that the Encryption client performs when you boot into the OS.
● My system does not allow me to access encrypted data, edit policies, or is being reinstalled. Use this if the Hardware Crypto Accelerator card or the motherboard/TPM must be replaced.
5.
6. In the dialog that lists the computer's volumes, select all applicable drives and click Next. Shift-click or control-click to highlight multiple drives. If the selected drive is not Policy-Based or FFE-encrypted, it will fail to recover.
7. Enter your recovery password and click Next. With a remotely managed client, this is the password provided in step e in Obtain the Recovery File - Remotely Managed Computer.
8. In the Recover dialog, click Recover. The recovery process begins.
9. When recovery is complete, click Finish.
NOTE: Be sure to remove any USB or CD\DVD media that was used to boot the machine. Failure to do this may result in booting back into the recovery environment.
10. After the computer reboots, you should have a fully functioning computer. If problems persist, contact Dell ProSupport.
open or copy a file, an Access Denied error will appear. When connecting a Dell Encrypted drive to a system that does not currently have Dell Encryption installed, attempting to open data will result in cipher text being displayed.
Recover Encrypted Drive Data
To recover encrypted drive data:
1. To obtain the DCID/Recovery ID from the computer, choose one option:
  a. Run WSScan on any folder where Common encrypted data is stored. The eight-character DCID/Recovery ID displays after "Common."
  b.
2. To download the key from the Server, navigate to and run the Dell Administrative Unlock (CMGAu) utility. The Dell Administrative Unlock utility can be obtained from Dell ProSupport.
3. In the Dell Administrative Utility (CMGAu) dialog, enter the following information (some fields may be prepopulated) and click Next.
Server: Fully Qualified Hostname of the Server, for example:
  Device Server (Pre 8.x clients): https://:8081/xapi
  Security Server: https://
6. After you recover the files and are ready to re-lock the files, click Finish. After you click Finish, the encrypted files are no longer available.
3 Hardware Crypto Accelerator Recovery
NOTE: Hardware Crypto Accelerator is not supported, beginning with v8.9.3.
With Hardware Crypto Accelerator (HCA) Recovery, you can recover access to the following:
● Files on an HCA encrypted drive - This method decrypts the drive using the keys provided. You can select the specific drive that you need to decrypt during the recovery process.
2. In the Hostname field, enter the fully qualified domain name of the endpoint and click Search.
3. In the Recovery window, enter a recovery Password and click Download.
NOTE: You must remember this password to access the recovery keys.
Obtain the Recovery File - Locally Managed Computer
To obtain the Encryption Personal recovery file:
1. Locate the recovery file named LSARecovery_ .exe.
2. Copy LSARecovery_ .exe to the target computer (the computer to recover data).
Perform a Recovery
1. Using the bootable media created earlier, boot to that media on a recovery system or on the device with the drive you are attempting to recover. A WinPE environment opens.
NOTE: Disable SecureBoot before the recovery process. When finished, re-enable SecureBoot.
2. Type x and press Enter to get to a command prompt.
3. Navigate to the saved recovery file and launch it.
4. Select one option:
● I want to decrypt my HCA encrypted drive.
● I want to restore access to my HCA encrypted drive.
5. In the Backup and Recovery Information dialog, confirm that the Service Tag or Asset number is correct and click Next.
6. In the dialog that lists the computer's volumes, select all applicable drives and click Next. Shift-click or control-click to highlight multiple drives. If the selected drive is not HCA encrypted, it will fail to recover.
7. Enter your recovery password and click Next. On a remotely managed computer, this is the password provided in step 3 in Obtain the Recovery File - Remotely Managed Computer.
8. In the Recover dialog, click Recover. The recovery process begins.
9. When prompted, browse to the saved recovery file and click OK.
If you are performing a full decryption, the following dialog displays status. This process may require some time.
10. When the message displays to indicate that recovery completed successfully, click Finish. The computer reboots.
After the computer reboots, you should have a fully functioning computer. If problems persist, contact Dell ProSupport.
4 Self-Encrypting Drive (SED) Recovery
With SED Recovery, you can recover access to files on a SED through the following methods:
● Perform a one-time unlock of the drive to bypass the Preboot Authentication (PBA).
● Unlock, then permanently remove the PBA from the drive. Single Sign-On will not function with the PBA removed.
Obtain the Recovery File - Locally Managed SED Client
Obtain the recovery file. The file was generated and is accessible from the backup location you selected when Advanced Authentication was installed on the computer. The filename is OpalSPkey.dat.
Perform a Recovery
1. Using the bootable media created earlier, boot to that media on a recovery system or on the device with the drive you are attempting to recover. A WinPE environment opens with the recovery application.
4. Select one option and click OK.
● One-time unlock of the drive - This method bypasses the PBA.
● Unlock drive and remove PBA - This method unlocks, then permanently removes the PBA from the drive. Removing the PBA will require you to deactivate the product from the Remote Management Console (for a remotely managed SED client) or inside the OS (for a locally managed SED client) if it is necessary to re-enable the PBA in the future. Single Sign-On will not function with the PBA removed.
5. Recovery is now completed. Press any key to return to the menu.
6. Press r to reboot the computer.
NOTE: Be sure to remove any USB or CD\DVD media that was used to boot the computer. Failure to do this may result in booting back into the recovery environment.
7. After the computer reboots, you should have a fully functioning computer. If problems persist, contact Dell ProSupport.
Challenge Recovery with SED
Bypass the PreBoot Authentication Environment
NOTE: The Challenge Response recovery method is available only to domain user accounts.
The Challenge Code is provided to the help desk technician who inputs the data, and then clicks the Generate Response button. This resulting data is color-coordinated to help discern between numerals (red) and alphabet characters (blue). This data is read to the end user, who enters it into the PBA environment and then clicks the Submit button, moving the user into Windows.
After successful authentication, the following message appears: Challenge recovery is complete.
5 Full Disk Encryption Recovery
Recovery enables you to recover access to files on a drive encrypted with Full Disk Encryption.
NOTE: Decryption should not be interrupted. If decryption is interrupted, data loss may occur.
Recovery Requirements
For Full Disk Encryption recovery, you need the following:
● Access to the recovery environment ISO
● Bootable CD\DVD or USB media
Overview of the Recovery Process
NOTE: Recovery requires a 64-bit environment.
To recover a failed system:
1.
Perform a Recovery
1. Using the bootable media created earlier, boot to that media on a recovery system or on the device with the drive you are attempting to recover. A WinPE environment opens with the recovery application.
NOTE: Disable SecureBoot before the recovery process. When finished, re-enable SecureBoot.
2. Choose option one and press Enter.
3. Select Browse, locate the recovery file, and then click Open.
4. Click OK.
5. Recovery is now completed. Press any key to return to the menu.
6. Press r to reboot the computer.
NOTE: Be sure to remove any USB or CD\DVD media that was used to boot the computer. Failure to do this may result in booting back into the recovery environment.
7. After the computer reboots, you should have a fully functioning computer. If problems persist, contact Dell ProSupport.
The following information appears after selecting Challenge Response. The Device Name field is used by the help desk technician within the Remote Management Console to find the correct device, and then a username is selected. This is found within Management > Recover Data under the PBA tab.
The Challenge Code is provided to the help desk technician who inputs the data, and then clicks the Generate Response button. This resulting data is color-coordinated to help discern between numerals (red) and alphabet characters (blue). This data is read to the end user, who enters it into the PBA environment and then clicks the Submit button, moving the user into Windows.
After successful authentication, the following message appears: Challenge recovery is complete.
6 Full Disk Encryption and Dell Encryption Recovery
This chapter details the recovery steps required to recover access to Dell Encryption protected files on a disk protected with Full Disk Encryption.
NOTE: Decryption should not be interrupted. If decryption is interrupted, data loss may occur.
Recovery Requirements
For Full Disk Encryption and Dell Encryption recovery, you need the following:
● Access to the recovery environment ISO
● Bootable CD\DVD or USB media
Overview of the Recovery Process
NOTE: Fu
Obtain the Recovery File - Policy-Based Encryption or FFE Encryption Client
Obtain the recovery file. The recovery file can be downloaded from the Management Console. To download the Disk Recovery Keys generated when you installed Dell Encryption:
a. Open the Management Console and, from the left pane, select Populations > Endpoints.
b. Enter the hostname of the endpoint, then click Search.
c. Select the name of the endpoint.
d. Click Device Recovery Keys.
e.
f. Copy the Device Recovery Keys to a location where they can be accessed when booted into WinPE.
Perform a Recovery
1. Using the bootable media created earlier, boot to that media on a recovery system or on the device with the drive you are attempting to recover. A WinPE environment opens with the recovery application.
NOTE: Disable SecureBoot before the recovery process. When finished, re-enable SecureBoot.
2. Choose option three and press Enter.
3.
4. Using the Recovery Key, the Full Disk encrypted disk is mounted.
5. Navigate to the CMGAu.exe utility using the following command:
   cd DDPEAdminUtilities\
6. Launch CMGAu.exe using the following command:
   \DDPEAdminUtilities>CmgAu.exe
   Select Yes, work offline with a previously downloaded file.
7. In the Downloaded file: field, enter the location of the Recovery Bundle, then enter the Passphrase of the Forensic Administrator and select Next.
When recovery is complete, click Finish.
NOTE: Be sure to remove any USB or CD\DVD media that was used to boot the computer. Failure to do this may result in booting back into the recovery environment.
8. After the computer reboots, you should have access to encrypted files. If problems persist, contact Dell ProSupport.
The Device Name field is used by the help desk technician within the Remote Management Console to find the correct device, and then a username is selected. This is found within Management > Recover Data under the PBA tab. The Challenge Code is provided to the help desk technician who inputs the data, and then clicks the Generate Response button.
This resulting data is color-coordinated to help discern between numerals (red) and alphabet characters (blue). This data is read to the end user, who enters it into the PBA environment and then clicks the Submit button, moving the user into Windows.
Challenge recovery is complete.
7 PBA Device Control
PBA Device Control applies to endpoints encrypted with SED or Full Disk Encryption.
Use PBA Device Control
PBA commands for a specific endpoint are carried out in the PBA Device Control area. Each command has a priority ranking. A command with a higher priority rank cancels commands of lower priorities in the enforcement queue. For a list of command priority rankings, see AdminHelp available by clicking the ? in the Remote Management Console.
8 General Purpose Key Recovery
The General Purpose Key (GPK) is used to encrypt part of the registry for domain users. However, during the boot process, in rare cases, it might become corrupted and fail to unseal. If so, the following errors display in the CMGShield.log file on the client computer:
[12.06.13 07:56:09:622 GeneralPurposeK: 268] GPK - Failure while unsealing data [error = 0xd]
[12.06.13 07:56:09:622 GeneralPurposeK: 631] GPK - Unseal failure
[12.06.
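A help desk that handles many endpoints will want to spot these GPK unseal failures in CMGShield.log before a user reports a broken login, rather than reading the log by hand. The following parser is an added example written for this guide; it is not Dell code and Dell ships no such tool. It assumes only the line shape visible in the two entries quoted above (a bracketed date, time, component name and line number, followed by the message, with an optional "[error = 0x..]" suffix). The sample log is constructed for the example: the two quoted lines are reproduced verbatim, and the remaining lines are made up to show that ordinary GPK activity and failures from other components are not flagged.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shape taken from the two CMGShield.log entries quoted in this chapter:
# [dd.mm.yy hh:mm:ss:mmm Component: nnn] message [error = 0x..]
LINE_RE = re.compile(
    r"^\[(?P<date>\d{2}\.\d{2}\.\d{2}) (?P<time>\d{2}:\d{2}:\d{2}:\d{3}) "
    r"(?P<component>[^:\]]+):\s*(?P<line>\d+)\] (?P<message>.*)$"
)
ERROR_RE = re.compile(r"\[error = (?P<code>0x[0-9a-fA-F]+)\]")

# Message fragments the chapter lists as symptoms of a GPK that failed to unseal.
GPK_FAILURE_MARKERS = ("Failure while unsealing data", "Unseal failure")


@dataclass
class LogEntry:
    date: str
    time: str
    component: str
    line: int
    message: str
    error_code: Optional[str]  # e.g. "0xd" when the message carries [error = ...]


def parse_line(raw: str) -> Optional[LogEntry]:
    """Parse one CMGShield.log line; return None for lines that do not match."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    err = ERROR_RE.search(m["message"])
    return LogEntry(
        date=m["date"],
        time=m["time"],
        component=m["component"],
        line=int(m["line"]),
        message=m["message"],
        error_code=err["code"] if err else None,
    )


def gpk_unseal_failures(log_text: str) -> List[LogEntry]:
    """Return every GeneralPurposeK entry whose message is one of the unseal-failure symptoms."""
    hits: List[LogEntry] = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        # Only the GPK component counts; other components may log similar words.
        if entry.component.startswith("GeneralPurposeK") and any(
            marker in entry.message for marker in GPK_FAILURE_MARKERS
        ):
            hits.append(entry)
    return hits


def needs_gpk_recovery(log_text: str) -> bool:
    """True when the log shows the symptoms for which this chapter's GPK recovery applies."""
    return len(gpk_unseal_failures(log_text)) > 0


# Constructed sample: lines 2 and 3 are the entries quoted in this chapter, the
# others are made up to exercise the filter (normal GPK activity, unrelated component).
SAMPLE_LOG = """\
[12.06.13 07:56:09:401 GeneralPurposeK: 201] GPK - Unsealing data
[12.06.13 07:56:09:622 GeneralPurposeK: 268] GPK - Failure while unsealing data [error = 0xd]
[12.06.13 07:56:09:622 GeneralPurposeK: 631] GPK - Unseal failure
[12.06.13 07:56:10:003 SomeOtherComp: 44] Unseal failure in unrelated component
"""

if __name__ == "__main__":
    for hit in gpk_unseal_failures(SAMPLE_LOG):
        print(f"{hit.date} {hit.time} line {hit.line}: {hit.message} (error={hit.error_code})")
    print("GPK recovery needed:", needs_gpk_recovery(SAMPLE_LOG))
```

Run it against a copied CMGShield.log by reading the file into `gpk_unseal_failures`; a non-empty result is the cue to follow the GPKRCVR.txt procedure described in the steps that follow. Because the check keys on the component name as well as the message text, an "Unseal failure" logged by some other component will not trigger a false GPK recovery.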
The .exe file is downloaded.
Perform a Recovery
1. Create bootable media of the recovery environment. For instructions, see Appendix A - Burning the Recovery Environment.
NOTE: Disable SecureBoot before the recovery process. When finished, re-enable SecureBoot.
2. Boot to that media on a recovery system or on the device with the drive you are attempting to recover. A WinPE environment opens.
3. Enter x and press Enter to get to a command prompt.
4.
5. At an administrative command prompt, run:
   .exe > -p -gpk
   It returns the GPKRCVR.txt for your computer.
6. Copy the GPKRCVR.txt file to the root of the OS drive of the computer.
7. Reboot the computer. The GPKRCVR.txt file will be consumed by the operating system and will regenerate the GPK on that computer.
8. If prompted, reboot again.
9 BitLocker Manager Recovery
To recover data, you obtain a recovery password or key package from the Management Console, which then allows you to unlock data on the computer.
Recover Data
1. As a Dell Administrator, log in to the Management Console.
2. In the left pane, click Management > Recover Data.
3. Click the Manager tab.
4. For BitLocker: Enter the Recovery ID received from BitLocker. Optionally, if you enter the Hostname and Volume, the Recovery ID is populated.
Enter the Hostname. Click Get Recovery Password or Create Key Package. Depending on how you want to recover, you will use this recovery password or key package to recover data.
5. To complete the recovery, see one of the following:
● Windows 7
● Windows 8
● Windows 10
NOTE: If BitLocker Manager does not "own" the TPM, the TPM password and key package are not available in the Dell database. You will receive an error message stating that Dell cannot find the key, which is the expected behavior.
10 Password Recovery
Users commonly forget their password. Fortunately, there are multiple ways for users to regain access to a computer with Preboot Authentication when they do.
● The Recovery Questions feature offers question-and-answer-based authentication.
● Challenge/Response Codes lets users work with their Administrator to regain access to their computer. This feature is available only to users who have computers that are managed by their organization.
3. When the Q&A dialog appears, enter the answers that you supplied when you enrolled in Recovery Questions the first time you signed in.
11 Encryption External Media Password Recovery
Encryption External Media gives you the ability to protect removable storage media both in and outside of your organization by allowing users to encrypt USB flash drives and other removable storage media. The user assigns a password to each removable media device they want to protect. This section describes the process for recovering access to an encrypted USB storage device when a user forgets a device's password.
4. As a Help Desk Administrator, log in to the Remote Management Console. The Help Desk Administrator's account must have Help Desk privileges.
5. Navigate to the Recover Data menu option in the left pane.
6. Enter the codes provided by the end user.
7. Click the Generate Response button at the bottom right-hand corner of the screen.
8. Give the user the Access Code.
NOTE: Be sure to manually authenticate the user prior to providing an Access Code.
9. Reset your password for the encrypted media. The user is prompted to reset their password for the encrypted media.
Self-Recovery
The drive must be inserted back into the machine that originally encrypted it for Self-Recovery to work. As long as the media owner is authenticated to the protected Mac or PC, the client detects the loss of key material and prompts the user to re-initialize the device. At that time, the user can reset their password and regain access to their encrypted data.
If successful, a small notification appears to indicate that the password was accepted.
4. Navigate to the storage device and confirm access to the data.
12 Appendix A - Download the Recovery Environment
The pre-built WinPE Recovery environment can be downloaded here or requested through Dell ProSupport. Call 877-459-7304, extension 4310039 for 24x7 phone support for your Dell product. For more information about recovery, see this KB article. For phone numbers outside of the United States, see Dell ProSupport International Phone Numbers.
13 Appendix B - Creating Bootable Media
Use this appendix to create bootable media.
Burning the Recovery Environment ISO to CD\DVD
The following link contains the process needed to use Microsoft Windows 7, Windows 8, or Windows 10 to create a bootable CD or DVD for the recovery environment.
http://windows.microsoft.com/en-us/windows7/burn-a-cd-or-dvd-from-an-iso-file
Burning the Recovery Environment on Removable Media
To create a bootable USB, use the following instructions:
Legacy boot:
1.