Dell Data Protection Recovery Guide v8.12/v1.6/v1.3/v1.12/v1.
Legend CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed. WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death. IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information. © 2016 Dell Inc. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.
Contents 1 Getting Started with Recovery.......................................................................................................................5 Contact Dell ProSupport................................................................................................................................................... 5 2 Policy-Based or File/Folder Encryption Recovery..........................................................................................6 Overview of the Recovery Process.....
10 Secure Lifecycle Recovery......................................................................................................................... 44 Recovery Requirements.................................................................................................................................................. 44 Perform Secure Lifecycle Recovery..............................................................................................................................
1 Getting Started with Recovery This section details what is needed to create the recovery environment. • Downloaded copy of the recovery environment software - located in the Windows Recovery Kit folder in the Dell Data Protection installation media • CD-R, DVD-R media, or formatted USB media • • If burning a CD or DVD, review Burning the Recovery Environment ISO to CD\DVD for details. • If using USB media, review Burning the Recovery Environment on Removable Media for details.
2 Policy-Based or File/Folder Encryption Recovery With Policy-Based Encryption or File/Folder Encryption (FFE) recovery, you can recover access to the following: • A computer that does not boot and that displays a prompt to perform SDE Recovery. • A computer on which you cannot access encrypted data or edit policies. • A server running Dell Data Protection | Server Encryption that meets either of the preceding conditions.
NOTE: You must remember this password to access the recovery keys. 4 Copy the .exe file to a location where it can be accessed when booted into WinPE. Obtain the Recovery File - Locally Managed Computer To obtain the Personal Edition recovery file: 1 Locate the recovery file named LSARecovery_ .exe file. This file was stored on a network drive or removable storage when you went through Setup Wizard while installing Personal Edition.
3 Navigate to the recovery file and launch it. 4 Select one option: • My system fails to boot and displays a message asking me to perform SDE Recovery. This will allow you to rebuild the hardware checks that the Encryption client performs when you boot into the OS. • My system does not allow me to access encrypted data, edit policies, or is being reinstalled. Use this if the Hardware Crypto Accelerator card or the motherboard/TPM must be replaced.
5 In the Backup and Recovery Information dialog, confirm that the information about the client computer to be recovered is correct and click Next. When recovering non-Dell computers, the SerialNumber and AssetTag fields will be blank. 6 In the dialog that lists the computer's volumes, select all applicable drives and click Next. Shift-click or control-click to highlight multiple drives. If the selected drive is not Policy-Based or FFE-encrypted, it will fail to recover.
7 Enter your recovery password and click Next. With a remotely managed client, this is the password provided in step 3 in Obtain the Recovery File - Remotely Managed Computer. In Personal Edition, the password is the Encryption Administrator Password set for the system at the time the keys were escrowed. 8 10 In the Recover dialog, click Recover. The recovery process begins.
9 When recovery is complete, click Finish. NOTE: Be sure to remove any USB or CD\DVD media that was used to boot the machine. Failure to do this may result in booting back into the recovery environment. 10 After the computer reboots, you should have a fully functioning computer. If problems persist, contact Dell ProSupport.
3 Hardware Crypto Accelerator Recovery With Dell Data Protection Hardware Crypto Accelerator (HCA) Recovery, you can recover access to the following: • Files on an HCA encrypted drive - This method decrypts the drive using the keys provided. You can select the specific drive that you need to decrypt during the recovery process. • An HCA encrypted drive after a hardware replacement - This method is used after you must replace the Hardware Crypto Accelerator card or a motherboard/TPM.
2 In the Hostname field, enter the fully qualified domain name of the endpoint and click Search. 3 In the Enhanced Recovery window, enter a recovery Password and click Download. NOTE: You must remember this password to access the recovery keys. Obtain the Recovery File - Locally Managed Computer To obtain the Personal Edition recovery file: 1 Locate the recovery file named LSARecovery_ .exe file.
2 Copy LSARecovery_ .exe to the target computer (the computer to recover data). Perform a Recovery 1 Using the bootable media created earlier, boot to that media on a recovery system or on the device with the drive you are attempting to recover. A WinPE Environment opens. 2 Type x and press Enter to get to a command prompt. 3 Navigate to the saved recovery file and launch it.
4 5 Select one option: • I want to decrypt my HCA encrypted drive. • I want to restore access to my HCA encrypted drive. In the Backup and Recovery Information dialog, confirm that the Service Tag or Asset number is correct and click Next.
6 In the dialog that lists the computer's volumes, select all applicable drives and click Next. Shift-click or control-click to highlight multiple drives. If the selected drive is not HCA encrypted, it will fail to recover. 7 Enter your recovery password and click Next. On a remotely managed computer, this is the password provided in step 3 in Obtain the Recovery File - Remotely Managed Computer.
8 In the Recover dialog, click Recover. The recovery process begins. 9 When prompted, browse to the saved recovery file and click OK.
If you are performing a full decryption, the following dialog displays status. This process may require some time. 10 18 When the message displays to indicate that recovery completed successfully, click Finish. The computer reboots.
After the computer reboots, you should have a fully functioning computer. If problems persist, contact Dell ProSupport.
4 Self-Encrypting Drive (SED) Recovery With SED Recovery, you can recover access to files on a SED through the following methods: • • Perform a one-time unlock of the drive to bypass and remove Preboot Authentication (PBA). • With a remotely managed SED client, the PBA can later be enabled again through the Remote Management Console. • With a locally managed SED client, the PBA can be enabled through the Security Tools Administrator Console. Unlock, then permanently remove the PBA from the drive.
Obtain the Recovery File - Locally Managed SED Client Obtain the recovery file. The file was generated and is accessible from the backup location you selected when Dell Data Protection | Security Tools was installed on the computer. The filename is OpalSPkey.dat. Perform a Recovery 1 Using the bootable media created earlier, boot to that media on a recovery system or on the device with the drive you are attempting to recover. A WinPE environment opens with the recovery application.
4 22 Select one option and click OK. • One-time unlock of the drive - This method bypasses and removes the PBA. Later, it can be enabled again through the Remote Management Console (for a remotely managed SED client) or through the Security Tools Administrator Console (for a locally managed SED client). • Unlock drive and remove PBA - This method unlocks, then permanently removes the PBA from the drive.
5 Recovery is now completed. Press any key to return to the menu.
6 Press r to reboot the computer. NOTE: Be sure to remove any USB or CD\DVD media that was used to boot the computer. Failure to do this may result in booting back into the recovery environment. 7 24 After the computer reboots, you should have a fully functioning computer. If problems persist, contact Dell ProSupport.
5 General Purpose Key Recovery The General Purpose Key (GPK) is used to encrypt part of the registry for domain users. However, during the boot process, in rare cases, it might become corrupted and fail to unseal. If so, the following errors display in the CMGShield.log file on the client computer: [12.06.13 07:56:09:622 GeneralPurposeK: 268] GPK - Failure while unsealing data [error = 0xd] [12.06.13 07:56:09:622 GeneralPurposeK: 631] GPK - Unseal failure [12.06.
The .exe file is downloaded. Perform a Recovery 1 Create bootable media of the recovery environment. For instructions, see Appendix A - Burning the Recovery Environment. 2 Boot to that media on a recovery system or on the device with the drive you are attempting to recover. A WinPE Environment opens. 3 Enter x and press Enter to get to a command prompt. 4 Navigate to the recovery file and launch it.
5 At an administrative command prompt, run .exe > -p -gpk It returns the GPKRCVR.txt for your computer. 6 Copy the GPKRCVR.txt file to the root of the OS drive of the computer. 7 Reboot the computer. The GPKRCVR.txt file will be consumed by the operating system and will regenerate the GPK on that computer. 8 If prompted, reboot again.
6 Encrypted Drive Data Recovery If the target computer is not bootable and no hardware failure exists, data recovery can be accomplished on the computer booted into a recovery environment. If the target computer is not bootable and has failed hardware or is a USB device, data recovery can be accomplished by booting into a slaved drive. When you slave a drive, you can see the file system and browse the directories. However, if you try to open or copy a file, an Access denied error occurs.
b c 2 Open the Remote Management Console, and select the Details & Actions tab for the endpoint. In the Shield Detail section of the Endpoint Detail screen, locate the DCID/Recovery ID. To download the key from the Server, navigate to and run the Dell Administrative Unlock (CMGAu) utility. The Dell Administrative Unlock utility can be obtained from Dell ProSupport.
3 In the Dell Administrative Utility (CMGAu) dialog, enter the following information (some fields may be prepopulated) and click Next. Server: Fully Qualified Hostname of the Server, for example: Device Server: https://:8081/xapi Security Server: https://
NOTE: If the Encryption client is not installed, a message displays that Unlock failed. Move to a computer with the Encryption client installed. 5 When download and unlock are complete, copy files you need to recover from this drive. All files are readable. Do not click Finish until you have recovered the files. 6 After you recover the files and are ready to re-lock the files, click Finish. After you click Finish, the encrypted files are no longer available.
7 BitLocker Manager Recovery To recover data, you obtain a recovery password or key package from the Remote Management Console, which then allows you to unlock data on the computer. Recover Data 1 As a Dell Administrator, log in to the Remote Management Console. 2 In the left pane, click Management > Recover Data. 3 Click the Manager tab. 4 For BitLocker: Enter the Recovery ID received from BitLocker. Optionally, if you enter the Hostname and Volume, the Recovery ID is populated.
Enter the Hostname. Click Get Recovery Password or Create Key Package. Depending on how you want to recover, you will use this recovery password or key package to recover data. 5 To complete the recovery, see Microsoft's Instructions for Recovery. NOTE: If BitLocker Manager does not "own" the TPM, the TPM password and key package are not available in the Dell database. You will receive an error message stating that Dell cannot find the key, which is the expected behavior.
8 Password Recovery Users commonly forget their password. Fortunately, there are multiple ways for users to regain access to a computer with Preboot Authentication when they do. • • The Recovery Questions feature offers question- and- answer-based authentication. Challenge/Response Codes lets users work with their Administrator to regain access to their computer. This feature is available only to users who have computers that are managed by their organization.
3 When the Q&A dialog appears, enter the answers that you supplied when you enrolled in Recovery Questions the first time you signed in.
Challenge/Response Codes Challenge/Response recovery can be used to authenticate through PBA to access Windows. Challenge/Response can be used in the following scenarios: • When a user does not remember the answers supplied at time of Recovery Questions enrollment. • The Administrator has not enabled the Recovery Questions feature.
NOTE: The Challenge/Response option is only available on computers that are managed by an enterprise. If the computer is nondomain, the Challenge/Response option does not appear on the menu. 3 When prompted, the user contacts the Help Desk and gives the Administrator the Device Name (host name) and Challenge Code. 4 The Administrator opens the Remote Management Console, clicks Management > Recover Data, and then clicks SED from the top menu.
5 Under Recover SED User Access, the Administrator enters the Host Name obtained from the user, and clicks Search. 6 The Administrator selects the user name who is asking for help: 7 Enter the device code obtained from the user into the Challenge field and click Generate Response. 8 Give the generated response code to the user. NOTE: These codes are not case sensitive. The numbers are shown in red and the letters in blue.
10 Click the right arrow to continue, and to authenticate past the PBA screen. 11 Click Submit. A user can authenticate past PBA using the Challenge/Response feature only one time. After a computer restart, the PBA layer resumes protecting the computer and resumes prompting the user to sign in on the PBA screen. NOTE: After the user has displayed the Challenge/Response dialog, the user must complete the Challenge/Response sequence to regain access to the system.
9 External Media Shield Password Recovery External Media Shield (EMS) gives you the ability to protect removable storage media both in and outside of your organization by allowing users to encrypt USB flash drives and other removable storage media. The user assigns a password to each removable media device they want to protect. This section describes the process for recovering access to an encrypted USB storage device when a user forgets a device's password.
3 Contact the Help Desk Administrator and give him the codes that appear in the dialog. 4 As a Help Desk Administrator, log into the Remote Management Console - the Help Desk Administrator's account must have Help Desk privileges. 5 Navigate to the Recover Data menu option on the left pane. 6 Enter the codes provided by the end-user. 7 Click the Generate Response button at the bottom right-hand corner of the screen. 8 Give the user the Access Code.
9 Reset your password for the encrypted media. The user is prompted to reset his password for the encrypted media. Self-Recovery Self-Recovery is the process of resetting the password for an encrypted removable media device by inserting the drive back into a protected machine where the owner of the media is logged in. As long as the media owner is authenticated to the protected Mac or PC, the client detects the loss of key material and prompts the user to re-initialize the device.
If successful, a small notification appears to indicate that the password was accepted. 4 Navigate to the storage device and confirm access to the data.
10 Secure Lifecycle Recovery The recovery tool allows: • Decryption of protected Office files This includes files up to triple encryption - With more than one way to encrypt files, occasionally a file is double or triple encrypted. If the user opens the file, an error message instructs them to contact their administrator to recover them.
NOTE: Do not clear the Enable SSL Trust check box unless your administrator tells you to. NOTE: If you are not a Forensic Administrator and enter credentials, a message displays indicating you do not have login rights. If you are a Forensic Administrator, the recovery tool opens. 5 Select Source. NOTE: You must browse to a source and a destination, but you can select these in either order. 6 Click Browse to select the folder or drive to be recovered.
7 Click OK. 8 Click Destination 9 Click Browse to select a destination, such as an external device, a directory location, or the Desktop. 10 Click OK. 11 Select one or more check boxes based on what you want to recover. Options Description Escrow • • Decrypted Recover offline-generated keys that could not be escrowed to the DDP Server. If a hard drive fails while the user is offline from the network, use the slaved drive to recover data and non-escrowed keys from the computer.
The Log area displays: • Folders found and scanned within the selected source • Whether decryption was successful or failed The recovery tool adds the recovered files to the selected destination.
11 Appendix A - Burning the Recovery Environment You can download the Master Installer. Burning the Recovery Environment ISO to CD\DVD The following link contains the process needed to use Microsoft Windows 7, Windows 8, or Windows 10 to create a bootable CD or DVD for the recovery environment. http://windows.microsoft.