BitLocker encryption keys

When encrypting the boot volume or other volumes with BitLocker through SafeGuard Enterprise, the encryption keys are always generated by BitLocker. A key is generated by BitLocker for each volume and cannot be reused for any other purpose.

When using BitLocker with SafeGuard Enterprise, a recovery key is stored in the SafeGuard Enterprise Database. This allows for setting up a helpdesk and recovery mechanism similar to the SafeGuard Enterprise Challenge/Response.

However, it is not possible to select keys globally or reuse them as with SafeGuard Enterprise native clients. The keys are not displayed in the SafeGuard Management Center either.

Note: BitLocker also allows you to back up recovery keys to Active Directory. If this is enabled in the group policy objects (GPOs), the backup is done automatically when a volume is encrypted with BitLocker. If a volume is already encrypted, the administrator can back up the BitLocker recovery keys manually with the Windows Manage-BDE tool (see "manage-bde -protectors -adbackup -?").
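
The manual backup described in the note, as an added example that is not part of the original documentation or of any vendor tooling: it enumerates the volumes BitLocker has already encrypted and calls manage-bde once per recovery password protector. It assumes an elevated PowerShell session on a domain-joined machine where the GPO permits backup to Active Directory; the status labels in the report are made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: back up the recovery passwords of already-encrypted
# volumes to Active Directory, one manage-bde call per protector.

$report = foreach ($vol in Get-BitLockerVolume) {
    # Volumes BitLocker has never encrypted have nothing to back up.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

    # A volume can carry several protectors (TPM, PIN, recovery password ...).
    # The recovery password protectors are the ones to escrow.
    $recovery = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    if ($recovery.Count -eq 0) {
        # Encrypted but without a recovery password: flag it for follow-up.
        [pscustomobject]@{
            Volume      = $vol.MountPoint
            ProtectorId = $null
            Status      = 'NoRecoveryPassword'   # label made up for this example
        }
        continue
    }

    foreach ($kp in $recovery) {
        # The command the note refers to:
        #   manage-bde -protectors -adbackup <volume> -id <protector id>
        & manage-bde.exe -protectors -adbackup $vol.MountPoint -id $kp.KeyProtectorId |
            Out-Null

        # manage-bde returns a non-zero exit code when the backup fails,
        # for example when the domain cannot be reached.
        $status = if ($LASTEXITCODE -eq 0) { 'BackedUp' } else { "Failed ($LASTEXITCODE)" }

        [pscustomobject]@{
            Volume      = $vol.MountPoint
            ProtectorId = $kp.KeyProtectorId
            Status      = $status
        }
    }
}

# One row per protector, so failed or missing backups are easy to spot.
$report | Format-Table -AutoSize
```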