BitLocker encryption keys

When encrypting the boot volume or other volumes with BitLocker through SafeGuard Enterprise, the encryption keys are always generated by BitLocker. A key is generated by BitLocker for each volume and cannot be reused for any other purpose.

When using BitLocker with SafeGuard Enterprise, a recovery key is stored in the SafeGuard Enterprise Database. This allows for setting up a helpdesk and recovery mechanism similar to the SafeGuard Enterprise Challenge/Response.

However, it is not possible to select keys globally or reuse them as with SafeGuard Enterprise native clients. The keys are not displayed in the SafeGuard Management Center either.

Note: BitLocker also allows you to back up recovery keys to Active Directory. If this is enabled in the group policy objects (GPOs), the backup happens automatically when a volume is encrypted with BitLocker. If a volume is already encrypted, the administrator can back up its BitLocker recovery keys manually with the Windows manage-bde tool (see "manage-bde -protectors -adbackup -?").
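The manual Active Directory backup for already-encrypted volumes can be scripted across all protected volumes on a machine. This is an added example, not part of the SafeGuard Enterprise documentation; it uses the Windows BitLocker PowerShell module (Get-BitLockerVolume, Backup-BitLockerKeyProtector) as the scripted equivalent of manage-bde -protectors -adbackup, and assumes an elevated session on a domain-joined client whose AD schema already carries the BitLocker recovery attributes.

```powershell
# Added example (not from the SafeGuard Enterprise documentation): escrow the
# recovery-password protector of every BitLocker-protected volume in AD DS.
# Assumptions: elevated PowerShell on a domain-joined Windows client; AD schema
# extended for BitLocker recovery information; -WhatIf is a switch defined here
# so the script can be dry-run before it writes anything to the directory.
param([switch]$WhatIf)

$volumes = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }
if (-not $volumes) {
    Write-Warning 'No BitLocker-protected volumes found; nothing to back up.'
    return
}

foreach ($vol in $volumes) {
    # Only recovery-password (numerical password) protectors can be stored in
    # AD DS; TPM, TPM+PIN and startup-key protectors are skipped on purpose.
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) {
        Write-Warning "$($vol.MountPoint): no recovery-password protector present; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector before backing up."
        continue
    }
    foreach ($kp in $recovery) {
        if ($WhatIf) {
            Write-Host "Would back up $($vol.MountPoint) protector $($kp.KeyProtectorId) to AD DS"
            continue
        }
        try {
            # Command-line equivalent of this call:
            #   manage-bde -protectors -adbackup <MountPoint> -id <KeyProtectorId>
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            Write-Host "$($vol.MountPoint): backed up protector $($kp.KeyProtectorId) to AD DS"
        }
        catch {
            # A failure here usually means the computer object cannot be written
            # (no domain connectivity, missing schema or insufficient rights).
            Write-Error "$($vol.MountPoint): backup of $($kp.KeyProtectorId) failed: $($_.Exception.Message)"
        }
    }
}
```

Run with -WhatIf first to list which protectors would be escrowed; the AD write only happens without that switch.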