BitLocker is a great way of preventing unauthorized people from accessing your data, but it can just as effectively prevent your own users from accessing it. If a computer drops into recovery mode (after a TPM or firmware change, a forgotten PIN, or a lost startup key) and nobody can produce the recovery password, every byte that BitLocker encrypted is permanently inaccessible. This article explains some steps you can take to prevent that from happening.
With BitLocker Drive Encryption you can completely lock down your data. When a computer is encrypted with BitLocker, the volume is normally unlocked at boot by the TPM (optionally combined with a PIN or a USB startup key), after which the user signs in as usual with the Windows logon password; if the TPM cannot unlock it, the only way in is the 48-digit recovery password (or the recovery key file). Great! Your users can now lose as many laptops as they like without you having to worry about whoever finds them reading the data off the disk. But there is also a downside: should the normal unlock fail and the recovery password be lost as well, the data encrypted with BitLocker becomes completely and permanently inaccessible. To all intents and purposes, it is gone for good.
There are, however, some steps you can take that will help ensure that neither you nor your users end up suffering from the BitLocker Blues:
Back up recovery information to Active Directory Domain Services (AD DS). This is the best and easiest way to avoid data loss: with the appropriate Group Policy setting in place, the recovery password (and, optionally, the key package needed to repair a damaged volume) is written to the computer object in AD DS automatically when a volume is encrypted, and an administrator can retrieve it for any user who needs it. See Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information for more information. Should backing up to AD DS not be an option, consider doing one or more of the following.
- Ensure that users understand the importance of their recovery passwords and require that they save them to more than one location. For example, you could require that each recovery password be both saved to a USB drive and printed, with the printed copy held in secure storage within the office. Remember that the recovery password is a plaintext secret wherever it is stored: anyone who obtains the USB drive or the printout can unlock the volume, so treat both with the care you would give the data itself.
- Require that users regularly back up any important data to a location off the BitLocker-encrypted volume, such as a network share. If recovery does fail, that backup is the only copy that survives.
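The following script is an added example, not part of the original article or of any Microsoft tool, that puts both the AD DS backup above and the "save it to more than one place" advice into practice. It assumes an elevated PowerShell prompt on a domain-joined machine with the BitLocker module (Windows 8 / Server 2012 or later; on Windows 7 the equivalent is `manage-bde -protectors -adbackup C: -id {GUID}`), and the drive letter `E:` for the USB drive is an assumption you should change. The final verification step needs the RSAT ActiveDirectory module.

```powershell
# Added example (not from the original article). For every BitLocker-protected volume:
# make sure a recovery password protector exists, escrow it to AD DS, and write a copy
# to a removable drive. Run elevated, on a domain-joined machine.
#Requires -RunAsAdministrator
param(
    [string]$UsbDrive = "E:"    # assumed drive letter; pass "" to skip the USB copy
)

# The GPO "Store BitLocker recovery information in AD DS" writes this value. Without it,
# nothing is escrowed automatically at encryption time; this script escrows by hand.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or $fve.OSActiveDirectoryBackup -ne 1) {
    Write-Warning "AD DS backup policy is not enabled; newly encrypted volumes will not be escrowed automatically."
}

foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }) {
    $mp = $vol.MountPoint
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        # Adds a 48-digit recovery password alongside the existing TPM/PIN protector.
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    foreach ($p in $rp) {
        # Escrow: creates an msFVE-RecoveryInformation child object under the computer account.
        Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Host "$mp : protector $($p.KeyProtectorId) backed up to AD DS"

        if ($UsbDrive -and (Test-Path $UsbDrive)) {
            # Same file name scheme BitLocker uses for "Save to a USB flash drive", so the
            # recovery console can match the file to the volume by protector ID.
            $file = Join-Path $UsbDrive ("BitLocker Recovery Key " + $p.KeyProtectorId.Trim('{}') + ".txt")
            "Identifier: $($p.KeyProtectorId)`r`nRecovery Key:`r`n$($p.RecoveryPassword)" |
                Set-Content -Path $file
            Write-Host "$mp : recovery password written to $file (plaintext; store the drive securely)"
        }
    }
}

# Verify from the directory side: each escrowed password is a child object of the
# computer account, named by timestamp and protector GUID. Requires RSAT (ActiveDirectory).
$dn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
Get-ADObject -SearchBase $dn -SearchScope OneLevel `
    -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -Properties msFVE-RecoveryPassword |
    Select-Object Name, msFVE-RecoveryPassword
```

The verification query is the same one a help-desk administrator would run (or click through in the BitLocker Recovery Password Viewer) when a user calls in with a locked laptop, so if it returns nothing for a volume you have not actually solved the problem. Whatever ends up on the USB drive is the secret in the clear, which is exactly why the advice below about not keeping it with the computer matters.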
Providing users with BitLocker carries some risk of data loss, but it is certainly not as risky as allowing them to carry unencrypted data out of the office.
One final piece of advice: stress to users that they should never keep the medium on which their recovery password is stored with their computer. A laptop bag that holds both the laptop and the USB drive or printout with its recovery password is akin to an unattended vehicle with the keys in the ignition!