Add Key Protector Tool

This forum contains the documentation for the Bitlocker for Automate plugin

Post by Cubert »

The Key Protector tool allows you to add new Key Protectors to a volume.

[Screenshot: AddProtector.PNG]

Select 1 of 9 different types of Key Protectors. Some types require some user data where others may not require any data at all. As you select a key protector the data it requires will be requested.

Some agents may not be able to support some protectors. An example of this is a VMware agent trying to use TPM as a key protector. Since the agent does not have a TPM available, the protector will not be added.

When using passwords and PIN codes with the plugin, it stores this data in Automate for you. Typically passwords and PIN codes are not stored and retrievable by BitLocker. However, the plugin will store this in the Automate database for your needs.

Re: Add Key Protector Tool

Post by Cubert »

From the Microsoft Docs on key protectors:

When a user accesses a drive protected by BitLocker, such as when starting a computer, BitLocker requests the relevant key protector. For example, the user can enter a PIN or provide a USB drive that contains a key. BitLocker retrieves the encryption key and uses it to read data from the drive.

You can use one of the following methods or combinations of methods for a key protector:

  • Trusted Platform Module (TPM). BitLocker uses the computer's TPM to protect the encryption key. If you specify this protector, users can access the encrypted drive as long as it is connected to the system board that hosts the TPM and the system boot integrity is intact. In general, TPM-based protectors can only be associated to an operating system volume.
  • TPM and Personal Identification Number (PIN). BitLocker uses a combination of the TPM and a user-supplied PIN. A PIN is four to twenty digits or, if you allow enhanced PINs, four to twenty letters, symbols, spaces, or numbers.
  • TPM, PIN, and startup key. BitLocker uses a combination of the TPM, a user-supplied PIN, and input from a USB memory device that contains an external key.
  • TPM and startup key. BitLocker uses a combination of the TPM and input from a USB memory device.
  • Startup key. BitLocker uses input from a USB memory device that contains the external key.
  • Password. BitLocker uses a password.
  • Recovery key. BitLocker uses a recovery key stored as a specified file in a USB memory device.
  • Recovery password. BitLocker uses a recovery password.
  • Active Directory Domain Services (AD DS) account. BitLocker uses domain authentication to unlock data volumes. Operating system volumes cannot use this type of key protector.

You can add only one of these methods or combinations at a time, but you can run this cmdlet more than once on a volume.

Adding a key protector is a single operation; for example, adding a startup key protector to a volume that uses the TPM and PIN combination as a key protector results in two key protectors, not a single key protector that uses TPM, PIN, and startup key. Instead, add a protector that uses TPM, PIN, and startup key and then remove the TPM and PIN protector.
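The "add the combined protector first, then remove the old one" sequence described above, written out as an added PowerShell example (not code from the plugin or from Microsoft Docs). It assumes the operating system volume is C:, the removable drive that will hold the startup key is E:, and the PIN is entered interactively so the script never stores it.

```powershell
# Added example: migrate an OS volume from a TPM+PIN protector to a single
# TPM+PIN+startup key protector, in the order the Microsoft Docs text requires.
# Assumptions: OS volume is C:, startup key goes on removable drive E:\.
$MountPoint      = 'C:'
$StartupKeyDrive = 'E:\'

function Get-ProtectorSummary {
    param([string]$MountPoint)
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId
}

Write-Host 'Protectors before:'
Get-ProtectorSummary $MountPoint | Format-Table -AutoSize

# One Add-BitLockerKeyProtector call adds exactly one protector. Adding a plain
# startup key next to an existing TPM+PIN protector would leave two separate
# protectors, so the combined TPM+PIN+startup key protector is added first.
$pin = Read-Host -Prompt 'Enter the BitLocker PIN' -AsSecureString
Add-BitLockerKeyProtector -MountPoint $MountPoint `
    -TpmAndPinAndStartupKeyProtector -Pin $pin -StartupKeyPath $StartupKeyDrive | Out-Null

# Confirm the new protector is really present before touching the old one: on a
# VM or a machine without a usable TPM the add fails and nothing should be removed.
$volume   = Get-BitLockerVolume -MountPoint $MountPoint
$combined = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPinStartupKey'
if (-not $combined) {
    throw 'TPM+PIN+startup key protector was not added; existing protectors left untouched.'
}

# Only now remove the superseded TPM+PIN protector(s).
$old = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin'
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# Never leave the volume with only hardware-bound protectors: make sure a
# recovery password protector exists so the volume stays recoverable.
$recovery = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
}

Write-Host 'Protectors after:'
Get-ProtectorSummary $MountPoint | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the target machine; the "before" and "after" listings let you confirm that exactly one TpmPinStartupKey protector replaced the TpmPin one.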
