How to export recovery keys of all the computer drives in sophos bitlocker encryption console
All BitLocker recovery keys can be exported by a script that uses the API. Below is the VBScript code that I used to export all keys.
The script is designed to run directly on the management server. First you have to change the destination folder (see bekDestinationDirectoryRoot) where you want to store the keys.
The script creates a folder for each computer and stores either the BEK file (Bitlocker Challenge/Response) or the plain text recovery password in a text file.
Regards,
Holger
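Option Explicit

' Exports the BitLocker recovery data of every computer known to the
' SafeGuard/Sophos management console into one folder per computer.
' Runs on the management server, where the scripting COM classes exist.
' Set bekDestinationDirectoryRoot before running.

' Scripting API objects, created in the main part of the script
Dim scripting, scriptingCR, ScriptingDirectory, ScriptingInventory
' Return code of the most recent API call; the script treats 0 as success
Dim result
' Per-computer state filled in by the main loop
Dim adsMachine, otype, MachineName, POAType, hitCount, Counter
' Per-drive state filled in by the main loop
Dim hitCountDrives, idxDrive, DriveId, DriveName, EncryptionState
Dim propertyValue, propertyString
' Recovery data returned by the API and the file it is written to
Dim response, RecoveryPassword, objKeyFile, KeyFileName
' Helper objects, log file and the log file path
Dim FSO, objWshShell, objLogFile, strPath

Const ForWriting = 2

Set FSO = CreateObject("Scripting.FileSystemObject")
Set objWshShell = CreateObject("WScript.Shell")

' Root folder that receives one sub-folder per computer.  The files placed
' there hold plain-text recovery passwords or BEK key files, so restrict the
' folder's ACL to the administrators who need it before running the export.
Dim bekDestinationDirectoryRoot : bekDestinationDirectoryRoot = "c:\SGNData\BLRecoveryKeys\"
Dim bekDestinationFileName
Dim bekDestinationDirectory

' The log file lives next to the script: <script name without extension>.log
' (the original only guarded strPath = "", which is always true here).
strPath = WScript.ScriptFullName
If InStrRev(strPath, ".") > 0 Then
    strPath = Mid(strPath, 1, InStrRev(strPath, ".") - 1)
End If
Set objLogFile = FSO.OpenTextFile(strPath & ".log", 8, True)

' FSO.CreateFolder does not create parent folders, so a missing root would
' make the first per-computer CreateFolder call fail with a runtime error
' part way through the export.  Fail early instead (WriteError is defined below).
If Not FSO.FolderExists(bekDestinationDirectoryRoot) Then
    WriteError "Destination root folder does not exist: " & bekDestinationDirectoryRoot
End If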
' Writes Text to the log with a timestamp and an "Exiting!" marker, closes
' the log file and terminates the script.  Never returns to the caller.
Sub WriteError (Text)
    Dim logLine
    logLine = Now() & " : " & Text & " - Exiting!"
    objLogFile.WriteLine logLine
    objLogFile.Close
    WScript.Quit
End Sub
' Appends one timestamped line containing Text to the log file.
Sub WriteInfo (Text)
    Dim logLine
    logLine = Now() & " : " & Text
    objLogFile.WriteLine logLine
End Sub
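' ---------------------------------------------------------------------------
' Helpers
' ---------------------------------------------------------------------------

' Formats a 48-digit BitLocker recovery password as eight 6-digit groups
' separated by spaces, which is the form entered at the recovery prompt.
' raw: the 48-character string returned by ScriptingCR.BitLockerRecovery.
' Groups start at offsets 1, 7, 13, ... 43.  The original used 1, 6, 12, ...
' 42, which overlapped neighbouring groups and dropped the last digit, so the
' exported password could not be used for recovery.
Function FormatRecoveryPassword(raw)
    Dim grp, formatted
    formatted = ""
    For grp = 0 To 7
        If grp > 0 Then formatted = formatted & " "
        formatted = formatted & Mid(raw, grp * 6 + 1, 6)
    Next
    FormatRecoveryPassword = formatted
End Function

' Returns the export folder for one computer (root & machine name & "\"),
' creating it when it does not exist yet.
Function EnsureMachineFolder(machine)
    Dim folder
    folder = bekDestinationDirectoryRoot & machine & "\"
    If Not FSO.FolderExists(folder) Then
        FSO.CreateFolder folder
    End If
    EnsureMachineFolder = folder
End Function

' ---------------------------------------------------------------------------
' Main
' ---------------------------------------------------------------------------
Set Scripting = WScript.CreateObject("Utimaco.SafeGuard.AdministrationConsole.Scripting.Base")
Set ScriptingCR = Scripting.CreateCRClassInstance()
Set ScriptingDirectory = Scripting.CreateDirectoryClassInstance()
Set ScriptingInventory = Scripting.CreateInventoryClassInstance()

' Initialise and authenticate the API.  Nothing below can work without
' these, so a failure is fatal instead of producing a log full of errors.
result = Scripting.Initialize()
WriteInfo "Scripting.Initialize result: " & result
If result <> 0 Then WriteError "Scripting.Initialize failed"
result = Scripting.AuthenticateService()
WriteInfo "Scripting.AuthenticateService() result: " & result
If result <> 0 Then WriteError "Scripting.AuthenticateService failed"
result = ScriptingCR.Initialize()
WriteInfo "ScriptingCR.Initialize result: " & result
result = ScriptingDirectory.Initialize()
WriteInfo "ScriptingDirectory.Initialize result: " & result
result = ScriptingInventory.Initialize()
WriteInfo "ScriptingInventory.Initialize result: " & result

' Enumerate every computer object in the directory.
result = ScriptingDirectory.GetObjectInitialize("*", "", 1, hitCount)
WriteInfo "ScriptingDirectory.GetObjectInitialize result: " & result
WriteInfo "ScriptingDirectory.GetObjectInitialize hitCount: " & hitCount
If result = 0 And hitCount > 0 Then
    For Counter = 0 To hitCount - 1
        result = ScriptingDirectory.GetObjectByIndex(Counter, adsMachine, otype)
        WriteInfo "ScriptingDirectory.GetObjectByIndex result: " & result
        If result = 0 Then
            WriteInfo "****************************************************************"
            result = ScriptingInventory.GetComputerInventory(adsMachine, "MachineName", propertyValue, propertyString)
            MachineName = propertyString
            WriteInfo "MachineName: " & MachineName
            result = ScriptingInventory.GetComputerInventory(adsMachine, "POAType", propertyValue, propertyString)
            POAType = propertyValue
            WriteInfo "POAType: " & POAType

            If MachineName = "" Then
                ' The machine name is the sub-folder name; without it the
                ' keys would land directly in the root folder.
                WriteInfo "Skipping computer with empty MachineName"
            ElseIf POAType = "2" Then
                ' Per-drive recovery passwords, one text file per encrypted drive.
                result = ScriptingInventory.GetDriveInventoryIdInitialize(adsMachine, hitCountDrives)
                WriteInfo "ScriptingInventory.GetDriveInventoryIdInitialize result: " & result
                idxDrive = 0
                Do While idxDrive < hitCountDrives
                    result = ScriptingInventory.GetDriveInventoryIdByIndex(idxDrive, DriveId)
                    result = ScriptingInventory.GetDriveInventory(adsMachine, DriveId, "DriveName", propertyValue, propertyString)
                    DriveName = propertyString
                    WriteInfo "DriveName: " & DriveName
                    result = ScriptingInventory.GetDriveInventory(adsMachine, DriveId, "State", propertyValue, propertyString)
                    EncryptionState = propertyValue
                    WriteInfo "EncryptionState: " & EncryptionState
                    ' State "2" is the value the original script exported for;
                    ' presumably "encrypted" - confirm against the API documentation.
                    If EncryptionState = "2" Then
                        bekDestinationDirectory = EnsureMachineFolder(MachineName)
                        result = ScriptingCR.BitLockerRecovery(adsMachine, DriveName, response)
                        WriteInfo "ScriptingCR.BitLockerRecovery result: " & result
                        If Len(response) = 48 Then
                            KeyFileName = bekDestinationDirectory & "Drive_" & DriveName & ".txt"
                            WriteInfo "Writing recovery password to file: " & KeyFileName
                            RecoveryPassword = FormatRecoveryPassword(response)
                            ' The password goes only into the per-drive file.  The
                            ' original also wrote it to the append-mode log next to
                            ' the script, which silently accumulated every key.
                            WriteInfo "Recovery password written (" & Len(response) & " digits)"
                            Set objKeyFile = FSO.OpenTextFile(KeyFileName, ForWriting, True, 0)
                            objKeyFile.WriteLine RecoveryPassword
                            objKeyFile.Close
                            Set objKeyFile = Nothing
                        Else
                            ' Log the length, not the value, so a partial key never reaches the log.
                            WriteInfo "ERROR: Invalid Recovery Password, unexpected length " & Len(response)
                        End If
                    End If
                    idxDrive = idxDrive + 1
                Loop
                result = ScriptingInventory.GetDriveInventoryIdFinalize()
            ElseIf POAType = "5" Then
                ' Key file export; the API writes the file and returns its name.
                bekDestinationDirectory = EnsureMachineFolder(MachineName)
                result = ScriptingCR.ExportBitLockerRecoveryKey(adsMachine, bekDestinationDirectory, bekDestinationFileName)
                If result = 0 Then
                    WriteInfo "Key file succesfully written to file :" & bekDestinationFileName
                Else
                    WriteInfo "ERROR: Failed to export key file with error code: " & result
                End If
            End If
        End If
    Next
End If
result = ScriptingDirectory.GetObjectFinalize()

' Final: release the API objects in reverse order of creation.
result = ScriptingInventory.FreeResources()
result = ScriptingDirectory.FreeResources()
result = ScriptingCR.FreeResources()
result = Scripting.FreeResources()
objLogFile.Close
WScript.Quit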
All BitLocker recovery keys can be exported by a script that uses the API. Below is the VBScript code that I used to export all keys.
The script is designed to run directly on the management server. First you have to change the destination folder (see bekDestinationDirectoryRoot) where you want to store the keys.
The script creates a folder for each computer and stores either the BEK file (Bitlocker Challenge/Response) or the plain text recovery password in a text file.
Regards,
Holger
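Option Explicit

' Exports the BitLocker recovery data of every computer known to the
' SafeGuard/Sophos management console into one folder per computer.
' Runs on the management server, where the scripting COM classes exist.
' Set bekDestinationDirectoryRoot before running.

' Scripting API objects, created in the main part of the script
Dim scripting, scriptingCR, ScriptingDirectory, ScriptingInventory
' Return code of the most recent API call; the script treats 0 as success
Dim result
' Per-computer state filled in by the main loop
Dim adsMachine, otype, MachineName, POAType, hitCount, Counter
' Per-drive state filled in by the main loop
Dim hitCountDrives, idxDrive, DriveId, DriveName, EncryptionState
Dim propertyValue, propertyString
' Recovery data returned by the API and the file it is written to
Dim response, RecoveryPassword, objKeyFile, KeyFileName
' Helper objects, log file and the log file path
Dim FSO, objWshShell, objLogFile, strPath

Const ForWriting = 2

Set FSO = CreateObject("Scripting.FileSystemObject")
Set objWshShell = CreateObject("WScript.Shell")

' Root folder that receives one sub-folder per computer.  The files placed
' there hold plain-text recovery passwords or BEK key files, so restrict the
' folder's ACL to the administrators who need it before running the export.
Dim bekDestinationDirectoryRoot : bekDestinationDirectoryRoot = "c:\SGNData\BLRecoveryKeys\"
Dim bekDestinationFileName
Dim bekDestinationDirectory

' The log file lives next to the script: <script name without extension>.log
' (the original only guarded strPath = "", which is always true here).
strPath = WScript.ScriptFullName
If InStrRev(strPath, ".") > 0 Then
    strPath = Mid(strPath, 1, InStrRev(strPath, ".") - 1)
End If
Set objLogFile = FSO.OpenTextFile(strPath & ".log", 8, True)

' FSO.CreateFolder does not create parent folders, so a missing root would
' make the first per-computer CreateFolder call fail with a runtime error
' part way through the export.  Fail early instead (WriteError is defined below).
If Not FSO.FolderExists(bekDestinationDirectoryRoot) Then
    WriteError "Destination root folder does not exist: " & bekDestinationDirectoryRoot
End If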
' Writes Text to the log with a timestamp and an "Exiting!" marker, closes
' the log file and terminates the script.  Never returns to the caller.
Sub WriteError (Text)
    Dim logLine
    logLine = Now() & " : " & Text & " - Exiting!"
    objLogFile.WriteLine logLine
    objLogFile.Close
    WScript.Quit
End Sub
' Appends one timestamped line containing Text to the log file.
Sub WriteInfo (Text)
    Dim logLine
    logLine = Now() & " : " & Text
    objLogFile.WriteLine logLine
End Sub
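' ---------------------------------------------------------------------------
' Helpers
' ---------------------------------------------------------------------------

' Formats a 48-digit BitLocker recovery password as eight 6-digit groups
' separated by spaces, which is the form entered at the recovery prompt.
' raw: the 48-character string returned by ScriptingCR.BitLockerRecovery.
' Groups start at offsets 1, 7, 13, ... 43.  The original used 1, 6, 12, ...
' 42, which overlapped neighbouring groups and dropped the last digit, so the
' exported password could not be used for recovery.
Function FormatRecoveryPassword(raw)
    Dim grp, formatted
    formatted = ""
    For grp = 0 To 7
        If grp > 0 Then formatted = formatted & " "
        formatted = formatted & Mid(raw, grp * 6 + 1, 6)
    Next
    FormatRecoveryPassword = formatted
End Function

' Returns the export folder for one computer (root & machine name & "\"),
' creating it when it does not exist yet.
Function EnsureMachineFolder(machine)
    Dim folder
    folder = bekDestinationDirectoryRoot & machine & "\"
    If Not FSO.FolderExists(folder) Then
        FSO.CreateFolder folder
    End If
    EnsureMachineFolder = folder
End Function

' ---------------------------------------------------------------------------
' Main
' ---------------------------------------------------------------------------
Set Scripting = WScript.CreateObject("Utimaco.SafeGuard.AdministrationConsole.Scripting.Base")
Set ScriptingCR = Scripting.CreateCRClassInstance()
Set ScriptingDirectory = Scripting.CreateDirectoryClassInstance()
Set ScriptingInventory = Scripting.CreateInventoryClassInstance()

' Initialise and authenticate the API.  Nothing below can work without
' these, so a failure is fatal instead of producing a log full of errors.
result = Scripting.Initialize()
WriteInfo "Scripting.Initialize result: " & result
If result <> 0 Then WriteError "Scripting.Initialize failed"
result = Scripting.AuthenticateService()
WriteInfo "Scripting.AuthenticateService() result: " & result
If result <> 0 Then WriteError "Scripting.AuthenticateService failed"
result = ScriptingCR.Initialize()
WriteInfo "ScriptingCR.Initialize result: " & result
result = ScriptingDirectory.Initialize()
WriteInfo "ScriptingDirectory.Initialize result: " & result
result = ScriptingInventory.Initialize()
WriteInfo "ScriptingInventory.Initialize result: " & result

' Enumerate every computer object in the directory.
result = ScriptingDirectory.GetObjectInitialize("*", "", 1, hitCount)
WriteInfo "ScriptingDirectory.GetObjectInitialize result: " & result
WriteInfo "ScriptingDirectory.GetObjectInitialize hitCount: " & hitCount
If result = 0 And hitCount > 0 Then
    For Counter = 0 To hitCount - 1
        result = ScriptingDirectory.GetObjectByIndex(Counter, adsMachine, otype)
        WriteInfo "ScriptingDirectory.GetObjectByIndex result: " & result
        If result = 0 Then
            WriteInfo "****************************************************************"
            result = ScriptingInventory.GetComputerInventory(adsMachine, "MachineName", propertyValue, propertyString)
            MachineName = propertyString
            WriteInfo "MachineName: " & MachineName
            result = ScriptingInventory.GetComputerInventory(adsMachine, "POAType", propertyValue, propertyString)
            POAType = propertyValue
            WriteInfo "POAType: " & POAType

            If MachineName = "" Then
                ' The machine name is the sub-folder name; without it the
                ' keys would land directly in the root folder.
                WriteInfo "Skipping computer with empty MachineName"
            ElseIf POAType = "2" Then
                ' Per-drive recovery passwords, one text file per encrypted drive.
                result = ScriptingInventory.GetDriveInventoryIdInitialize(adsMachine, hitCountDrives)
                WriteInfo "ScriptingInventory.GetDriveInventoryIdInitialize result: " & result
                idxDrive = 0
                Do While idxDrive < hitCountDrives
                    result = ScriptingInventory.GetDriveInventoryIdByIndex(idxDrive, DriveId)
                    result = ScriptingInventory.GetDriveInventory(adsMachine, DriveId, "DriveName", propertyValue, propertyString)
                    DriveName = propertyString
                    WriteInfo "DriveName: " & DriveName
                    result = ScriptingInventory.GetDriveInventory(adsMachine, DriveId, "State", propertyValue, propertyString)
                    EncryptionState = propertyValue
                    WriteInfo "EncryptionState: " & EncryptionState
                    ' State "2" is the value the original script exported for;
                    ' presumably "encrypted" - confirm against the API documentation.
                    If EncryptionState = "2" Then
                        bekDestinationDirectory = EnsureMachineFolder(MachineName)
                        result = ScriptingCR.BitLockerRecovery(adsMachine, DriveName, response)
                        WriteInfo "ScriptingCR.BitLockerRecovery result: " & result
                        If Len(response) = 48 Then
                            KeyFileName = bekDestinationDirectory & "Drive_" & DriveName & ".txt"
                            WriteInfo "Writing recovery password to file: " & KeyFileName
                            RecoveryPassword = FormatRecoveryPassword(response)
                            ' The password goes only into the per-drive file.  The
                            ' original also wrote it to the append-mode log next to
                            ' the script, which silently accumulated every key.
                            WriteInfo "Recovery password written (" & Len(response) & " digits)"
                            Set objKeyFile = FSO.OpenTextFile(KeyFileName, ForWriting, True, 0)
                            objKeyFile.WriteLine RecoveryPassword
                            objKeyFile.Close
                            Set objKeyFile = Nothing
                        Else
                            ' Log the length, not the value, so a partial key never reaches the log.
                            WriteInfo "ERROR: Invalid Recovery Password, unexpected length " & Len(response)
                        End If
                    End If
                    idxDrive = idxDrive + 1
                Loop
                result = ScriptingInventory.GetDriveInventoryIdFinalize()
            ElseIf POAType = "5" Then
                ' Key file export; the API writes the file and returns its name.
                bekDestinationDirectory = EnsureMachineFolder(MachineName)
                result = ScriptingCR.ExportBitLockerRecoveryKey(adsMachine, bekDestinationDirectory, bekDestinationFileName)
                If result = 0 Then
                    WriteInfo "Key file succesfully written to file :" & bekDestinationFileName
                Else
                    WriteInfo "ERROR: Failed to export key file with error code: " & result
                End If
            End If
        End If
    Next
End If
result = ScriptingDirectory.GetObjectFinalize()

' Final: release the API objects in reverse order of creation.
result = ScriptingInventory.FreeResources()
result = ScriptingDirectory.FreeResources()
result = ScriptingCR.FreeResources()
result = Scripting.FreeResources()
objLogFile.Close
WScript.Quit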
Thank you for the script. I can't get it to run, however: I get an error on line 71, "could not create object named, Utimaco.SafeGuard.AdministrationConsole.Scripting.Base". Does anything else have to be set up on the server before running this script?