Use SQL Server and MBAM for BitLocker Recovery Passwords

Q: Can we store our BitLocker recovery passwords in a SQL Server database instead of in Active Directory?

A: You can store your Windows BitLocker Drive Encryption recovery passwords in a Microsoft SQL Server database by using the Microsoft BitLocker Administration and Monitoring (MBAM) tool. MBAM consists of client-side and server-side components and is bundled with the Microsoft Desktop Optimization Pack (MDOP). To use MBAM, your clients must run Windows 7 Enterprise or Ultimate or Windows 8. The server component requires at least a Windows Server 2008 SP2 or Windows Server 2008 R2 operating system and a SQL Server 2008 R2 instance.

Related: Retrieve BitLocker Recovery Passwords from Active Directory

MBAM stores BitLocker recovery data in its own encrypted SQL Server database. This method provides better security than storing the BitLocker recovery passwords in Active Directory (AD) because, in AD, all administrators can access the recovery data, indirectly or directly. Also in AD, the recovery data is stored in clear text.

MBAM uses a web-based administration interface. You can access the MBAM password recovery page by navigating to the default MBAM administration and monitoring page. Then, in the left navigation panel, select Drive Recovery, as Figure 2 illustrates.

Figure 2: Using the Microsoft BitLocker Administration and Monitoring (MBAM) tool to recover a password

You must then enter the AD user ID and domain, a reason why the user is asking for the recovery password, and the first eight characters of the recovery password ID. The latter is displayed after the user or help desk operator reboots the client machine in recovery mode. When you click Submit, MBAM retrieves the recovery password from its recovery database. The administrator or help desk operator can then pass the password to the user, who can enter it on the client to unlock the computer's drive.

An important security detail is that MBAM provides one-time-use recovery passwords. MBAM automatically resets the recovery password for the disk so that the old password cannot be used again. This feature can prevent unauthorized users from gaining access to a BitLocker-protected hard disk if they get access to a previously used recovery key.

In the latest MBAM version -- version 2.0, which was released in late 2012 -- Microsoft also includes a user self-service portal that users can leverage to recover the BitLocker recovery password by themselves -- that is, without calling the help desk. This feature can further reduce the number of BitLocker-related support calls and associated support costs.

Learn More: BitLocker Changes in Windows 8