Encryption certificates
To use BitLocker Management to encrypt hard drives, you first need encryption certificates. DriveLock requires these certificates for both encryption and recovery (to provide the recovery key and for a possible emergency logon).
DriveLock automatically adds the encryption certificates to the Windows Certificate Store, where it also stores the passwords.
It is absolutely necessary to also keep a copy of the encryption certificates in another secure location, either in the file system or on a smartcard.
BitLocker encryption certificates consist of two parts: the actual certificate (DLBiDataRecovery.cer in the figure below) and the private key (DLBiDataRecovery.pfx in the figure below):
The certificate for emergency logon consists of the following parts:
Prevent these certificates from being overwritten, as they are required for the clients' system recovery.
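One way to produce and verify the backup copy called for above, as an added example that is not DriveLock's own tooling: it exports the certificate's two parts (.cer and password-protected .pfx) from the Windows Certificate Store to a separate secured folder and checks the copy before it is relied on. It assumes the certificate sits in the local machine's Personal store with a subject containing "DLBiDataRecovery", that its private key was created as exportable, and that D:\Secure\BitLockerCerts is a protected volume; all three are assumptions to adjust to your environment.

```powershell
# Added example, not DriveLock code. Assumptions: store location, subject pattern,
# exportable private key and backup path (change to match the DriveLock console).
Import-Module PKI

$subjectPattern = 'DLBiDataRecovery'            # assumption: subject of the DriveLock certificate
$backupDir      = 'D:\Secure\BitLockerCerts'    # assumption: protected, separately backed-up volume

# Select exactly one certificate that carries a private key.
$cert = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$subjectPattern*" -and $_.HasPrivateKey })
if ($cert.Count -eq 0) { throw "No certificate with a private key matching '$subjectPattern' found." }
if ($cert.Count -gt 1) { throw "Several certificates match '$subjectPattern'; select one by thumbprint." }
$cert = $cert[0]

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Public part (.cer): identifies the certificate, contains no secret.
$cerPath = Join-Path $backupDir 'DLBiDataRecovery.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Private key (.pfx): this is what recovery depends on, so it is password-protected.
$pfxPath     = Join-Path $backupDir 'DLBiDataRecovery.pfx'
$pfxPassword = Read-Host -Prompt 'Password for the .pfx backup' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null

# Verify the copy: the .cer must match the store certificate and the .pfx must hold the key.
$x509     = 'System.Security.Cryptography.X509Certificates'
$cerCheck = New-Object "$x509.X509Certificate2" -ArgumentList $cerPath
$pfxCheck = New-Object "$x509.X509Certificate2" -ArgumentList $pfxPath, $pfxPassword, 'DefaultKeySet'
if ($cerCheck.Thumbprint -ne $cert.Thumbprint) { throw 'Exported .cer does not match the store certificate.' }
if ($pfxCheck.Thumbprint -ne $cert.Thumbprint) { throw 'Exported .pfx does not match the store certificate.' }
if (-not $pfxCheck.HasPrivateKey)              { throw 'Exported .pfx does not contain the private key.' }

# Restrict both files to administrators; the .pfx is as sensitive as the recovery keys it unlocks.
foreach ($path in @($cerPath, $pfxPath)) {
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)     # drop inherited ACEs
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

Write-Host "Backup verified in $backupDir (thumbprint $($cert.Thumbprint))."
```

Record the thumbprint with the backup so the copy can later be matched against the certificate referenced by the BitLocker policy.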
When you create a new policy for controlling BitLocker Management (a BitLocker policy), always generate new certificates first. Proceed as described in the chapter Creating encryption certificates for BitLocker Management.