Configure encrypted drive recovery

In order to use the offline password recovery functionality, you must generate a master certificate, consisting of a public and private key pair, before creating the first encrypted directory. You can also create multiple certificates and restrict each of them via the Computer / Networks / Logged on users filters. This is useful when different groups of users are allowed to recover different sets of encrypted data. In any case, at least the default recovery certificate with the lowest priority should be generated.

Example: Especially in large environments, it may be preferable to create a default certificate that is used for everyone, while only the management board has its own recovery certificate. The default certificate is given to the IT helpdesk so that the password of encrypted directories can be reset for all employees except the management board. Only the IT Security Manager and the IT Enterprise Administrator receive the management board's recovery certificate, so that recovery is also possible there. This further restricts the group of people who potentially have access to the management board's confidential data.

To configure the settings for restoring encrypted drives, open the Encrypted folder recovery sub-node in the File Protection node.

When restoring encrypted directories, the appropriate recovery certificate must be selected if certificates with multiple priorities have been created.

By default, there is initially one certificate entry which is used for all encrypted directories (if configured). This certificate has the Lowest priority and cannot be deleted.

To create a default recovery certificate, perform the following steps:

  • Double-click Certificate-based recovery (Lowest priority).

  • Click Certificate File and select Create New from the drop-down menu. This will start the wizard for generating the main certificate.

  • Next, either specify the folder where you want to save the certificate file or, alternatively, choose a smart card as the location.

  • If you are using a smart card for storage, you will now be asked to insert the card and select it, depending on the type of card you are using.

Make sure that this file is saved in a safe place, as it is urgently needed for password recovery.

  • Now enter the password for accessing the private key area of the certificate. You must enter the password twice for security reasons.

  • To continue, click Next. It takes a few seconds to generate the main certificate. You will then be notified when the process is complete and the file has been saved to the previously specified location.

Make sure you do not forget this password. You should likewise store this in another safe place (for example, in a safe).

  • If a smart card is used for storage, you will be prompted to enter the PIN for accessing the smart card.

  • Click Finish.

The certificate file you just created is now displayed.

Once the certificate has been created and the first encrypted container has been generated, do not create a new certificate: it would overwrite the old one, which could then no longer be used for recovery.

If you click Properties, you will get additional information about the main certificate.

The certificate is also stored in the private certificate store of the current user. The public key of the certificate is also stored inside the local policy file store.

If you cancelled the creation wizard or a problem occurred during creation, DriveLock displays a corresponding message and you have to create the main certificate again.
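The key-pair split described above (private key in the user's certificate store or on a smart card, public key in the policy store) and the warning about overwriting the certificate can be seen in code. The following Go program is an added illustration, not DriveLock code, and it simplifies the certificate to a bare RSA key pair: each encrypted folder's random key is wrapped to the recovery public key, and only the original private key can unwrap it. The type and function names, the folder name and the RSA-OAEP wrapping are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// RecoveryKeyPair stands in for the main (recovery) certificate. The private
// half is what the wizard writes to the chosen folder or smart card under a
// password (this example keeps it in memory); the public half is what ends
// up in the local policy file store.
type RecoveryKeyPair struct {
	Private   *rsa.PrivateKey
	PublicPEM []byte // PEM "PUBLIC KEY" block, as it would sit in the policy store
}

// GenerateRecoveryKeyPair mirrors the "Create New" step of the wizard.
func GenerateRecoveryKeyPair() (*RecoveryKeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	pub := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return &RecoveryKeyPair{Private: priv, PublicPEM: pub}, nil
}

// EncryptedFolder holds the recovery information an encrypted directory
// carries: its random folder key, wrapped to the recovery public key.
// Without the matching private key this blob is useless.
type EncryptedFolder struct {
	Name       string
	WrappedKey []byte
}

// CreateEncryptedFolder generates a fresh folder key and wraps it with the
// public key currently held in the policy store. The clear folder key is
// returned only so a caller can verify recovery; a real client keeps it
// protected by the user's folder password, never in plain form.
func CreateEncryptedFolder(name string, policyPublicPEM []byte) (*EncryptedFolder, []byte, error) {
	block, _ := pem.Decode(policyPublicPEM)
	if block == nil {
		return nil, nil, errors.New("policy store holds no recovery public key")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, nil, err
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return nil, nil, errors.New("recovery public key is not RSA")
	}
	folderKey := make([]byte, 32) // AES-256 folder key (constructed at random)
	if _, err := rand.Read(folderKey); err != nil {
		return nil, nil, err
	}
	// OAEP with the folder name as label binds the wrapped key to this folder.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, folderKey, []byte(name))
	if err != nil {
		return nil, nil, err
	}
	return &EncryptedFolder{Name: name, WrappedKey: wrapped}, folderKey, nil
}

// RecoverFolderKey is the offline recovery step: the holder of the private key
// unwraps the folder key. Only the key pair whose public half was in the
// policy store when the folder was created can do this.
func RecoverFolderKey(f *EncryptedFolder, kp *RecoveryKeyPair) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, kp.Private, f.WrappedKey, []byte(f.Name))
}

func main() {
	original, _ := GenerateRecoveryKeyPair()
	folder, _, _ := CreateEncryptedFolder("Finance", original.PublicPEM)

	if _, err := RecoverFolderKey(folder, original); err == nil {
		fmt.Println("recovery with the original certificate: OK")
	}
	// Re-running the wizard after the first container exists replaces the key
	// pair; the new private key cannot unwrap keys wrapped to the old public key.
	replacement, _ := GenerateRecoveryKeyPair()
	if _, err := RecoverFolderKey(folder, replacement); err != nil {
		fmt.Println("recovery with a regenerated certificate fails:", err)
	}
}
```

The second half of main is the point of the warning in this section: once a folder has been wrapped to a public key, no later key pair can stand in for the private key that was lost or overwritten, which is why the private key file and its password belong in a safe.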

If you have used encrypted directories without a root certificate before, it is useful to enable the Add recovery information to existing folders option. In this case, each time a directory is connected, DriveLock checks whether recovery information already exists and generates it if necessary. The data required for recovery is then also transferred to the DriveLock Enterprise Service.

If DriveLock Enterprise Service is not used in your environment or you do not want the recovery data to be transferred to DriveLock Enterprise Service, you can disable this feature by enabling the No offline recovery - do not upload recovery information to DES option.

Right-click Encrypted folder recovery and select New -> Encryption recovery rule from the context menu to create another certificate.

At the beginning there is no certificate file specified here. Click Certificate File and select Create New from the drop-down menu.

This will start the main certificate generation wizard again. Now the procedure is the same as when generating the certificate for the lowest priority.

Via Settings on the Computer, Networks and Logged on users tabs you can now specify for which computers, networks and logged-on users this certificate should be used. The functionality is the same as in many other places in DriveLock and is therefore not described in detail here.

The new certificate is then displayed in the detail view on the right.

The first additional certificate is assigned priority 1, and each additional certificate is assigned a priority that is one higher than the highest existing priority.

Right-click an entry and select Down or Up to adjust the order of prioritization. Via Delete you can delete an existing certificate.
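To make the filter and priority model concrete, here is an added Go example (not DriveLock code) that evaluates a list of recovery rules against a client's computer name, IP address and logged-on user and returns the certificate to use. It assumes that rules are tried from the highest priority number downwards and that the non-deletable Lowest-priority default, which has no filters, is the fallback; the rule names, user names and address ranges are constructed for the example and reproduce the helpdesk / management board scenario from the start of this section.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// RecoveryRule models one entry under the Encrypted folder recovery node: the
// certificate it points at plus the Computer / Networks / Logged on users
// filters from its Settings tabs. An empty filter list means "no restriction".
type RecoveryRule struct {
	CertName  string
	Priority  int      // 0 = the built-in "Lowest priority" default; 1, 2, ... = additional rules
	Computers []string // computer names
	Networks  []string // CIDR ranges
	Users     []string // logged-on users, DOMAIN\user
}

// Context is what is known about the client whose folder needs recovery.
type Context struct {
	Computer string
	IP       net.IP
	User     string
}

func containsFold(list []string, v string) bool {
	for _, item := range list {
		if strings.EqualFold(item, v) {
			return true
		}
	}
	return false
}

func inNetworks(cidrs []string, ip net.IP) bool {
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err == nil && ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// Matches is true when every configured filter tab accepts the context.
func (r RecoveryRule) Matches(c Context) bool {
	if len(r.Computers) > 0 && !containsFold(r.Computers, c.Computer) {
		return false
	}
	if len(r.Networks) > 0 && !inNetworks(r.Networks, c.IP) {
		return false
	}
	if len(r.Users) > 0 && !containsFold(r.Users, c.User) {
		return false
	}
	return true
}

// SelectRecoveryRule tries the rules from the highest priority number down
// (assumed ordering, chosen because the default is labelled "Lowest") and
// returns the first rule whose filters all match. Because the default rule
// has no filters, a match is always found when it is present.
func SelectRecoveryRule(rules []RecoveryRule, c Context) (RecoveryRule, bool) {
	sorted := append([]RecoveryRule(nil), rules...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].Priority > sorted[j].Priority })
	for _, r := range sorted {
		if r.Matches(c) {
			return r, true
		}
	}
	return RecoveryRule{}, false
}

// ExampleRules is the constructed scenario: the default certificate held by
// the helpdesk, a management board certificate, and a network-bound one.
func ExampleRules() []RecoveryRule {
	return []RecoveryRule{
		{CertName: "Default recovery certificate (IT helpdesk)", Priority: 0},
		{CertName: "Management board recovery certificate", Priority: 1, Users: []string{`CORP\ceo`, `CORP\cfo`}},
		{CertName: "Data center recovery certificate", Priority: 2, Networks: []string{"10.20.0.0/16"}},
	}
}

func main() {
	for _, c := range []Context{
		{Computer: "WS-0815", IP: net.ParseIP("192.168.1.10"), User: `CORP\alice`},
		{Computer: "WS-0001", IP: net.ParseIP("192.168.1.11"), User: `CORP\ceo`},
		{Computer: "SRV-DB01", IP: net.ParseIP("10.20.5.7"), User: `CORP\dba`},
	} {
		r, _ := SelectRecoveryRule(ExampleRules(), c)
		fmt.Printf("%s / %s -> %s\n", c.Computer, c.User, r.CertName)
	}
}
```

Running it shows alice falling through to the helpdesk certificate, the CEO being routed to the management board certificate, and the database server being routed by its network; moving a rule Up or Down in the console corresponds to changing its Priority value here.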

If you delete a certificate that has already been used, it cannot be restored.