Configure Recovery Key Escrow

Key escrow is a method of storing copies of important cryptographic keys with a trusted party. By using key escrow, organizations can ensure that in the event of a crisis, such as a security breach, lost or forgotten keys, or a natural disaster, their critical keys remain safe and can be recovered.

Some of the scenarios where recovery key escrow becomes necessary are as follows:

  • A desk-side support technician moving a disk from a broken laptop to a new laptop.

  • A laptop being sent to the legal department for safekeeping after an employee leaves the company.

  • Laptop recycling.

Recovery key escrow configuration involves the following steps:

  1. Creating certificates – Create a certificate and key pair for encrypting the recovery key through the WebUI MDM app. The certificate (public key) is used in Windows actions and in the macOS escrow payload; the private key is placed in the BES server plugin folder for decryption.
  2. Setting up Vault – Specify an existing Vault server (URL and access keys), or deploy Vault with self-signed certificates. You can access the Vault directory to get the unseal keys and access keys that were generated, and then configure the Vault settings in WebUI.
  3. Setting up the Escrow plugin – Trigger the action to deploy the plugin, and then configure it with the certificate key details and the Vault details, so that the private key is stored in the 'Applications' directory of the BES server.
  4. Manual device task to escrow the recovery key – If a device's recovery key is missing or out of date, regenerate it so that a current key is escrowed.
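The certificate and escrow flow in steps 1 and 3 can be exercised end to end with plain OpenSSL. The script below is an added example written for this page; it is not BigFix's own code, and the file names, the certificate subject, the sample recovery key and the commented Vault path are assumptions. It generates the escrow certificate and private key, encrypts a constructed recovery key to the certificate the way a device would, checks that the escrowed blob does not contain the key in the clear, and decrypts it with the private key the way the server-side plugin would.

```shell
#!/bin/sh
# Added example, not BigFix code: envelope-style escrow of a recovery key
# with an RSA certificate. File names, CN and the sample key are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Step 1: create the escrow certificate and key pair (self-signed RSA-2048).
# The certificate (public half) is what goes out in the Windows action or the
# macOS escrow payload; the private key stays on the BES server only.
make_escrow_keypair() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=recovery-key-escrow" \
        -keyout "$WORK/escrow.key" -out "$WORK/escrow.crt" 2>/dev/null
    chmod 600 "$WORK/escrow.key"   # only the plugin's service account should read this
}

# Device side: encrypt the recovery key to the certificate's public key with
# RSA-OAEP (SHA-256). Only the holder of escrow.key can reverse this.
escrow_encrypt() {   # $1 = plaintext recovery key file, $2 = output blob
    openssl pkeyutl -encrypt -certin -inkey "$WORK/escrow.crt" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$1" -out "$2"
}

# Server side: decrypt the escrowed blob with the private key.
escrow_decrypt() {   # $1 = blob; prints the recovered key
    openssl pkeyutl -decrypt -inkey "$WORK/escrow.key" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$1"
}

# Full round trip for one recovery key: generate keys, escrow, verify the blob
# is opaque, then recover. Prints the recovered key.
roundtrip() {   # $1 = recovery key string
    make_escrow_keypair
    printf '%s' "$1" > "$WORK/recovery.key"
    escrow_encrypt "$WORK/recovery.key" "$WORK/recovery.key.enc"
    # The .enc blob is what would be written to Vault, e.g. (assumed KV path):
    #   vault kv put secret/escrow/<device-id> recovery_key=@"$WORK/recovery.key.enc"
    if grep -q -- "$1" "$WORK/recovery.key.enc"; then
        echo "recovery key present in clear text in escrow blob" >&2
        return 1
    fi
    escrow_decrypt "$WORK/recovery.key.enc"
}

# Constructed sample in FileVault personal-recovery-key format (not a real key).
SAMPLE_KEY="ABCD-EFGH-IJKL-MNOP-QRST-UVWX"
RECOVERED="$(roundtrip "$SAMPLE_KEY")"
if [ "$RECOVERED" = "$SAMPLE_KEY" ]; then
    echo "escrow round trip OK: $RECOVERED"
else
    echo "escrow round trip FAILED" >&2
    exit 1
fi
```

The point to take from the round trip is the split of trust: every device only ever holds the certificate, so a stolen MDM payload or Vault dump yields ciphertext, while the single private key on the BES server is the asset to lock down (restrictive file permissions, backed up out of band, because losing it makes every escrowed key unrecoverable).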

Note:
  • Setup requires user interaction: the user may need to continue the setup, enter a password at startup to begin the encryption process, or start the OS after the forced restart.
  • On macOS, encrypting secondary drives and enforcing encryption of removable drives are not supported.