Setup Recovery Key Escrow Plugin

Before you begin

Ensure the BES Server Plugin Service is already installed.

About this task

To install the Encryption plugin on the BES server, complete the following steps.

Procedure

  1. From the WebUI main page, click Apps > MCM.
  2. On the Modern Client Management page, click Admin.
  3. On the following screen, select Recovery Key Escrow > Setup Recovery Key Escrow Plugin.
  4. Enter the Vault URL, and the Vault Username and Vault Password of an account that has write access to the 'bigfix' Secret Engine, as set up previously.
  5. Click Deploy.
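
Before entering the account in step 4, you can confirm that it really has write access to the 'bigfix' Secret Engine. The script below is an added example, not part of the product or of the original page. It assumes the account uses Vault's userpass auth method at its default mount, and the secret path you pass in (for example `bigfix/test-key`, or `bigfix/data/test-key` on a KV version 2 engine) is hypothetical.

```python
"""Added example: pre-check the Vault account used in step 4 (not product code)."""
import json
import urllib.parse
import urllib.request

# This example treats "write access" as holding both create and update.
WRITE_CAPS = {"create", "update"}


def has_write_access(caps_response, path):
    """True when a sys/capabilities-self response grants write on `path`."""
    data = caps_response.get("data") or {}
    caps = set(caps_response.get(path) or data.get(path, []))
    if "deny" in caps:  # an explicit deny overrides every other capability
        return False
    return "root" in caps or WRITE_CAPS <= caps


def _post(url, body, token=None):
    headers = {"Content-Type": "application/json"}
    if token:
        headers["X-Vault-Token"] = token
    req = urllib.request.Request(url, json.dumps(body).encode(), headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def check_account(vault_url, username, password, path):
    """Log in with userpass (assumed auth method) and test write access."""
    if not vault_url.lower().startswith("https://"):
        raise ValueError("refusing to send the Vault password over a non-HTTPS URL")
    user = urllib.parse.quote(username, safe="")
    login = _post(f"{vault_url}/v1/auth/userpass/login/{user}", {"password": password})
    token = login["auth"]["client_token"]
    caps = _post(f"{vault_url}/v1/sys/capabilities-self", {"paths": [path]}, token)
    return has_write_access(caps, path)


# Constructed sample responses (not captured from a real Vault server).
SAMPLE_WRITER = {"bigfix/test-key": ["create", "read", "update"]}
SAMPLE_READER = {"data": {"bigfix/test-key": ["list", "read"]}}
SAMPLE_DENIED = {"bigfix/test-key": ["deny"]}

if __name__ == "__main__":
    import getpass
    import sys
    url, name, secret_path = sys.argv[1:4]
    ok = check_account(url, name, getpass.getpass("Vault password: "), secret_path)
    print("write access" if ok else "NO write access")
    sys.exit(0 if ok else 1)
```

Run it with the Vault URL, the username and a secret path as arguments; the password is prompted for so that it does not end up in shell history.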

What to do next

By default, the Recovery Key Escrow Plugin tries to talk with Vault (https://www.hashicorp.com/products/vault) as its secure secrets repository. Vault must be configured separately for Recovery Keys storage and retrieval to work properly. For more information, see Set up Vault.
Once configured, users that have specific access to Vault directly can obtain recovery keys for all keys that have been escrowed properly.
Note: User access to Vault is separate from BigFix users and operators and needs to be configured separately.

To learn how to create a full disk encryption policy, see Disk Encryption Policy.