this post was submitted on 19 Jul 2024
632 points (98.5% liked)
Technology
59534 readers
3195 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Paper print in a safe is what's usual done.
You need at least two copies in two different places - places that will not burn down/explode/flood/collapse/be locked down by the police at the same time.
An enterprise is going to be commissioning new computers or reformatting existing ones at least once per day. This means the bitlocker key list would need printouts at least every day in two places.
Given the above, it's easy to see that this process will fail from time to time, in ways like accicentally leaking a document with all these keys.
I think the idea is to store most of the keys in AD. Then you just have to worry about restoring your DCs.
I think that's a better plan than physically printing keys. I'd also want to save the keys in another format somewhere - perhaps using a small script to export them into a safe store in the cloud or a box I control somewhere