Disclaimer: this may not be an exhaustive description of the solution and is intended to be used as a guideline. All information is available in the product documentation, including the Administrator's Guide.
There are usually three important aspects for the recovery of encrypted data:
Data and Key backups
This point is simply the foundation of IT best practices - backups are your friends, but only if tested!
Additional note: data backups can often be stored in clear (i.e. not encrypted), provided they are kept in a safe location.
Among others, you should keep up-to-date and good backups of:
- Symantec Encryption Management Server backups (stored outside of the server)
- Virtual Disk images you may have
- Organization Key (full keypair) and its corresponding passphrase - this is probably the most critical key in the encryption environment: it is used to sign all user keys the Symantec Encryption Management Server creates and to encrypt server backups!
- Symantec Encryption Desktop keyrings (including private ones), especially if using standalone installations and/or Client Key Mode (CKM) and Server-Client Key Mode (SCKM)
- Ignition Keys (you don't really back these up, but you need the credentials, so keep them safe) - most environments don't require this one. It is only needed when there is a risk of an unauthorized person gaining physical control of the server hardware. If used, the server stays locked until it is unlocked using the proper method.
There are two types of Ignition Keys:
- Hardware Token: You need to have the PKCS#11 token and its respective PIN
- Soft-Ignition Passphrase: You need to know the passphrase you have specified.
Key recovery (and ADK)
How do you recover a lost key or decrypt data with an alternative key? Key Reconstruction - enabling key reconstruction ensures that users can reconstruct their PGP keys.
Key reconstruction is useful if the user loses their key material, or forgets their key passphrase. Key reconstruction is not suitable for enterprise data recovery, since only the user knows the answers to the reconstruction questions.
Additional Decryption Key (ADK) - The ADK is only available in Symantec Encryption Management Server environments. An ADK can be used to decrypt encrypted data and messages if an end user is unable or unwilling to do so. For different purposes, two types of ADK can be defined in a managed environment:
- Policy ADK - this can be defined per consumer policy
- Organization ADK - this will be applied to every user in the environment
For standalone installations you can use the Master Key in a similar way to an ADK; however, this relies on trusting the users (that they won't remove that key), and its value is limited to recovering encrypted data when the user key is lost.
What are the recovery options configurable for Disk Encryption in Symantec Encryption Management Server?
There are several ways to ensure access to encrypted disks. Note that if none of the following options was enabled *before* losing access to the disk, it will not be possible to access the content, because the disk records cannot be modified after access is lost.
The options can be configured in the consumer policy:
Consumers > Consumer Policy > select the policy > in the section Symantec Encryption Desktop click the Desktop (button) > Drive Encryption (tab).
Under Symantec Drive Encryption there are several options which should be enabled and must be defined according to company policy and local regulations.
- Enable Whole Disk Recovery Tokens - this will send a one-time token to the management server and can be used to regain access to the encrypted disk. Once used a new token will be automatically sent to the server.
- Encrypt Windows Drive Encryption disks and PGP Virtual Disks to a Disk Administrator Key. Attention!: the Symantec Drive Encryption administrator key is used to log in to a user's system at the Symantec Drive Encryption BootGuard screen using two-factor authentication (with a smart card or token). Check for token support before deployment.
- Encrypt Drive Encryption disks to a Disk Administrator Passphrase - this adds a permanent passphrase to the disk which can be used by administrators. This passphrase should be kept private.
- Use the WDE-ADMIN Active Directory group membership - Any member of the WDE-ADMIN Active Directory group can remotely access a system to add or remove users from Symantec Drive Encryption, encrypt or decrypt a drive, and so on, using the Symantec Drive Encryption command-line tool. These administrative functions can be performed without having to request the user's passphrase.
- Local Self Recovery Security Questions - also useful for standalone installations. Note: the Security Questions for Local Self Recovery cannot be created until the disk is fully encrypted.
Some companies/regulations have strict policies on the usage of these bypass mechanisms, and they should be documented in an internal "paper" policy.
For the ADK it is also possible to use key splitting, which requires the presence of multiple stakeholders to unlock access to encrypted data.
Last but not least, deploying system images with Symantec Encryption Desktop pre-installed is not supported*. This may result in some of the options above being unavailable, potentially leading to data loss because no recovery option exists.
*Edited: This statement is no longer valid with the latest release of Symantec Encryption Desktop 10.3.2.
See Symantec Encryption Management Server 3.3.2 Release Notes - DOC7056.
"Creating System Images with Symantec Encryption Desktop
This release supports the creation of a system image (also known as a golden image, master image, or base image) with Symantec Encryption Desktop..."
And Create System Images with Symantec Encryption Desktop 10.3.2 - TECH214364.
Each environment has its own specifics, so testing is also part of IT best practices and, whenever possible, should be done on test machines.