Paper print in a safe is what’s usual done.
Comment on An angry admin shares the CrowdStrike outage experience
JasonDJ@lemmy.zip 1 month agoI get storing bitlocker keys in AD, but as a net admin and not a server admin…what do you do with the DCs keys? USB storage in a sealed envelope in a safe (or at worst, locked file cabinet drawer in the IT managers office)?
Or do people forego running bitlocker on servers since encrypting data-at-rest can be compensated by physical security in the data center?
Tankton@lemm.ee 1 month ago
modeler@lemmy.world 1 month ago
You need at least two copies in two different places - places that will not burn down/explode/flood/collapse/be locked down by the police at the same time.
An enterprise is going to be commissioning new computers or reformatting existing ones at least once per day. This means the bitlocker key list would need printouts at least every day in two places.
Given the above, it’s easy to see that this process will fail from time to time, in ways like accicentally leaking a document with all these keys.
JasonDJ@lemmy.zip 1 month ago
I think the idea is to store most of the keys in AD. Then you just have to worry about restoring your DCs.
modeler@lemmy.world 1 month ago
I think that’s a better plan than physically printing keys. I’d also want to save the keys in another format somewhere - perhaps using a small script to export them into a safe store in the cloud or a box I control somewhere
catloaf@lemm.ee 1 month ago
When I set it up at one company, the recovery keys were printed out and kept separately.
nobleshift@lemmy.world 1 month ago
Paper never goes out of style …