Encryption Recovery Key Search

You can search for encryption recovery keys.

You can get a device encryption recovery key by entering a volume or recovery identifier.

Retrieve recovery key (Windows computers)

If users are unable to log in to their encrypted computer, you can get a recovery key that unlocks the computer. There is one recovery key for each volume of a BitLocker-protected computer. It is created and backed up in Sophos Central before the computer is encrypted.

Note

When Sophos Central Device Encryption is installed, existing BitLocker recovery keys are replaced automatically and can no longer be used.

Note

Even if a policy has been disabled and the computer's Device Encryption status is shown as Unmanaged, you can get a recovery key if one is available.

To get the recovery key, do as follows:

  1. Go to Devices > Computers.
  2. Select the computer you want to recover, and click More > Retrieve Recovery Key.

If you can't find the computer in the list, you need the recovery key identifier or the volume identifier, which you then use in the recovery wizard, as follows:

  1. Tell the user to restart the computer and press the Esc key on the BitLocker logon screen.
  2. Ask the user to provide you with the information displayed in the BitLocker recovery screen.
  3. In Sophos Central, go to Computers and click More > Retrieve Recovery Key.
  4. Enter at least five characters of the recovery key identifier or the volume identifier provided by the user.
  5. Click Show Key to display the recovery key.

    Note

    If you enter a volume identifier, Sophos Central displays all available recovery keys for this volume. The latest recovery key is the top one.

  6. Make sure that the user is authorized to access the encrypted device before you provide the recovery key.

    Note

    As soon as a recovery key is displayed to you as administrator, it is marked as used and will be replaced at the next synchronization.

  7. Give the recovery key to the user.

The user can now unlock the computer. Users of computers running Windows 8 or later are prompted to create a new PIN or password. Instructions for creating the PIN or password are displayed automatically.

After the computer has been recovered, a new recovery key is created and backed up in Sophos Central. The old one is deleted from the computer.
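The following is an added example, not part of the Sophos documentation: a PowerShell check an administrator can run on a Windows computer that is accessible again (for example after the recovery above) to confirm that every BitLocker volume has a recovery password protector and to see its recovery key identifier, which is the value matched in Sophos Central. It assumes the built-in BitLocker PowerShell module (Windows 8 or Server 2012 and later) and an elevated session; the function name Get-RecoveryKeyIdReport is ours.

```powershell
# Added example (not Sophos code): report BitLocker recovery key identifiers
# per volume. Requires the BitLocker module and an elevated PowerShell session.
function Get-RecoveryKeyIdReport {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Only RecoveryPassword protectors can be used from the recovery screen,
        # so these are the ones whose identifiers matter for key retrieval.
        $recovery = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        if ($recovery.Count -eq 0) {
            # No protector present: no recovery key can exist for this volume.
            [pscustomobject]@{
                MountPoint    = $vol.MountPoint
                VolumeStatus  = $vol.VolumeStatus
                Protection    = $vol.ProtectionStatus
                RecoveryKeyId = $null
                Warning       = 'No recovery password protector on this volume'
            }
            continue
        }

        foreach ($kp in $recovery) {
            # Report the identifier only. The recovery password itself is
            # deliberately left out so it does not end up in logs or transcripts.
            [pscustomobject]@{
                MountPoint    = $vol.MountPoint
                VolumeStatus  = $vol.VolumeStatus
                Protection    = $vol.ProtectionStatus
                RecoveryKeyId = $kp.KeyProtectorId
                Warning       = $null
            }
        }
    }
}

Get-RecoveryKeyIdReport | Format-Table -AutoSize
```

Running the report before and after a recovery shows that the old identifier has been removed and a new one is present, matching the behaviour described above.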

Retrieve recovery key (Macs)

If users forget their login password, you can get a recovery key that unlocks the computer.

To get the recovery key, do as follows:

  1. Go to Devices > Computers.
  2. Select the computer you want to recover, and click More > Retrieve Recovery Key.

If you can't find the computer in the list, you need the recovery key identifier or the volume identifier, which you then use in the recovery wizard, as follows:

  1. Tell the user to switch on their computer and wait until the Recovery Key ID is displayed.

    Note

    The recovery key ID is displayed for a short time. To display it again, users must restart their computer.

  2. Ask the user to tell you the Recovery Key ID.

  3. In Sophos Central, go to Computers and click More > Retrieve Recovery Key.
  4. Enter at least five characters of the recovery key identifier.
  5. Click Show Key to display the recovery key.
  6. Make sure that the user is authorized to access the encrypted device before you provide the recovery key.
  7. Give the recovery key to the user.

    • For users imported from Active Directory, continue to step 8.
    • For all other users, go straight to step 10.
  8. Reset the existing password in Active Directory. Then generate a preliminary password and give it to the user.

  9. Tell the user to click Cancel in the Reset Password dialog and enter the preliminary password instead.
  10. Tell the user to do as follows:

    • Create a new password.
    • Click Create New Keychain if prompted.

The user can access the computer again.