Categories Reviews

Review: Self-service key recovery solution Specops Key Recovery

Product homepage and free trial offer: click here

Encryption solutions such as BitLocker can go a long way toward making a user’s device more secure. At the same time though, a user who loses their BitLocker key may be locked out of their device. Specops is attempting to solve this problem with Specops Key Recovery. Specops Key Recovery can provide users with self-service key recovery services for both BitLocker and Symantec Endpoint Encryption. For this review, however, I will be focusing solely on BitLocker key recovery.

Installation process

Before I could install Specops Key Recovery, I had to create a customer account. The account creation process was relatively easy, and mostly just involved providing information such as the organization’s name and domain name, as well as the primary contact person’s name and email address. This process also required me to enter a mobile phone number. Upon doing so, Specops sent me a code via text message. This code is then used to complete the account creation process.

The next step is to download the Gatekeeper. As you complete this process, you must also make note of an activation code that you will use later on to activate the Gatekeeper. The actual installation process simply involves installing the administration tools and installing the Gatekeeper. This is an intuitive process that ends with activating the Gatekeeper using the code that you were given when you downloaded the Gatekeeper software. It is worth noting that this code expires 24 hours after it is issued, so you need to download the Gatekeeper at the time when you plan on installing it.

End-user experience

Before I show the administrative side of the Specops Key Recovery interface, I want to take just a moment and tell you about the end-user experience.

When a user has problems with accessing a BitLocker encrypted drive, they are taken to a screen like the one shown in the screenshot below. This interface is provided by Microsoft and allows the user to enter their BitLocker recovery key. Notice, however, that the screen now contains a message telling the user to visit to retrieve their recovery key.

Prompt to enter a recovery key for an encrypted drive

When the user visits the URL listed above, they are prompted to log in using their username. Next, the user is taken to a multifactor authentication screen, similar to the one shown below. There is a lot more going on here than might initially meet the eye. I will talk about this screen in more depth a bit later on.

The user must be authenticated before receiving a recovery key

Once the user has been authenticated, they are prompted to enter the first eight characters of their recovery key ID. The recovery key ID is displayed on the Windows screen that prompts the user to enter their recovery key (it was the very first screen capture shown in this review). Upon entering this information, the Specops Key Recovery software retrieves the user’s recovery key, which you can see below. The user can then enter the recovery key into the Windows key recovery prompt, and regain access to their BitLocker encrypted drive.

Specops Key Recovery retrieves the user’s recovery key

The user enters the recovery key into Windows

Required authentication process

So now that I have shown you what the end-user experience looks like, I want to take a step back and talk about the administrative side of things. For Specops Key Recovery to work, a group policy setting has to be configured to store BitLocker recovery keys in the Active Directory. When a user enters their recovery key ID, Specops Key Recovery uses that recovery key ID to retrieve the recovery key from the Active Directory. Note that recovery keys are heavily locked down as such admins and helpdesk technicians would not have access to the keys in AD.

This raises the question of why anyone would want to invest in a third-party product simply to perform what amounts to an Active Directory query? However, there are two things that Specops Key Recovery has going for it. First, it gives the user the ability to perform self-service key retrieval. The administrator and helpdesk don’t have to get involved in the process. Second, Specops Key Recovery goes to great lengths to keep the recovery keys secure.

BitLocker is used to protect disk’s containing sensitive data, so if someone requests a BitLocker recovery key then you need to make absolutely sure that the person is who they claim to be. This is where Specops Key Recovery really excels.

As I briefly mentioned earlier, Specops Key Recovery makes extensive use of multifactor authentication. The entire process is based around a system of weighted authentication. The idea behind weighted authentication is that some authentication providers are more trustworthy or more secure than others. Requiring a user to enter a code that has been sent to their mobile phone, for example, might be considered to be a more reliable test of the user’s identity than simply requiring the user to enter their Windows password.

Before a user can use Specops Key Recovery, they have to be enrolled in the system. Or users can be pre-enrolled in the system depending on which authentication factors are enabled and if they rely on information stored in the users’ profile. An administrator can select a combination of authentication factors, assign weights to each, while setting a required weight for enrollment, and a required weight for authentication. These weights are expressed through a series of stars, as shown in the figure below.

Enrollment and authentication are both weighted

As you look at the figure above, you will notice that there are a series of identity providers listed, and each one has a weight associated with it (usually either one or two stars) however administrators can configure the star value of authentication weight of each identity service. Based on the enrollment/authentication policy set by the admin, for a user to enroll in Specops Key Recovery, they must provide authentication information for several different identity services. The cumulative total number of stars for the identity services that the user selects must meet or exceed the number of stars that the administrator sets as the required weight for enrollment. As previously mentioned, an administrator can change the required weight for enrollment or authentication, and can also change the weight of any of the identity services.

One more thing that you will probably notice about the screenshot above is that there is a higher weight required for enrollment than for authentication. The reason for this is that it makes it possible for a user to be authenticated, even if there is a problem with one of the identity services that the user used when they enrolled. If a user forgets their secret question or accidentally leaves their mobile device at home, for example, they can still be authenticated by using a combination of other identity services. Specops Key Recovery doesn’t care which identity services a user uses during the authentication process, so long as those identity services collectively meet the required weight for authentication.

The verdict

Whenever I review a product on this site, I like to conclude the review by giving the product a star rating ranging from zero to five stars, with five stars being the highest possible score. With that said, I decided to give Specops Key Recovery a score of 4.5 stars, which is a gold award.

Overall, I think that Specops Key Recovery is a really great product that will go a long way toward helping organizations prevent BitLocker-related data loss. At the same time, though, I ran into a couple of minor issues during the initial deployment process (such as an expired authentication code and a Gatekeeper that at first did not want to connect to the cloud). In the grand scheme of things, however, these issues were very minor and I would not hesitate to recommend Specops Key Recovery for use in any organization that uses BitLocker encryption.

Rating 4.5/5

Brien Posey

Brien Posey is a freelance technology author and speaker with over two decades of IT experience. Prior to going freelance, Brien was a CIO for a national chain of hospitals and healthcare facilities. He has also served as a network engineer for the United States Department of Defense at Fort Knox. In addition, Brien has worked as a network administrator for some of the largest insurance companies in America. To date, Brien has received Microsoft’s MVP award numerous times in categories including Windows Server, IIS, Exchange Server, and File Systems / Storage. You can visit Brien’s Website at:

Published by
Brien Posey

Recent Posts

Diebold Nixdorf ATMs targeted by jackpotting attacks

ATM manufacturer Diebold Nixdorf says its European machines are being hit by jackpotting attacks, where…

13 hours ago

Allow a home computer to connect to your Azure SQL server/database

In these days where remote computing has become crucial, you can connect your home computer…

17 hours ago

Migrating to Microsoft 365? Get the ball rolling with a trial tenant

Many companies still using Exchange Server are thinking of moving to Microsoft 365. You can…

20 hours ago

wpDiscuz WordPress plugin: Critical vulnerability found and patched

Users of the wpDiscuz interactive comment WordPress plugin should implement a new patch as soon…

2 days ago

Data lifecycle management: Policies and procedures for security and compliance

With the amount of electronic information consistently growing, data lifecycle management is crucial for compliance…

2 days ago

Deploy Windows from the cloud to on-premises hardware? Yes, you can

Wouldn’t it be nice if you could deploy Windows from the cloud while sipping an…

5 days ago