Emergency Recovery Information (ERI)
If a hard disk has been fully encrypted using Matrix42 Full Disk Encryption and a user has forgotten the credentials necessary to access the computer (with or without pre-boot authentication, PBA), the emergency recovery application can be used to regain access to the data on the computer.
You may need to use the emergency recovery application if the following occurs:
- The computer does not start correctly.
- The encryption/decryption key (or the password that leads to the encryption/decryption key) has been damaged, forgotten, or lost.
- FDE has been removed without decrypting the hard disk first, or decryption was interrupted due to a power failure.
Solutions
The Matrix42 Full Disk Encryption emergency recovery application is based on Microsoft Windows PE, a freely available and reliable tool that enables the administrator to build and extend a boot CD from Windows components. Matrix42 Full Disk Encryption provides a plug-in for Windows PE that enables you to start the emergency recovery application from CD or USB flash drive.
For details about creating an emergency recovery boot CD or USB flash drive, see Creating a WinPE emergency recovery boot CD or USB flash drive.
Emergency recovery information (ERI)
To perform an emergency recovery, an ERI file is needed for the damaged computer. An ERI file is a password-protected file that contains the encryption keys of the encrypted partitions of the hard disk (each partition has its own encryption key). The ERI file can be generated during installation or at a later time.
The file is the ‘key’ to getting back into the computer should an emergency arise, so a backup copy of the ERI file should be stored in a secure location (network directory or external drive) (see Creating an ERI file). Because anyone who holds the ERI file together with its password can decrypt the disk, treat the file as a secret: restrict access to the backup location and keep the ERI password separate from the file.
The emergency application uses the ERI file either to decrypt the local partitions or to turn PBA off. To perform emergency recovery, the ERI file must contain the latest encryption details for the damaged computer, so it is recommended to create a new ERI file every time the encryption settings are changed on the target computer.
If a ‘company key’ is used for encryption (a single key used for the encryption of all, or many, computers within a company), only one ERI file needs to be created; it can be used for emergency recovery on any computer that shares the same encryption key. If each computer has an individual key, an ERI file must be created for each one.
Creating an ERI file
This section details the ERI file creation procedure. To create an ERI file and an emergency recovery disk (ERD), Windows local administrator privileges are required.
Follow the steps below to create an ERI file, and/or to create an ERD:
- Open the Control Center (as described in section 1.5).
- Double-click the Recovery Information icon.
- The Administration password dialog appears.
- Enter the password and click OK.
- An ERI file can be created only if at least one drive in the system is encrypted. If you try to create an ERI file without encrypting any drive, an error message appears.
- The Save Emergency Recovery Information dialog appears:
- Read the information in the dialog and click Next to continue.
- The ERI Password/File Destination dialog appears.
- This dialog helps you specify the password to protect the ERI file from third parties, as well as the destination directory for the file.
- Enter and confirm a password for recovery information.
- Only the English keyboard layout is supported in the recovery application, so choose a password that contains only characters available on the English layout (avoid language-specific characters such as umlauts, and keep in mind that keys such as Y and Z sit in different positions on non-English layouts).
- Enter a full path for the ERI file either directly into the field Path or click “…” to open a file explorer.
- Click Next to continue.
- (optional) If you want to make use of a ‘pattern’ (see Defining an automatic ERI file naming convention), make sure that the path ends with a single backslash ( \ ); the filename is then completed automatically using the pattern defined in the registry entry ERIFilePattern.
- The Cache ERI/Specify User dialog appears. This dialog allows you to specify a user (via their Windows credentials) for storing the ERI file and whether to cache the ERI to the hard disk.
The following options are available:
Option | Details |
---|---|
Cache emergency recovery information on disk | Caches the ERI on the PBA partition in encrypted form. |
Define the user account that will store the Emergency Recovery Information | If this option is checked, the copy of the recovery file is bound to a Windows user account as an additional security measure (this only works if the recovery information copy is saved on a network drive). The wizard does not create the account: an existing username, domain and password must be entered in the fields Username, Domain and Password, respectively. |
- Once you have made your selection click Finish to complete ERI file creation.
- A confirmation dialog appears if the ERI creation is successful:
It is not possible to create an ERI file on a network path specified through a mapped drive letter, for example Y:\ERI where Y: is mapped to \\FDE001\Product; specify the UNC path instead.
Defining an automatic ERI file naming convention
This section extends the optional pattern step in Creating an ERI file: how to define an automatic naming convention for ERI files via the use of ‘patterns’. A ‘pattern’ is a placeholder that can be used as part of the path to keep certain elements of the filename consistent. These placeholders must be ‘delimited’ with angle brackets (< >) and can be of the following type:
- <computername>
- <username>
- <date>
These values are supplied by the Windows system (the computer name, the logged-on user name and the current date); the pattern simply uses this information to name the ERI file. Patterns can be used directly in the Path for ERI file field and in the registry entry for the automatic naming convention. Follow these steps to define an automatic ERI naming convention:
- Open the Windows Registry Editor by either selecting Start > Run and entering regedit into the Open field, or opening the editor directly from the directory: C:\WINDOWS\regedit.exe
- In the Windows Registry Editor, open the entry: HKEY_LOCAL_MACHINE\SOFTWARE\Mobsec_NB\Notebook\General\
- Create a new entry by right-clicking in an open space on the right-hand panel and choose New > String Value from the menu:
- Enter ERIFilePattern as the value name:
- Double-click the new entry.
- This will open a window in which you can enter the naming convention you wish to use for filenames.
- Enter the naming convention (‘pattern’) in the Value data field (see Path examples below). Click OK to close the window and set the value.
- Close registry editor.
Path examples
Here are some examples of paths that either use placeholders directly or rely on automatic naming via the registry entry. The extension ‘.eri’ is appended automatically if it is not already part of the path, and <date> expands to the current date in yyyyMMdd form, as the first row shows:
Dialog Entry (entered directly in the ‘Path for ERI file’ field) | Registry Entry (ERIFilePattern) | Result |
---|---|---|
x:\dir\erifile<date> | (not needed) | x:\dir\erifile20050928.eri |
x:\dir\ | erifile | x:\dir\erifile.eri |
x:\dir\ | ERI_<computername>_<username>.eri | x:\dir\ERI_<computername>_<username>.eri, with the placeholders replaced by the actual computer name and user name |
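The naming rules in the table, reproduced as an added PowerShell example (this is not Matrix42 code and does not call the product; the registry key and value name are those from the steps above, while the function names, the assumed yyyyMMdd date format and the sample computer name, user name and date are ours). Resolve-EriPath predicts the file name the Control Center will produce for a given dialog entry and registry pattern, including the trailing-backslash rule and the mapped-drive restriction, and Set-EriFilePattern writes the ERIFilePattern value without the manual regedit steps:

```powershell
# Added example, not part of the Matrix42 product. Models the ERI file naming
# rules described on this page. Assumptions: <date> renders as yyyyMMdd (from the
# erifile20050928.eri example) and the function names are ours.
$EriRegistryKey = 'HKLM:\SOFTWARE\Mobsec_NB\Notebook\General'   # key from the steps above

function Expand-EriPlaceholders {
    param(
        [Parameter(Mandatory)][string]$Text,
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$UserName     = $env:USERNAME,
        [datetime]$Date       = (Get-Date)
    )
    # -replace is case-insensitive, so <Date> and <date> behave the same.
    $Text -replace '<computername>', $ComputerName `
          -replace '<username>',     $UserName `
          -replace '<date>',         $Date.ToString('yyyyMMdd')
}

function Resolve-EriPath {
    param(
        [Parameter(Mandatory)][string]$DialogPath,  # value of 'Path for ERI file'
        [string]$RegistryPattern,                   # current ERIFilePattern value, if any
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$UserName     = $env:USERNAME,
        [datetime]$Date       = (Get-Date)
    )
    # A mapped drive letter is rejected by the product; catch it before the wizard does.
    if ($DialogPath -match '^([A-Za-z]):\\') {
        $drive = Get-PSDrive -Name $Matches[1] -ErrorAction SilentlyContinue
        if ($drive -and $drive.DisplayRoot -like '\\*') {
            throw "'$DialogPath' uses mapped drive $($Matches[1]): ($($drive.DisplayRoot)); use the UNC path instead."
        }
    }
    $path = $DialogPath
    if ($path.EndsWith('\')) {
        # Trailing backslash: the file name is completed from the registry pattern.
        if ([string]::IsNullOrEmpty($RegistryPattern)) {
            throw "'$DialogPath' ends with a backslash but no ERIFilePattern is defined."
        }
        $path += $RegistryPattern
    }
    $path = Expand-EriPlaceholders -Text $path -ComputerName $ComputerName -UserName $UserName -Date $Date
    if (-not $path.EndsWith('.eri', [System.StringComparison]::OrdinalIgnoreCase)) { $path += '.eri' }
    return $path
}

function Set-EriFilePattern {
    param([Parameter(Mandatory)][string]$Pattern)
    # Creates the REG_SZ value ERIFilePattern exactly as the manual regedit steps do.
    if (-not (Test-Path $EriRegistryKey)) { New-Item -Path $EriRegistryKey -Force | Out-Null }
    New-ItemProperty -Path $EriRegistryKey -Name 'ERIFilePattern' -PropertyType String `
                     -Value $Pattern -Force | Out-Null
}

# The three rows of the table above, with constructed values for the placeholders:
Resolve-EriPath -DialogPath 'x:\dir\erifile<date>' -Date (Get-Date '2005-09-28')
Resolve-EriPath -DialogPath 'x:\dir\' -RegistryPattern 'erifile'
Resolve-EriPath -DialogPath 'x:\dir\' -RegistryPattern 'ERI_<computername>_<username>.eri' `
                -ComputerName 'PC01' -UserName 'jdoe'
```

Run Set-EriFilePattern from an elevated PowerShell session, since the key lives under HKLM. Resolve-EriPath only models the rules described on this page; verify the actual file name on the first computer you roll a new pattern out to before relying on it fleet-wide.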
It is possible that the ERI file will fail to copy to the specified path, for example, if a network drive has been specified but the computer is unable to connect to the network at the time the ERI file is created. In such a scenario, the ERI file will be temporarily stored in the Matrix42 Full Disk Encryption PBA partition until the computer can successfully locate the specified path. Once copied to the specified path, the local copy on the PBA partition is deleted.
If there is an emergency before the ERI file can be successfully copied to the specified path, the local copy of the ERI file will be detected and used by the ERD. For details about performing emergency recovery, see chapter 1.13.
It is recommended to keep copies of all ERI files in a safe place. If an ERI file is damaged or lost, no emergency recovery will be possible!
Creating a WinPE emergency recovery boot CD or USB flash drive
This section details how to create a WinPE (Windows Preinstalled Environment) ERD. This includes how to adapt WinPE to use a plug-in in preparation for recovering/repairing data from a damaged partition.
Rebuild the WinPE medium every time Full Disk Encryption is updated. A WinPE medium built from the latest FDE version can perform emergency recovery on disks encrypted by earlier FDE versions, but a medium built from an older FDE version can NOT decrypt disks encrypted with a newer one.
SCSI adapters are not supported for creating WinPE, reconnect your device as IDE.
Preparation steps
WinPE is part of the Windows Assessment and Deployment Kit (ADK), so download the ADK and install the required features.
- Download the ADK:
- Windows ADK 10, version 1903 is used for creating WinPE by default.
- Windows ADK 11 should be used for creating WinPE for recovering Windows 11 systems.
- Windows ADK 8 can be used in certain circumstances for creating WinPE if the Windows ADK 10 installation failed.
- Once the ADK is downloaded, install the following features:
- Deployment Tools: includes the Deployment and Imaging Tools Environment (all ADK versions).
- Windows Preinstallation Environment: includes the files used to install Windows PE (part of the ADK installer only for ADK 8).
- Only for Windows ADK 10, version 1903 and higher: the Windows Preinstallation Environment is a separate download; install the Windows PE add-on for the ADK.
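Unattended installation of the features listed above, as an added PowerShell example that is not from the Matrix42 documentation. It assumes the ADK installer (adksetup.exe) and the Windows PE add-on installer (adkwinpesetup.exe) for ADK 10 version 1903 or later have already been downloaded from Microsoft into the folder in $AdkDownloads (an assumed location); the OptionId feature names are Microsoft's documented feature IDs for the ADK setup, and the final check looks for the Deployment Tools path that makepe detects in the next section:

```powershell
# Added example, not part of the Matrix42 documentation. Installs the ADK
# features needed by makepe without the GUI. Assumes the two installers were
# downloaded to $AdkDownloads; feature IDs are the Microsoft ADK setup option IDs.
$AdkDownloads = 'C:\Temp\ADK'   # assumed download folder

function Install-AdkForWinPE {
    param([string]$Downloads = $AdkDownloads)

    # Deployment Tools (Deployment and Imaging Tools Environment) from the ADK itself.
    $p = Start-Process -FilePath (Join-Path $Downloads 'adksetup.exe') -Wait -PassThru -ArgumentList @(
        '/quiet', '/norestart', '/features', 'OptionId.DeploymentTools')
    # 3010 means "installed, reboot required" and is acceptable here.
    if ($p.ExitCode -notin 0, 3010) { throw "adksetup.exe failed with exit code $($p.ExitCode)" }

    # ADK 10 version 1903 and later ship Windows PE as a separate add-on installer.
    $p = Start-Process -FilePath (Join-Path $Downloads 'adkwinpesetup.exe') -Wait -PassThru -ArgumentList @(
        '/quiet', '/norestart', '/features', 'OptionId.WindowsPreinstallationEnvironment')
    if ($p.ExitCode -notin 0, 3010) { throw "adkwinpesetup.exe failed with exit code $($p.ExitCode)" }

    # makepe expects the Deployment Tools under this kit path; fail early if anything is missing.
    $kit = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit'
    foreach ($f in @('Deployment Tools\DandISetEnv.bat',
                     'Windows Preinstallation Environment\copype.cmd')) {
        if (-not (Test-Path (Join-Path $kit $f))) { throw "Expected ADK file missing: $f" }
    }
    Write-Host 'ADK Deployment Tools and Windows PE add-on are installed.'
}

Install-AdkForWinPE
```

Run it elevated; both installers write under Program Files (x86). If you need ADK 8 instead, the feature IDs are the same but the kit path changes to Windows Kits\8.0, as listed in the next section.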
Creating a WinPE ERD
- Before starting the procedure, make sure that you have already installed Full Disk Encryption and generated the ERI files necessary for recovery (for details, see Creating an ERI file).
- Run makepe as administrator
- The dialog appears. In the first step, the system detects the WinPE platform type.
- Press Enter.
- In the next step, the path of the Windows ADK directory is identified automatically and the following is displayed:
- For Windows ADK 8: c:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools
- For Windows ADK 10 & 11: c:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools
- Press Enter.
- At the next 2 steps, the paths for Matrix42 WinPE directory and Matrix42 WinPE ERI directory are detected.
- Enter the number of the media type you want to create (1 for ISO image, 2 for USB flash drive). [1] is used by default.
- Press Enter.
- Creating ISO:
- Type Y to agree.
- Press any key to close the window.
- Creating USB:
- Enter the letter of the drive.
- If your flash drive has the MBR partition layout, just type yes to agree that all data on the USB drive will be lost.
- If your flash drive has the GPT partition layout, type yes to agree that all data on the USB drive will be lost and the drive partition layout will be changed to MBR.
- If your flash drive has a partition layout other than GPT or MBR, the warning message is displayed. Change the partition layout manually and start the procedure again.
- Enter the letter of the drive.
- Type Y to agree.
- Answer Y again to agree with formatting of disk drive.
- Once the process is finished, press any key to close the window.
If your flash drive is more than 2 GB and an error occurs while creating the WinPE, delete all partitions on this flash drive and create one partition for 2 GB. This partition must be formatted with the FAT32 file system.
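Preparing an oversized flash drive as described in the note above, as an added PowerShell example (not Matrix42 code; the function name and the volume label are ours, and the partition size follows the 2 GB limit stated on the page). It refuses to touch any disk that is not on the USB bus and asks for explicit confirmation before handing a script to diskpart.exe, because the operation destroys everything on the drive:

```powershell
# Added example, not part of the Matrix42 documentation. Wipes a USB flash drive
# and creates a single 2 GB FAT32 partition in the MBR layout that makepe expects.
# DESTRUCTIVE: every partition on the selected disk is removed.
function Initialize-EriFlashDrive {
    param([Parameter(Mandatory)][int]$DiskNumber)

    $disk = Get-Disk -Number $DiskNumber
    if ($disk.BusType -ne 'USB') {
        throw "Disk $DiskNumber is on bus '$($disk.BusType)', not USB; refusing to wipe it."
    }
    Write-Host ('Disk {0}: {1}, {2:N1} GB, partition style {3}' -f `
        $disk.Number, $disk.FriendlyName, ($disk.Size / 1GB), $disk.PartitionStyle)
    if ((Read-Host 'Type ERASE to wipe this disk') -ne 'ERASE') { return $false }

    # diskpart script: clean removes all partitions, convert mbr forces the MBR
    # layout, the 2048 MB primary partition is marked active and FAT32-formatted.
    $script = @"
select disk $DiskNumber
clean
convert mbr
create partition primary size=2048
select partition 1
active
format fs=fat32 quick label=ERIWINPE
assign
exit
"@
    $tmp = [System.IO.Path]::GetTempFileName()
    Set-Content -Path $tmp -Value $script -Encoding ASCII
    try     { diskpart.exe /s $tmp | Out-Host }
    finally { Remove-Item $tmp -ErrorAction SilentlyContinue }

    # Show what makepe will see: one ~2 GB active partition with a drive letter.
    Get-Partition -DiskNumber $DiskNumber |
        Select-Object PartitionNumber, DriveLetter, Size, IsActive | Format-Table
    return $true
}

# Find the stick first, then pass its disk number (constructed usage):
#   Get-Disk | Where-Object BusType -eq 'USB'
#   Initialize-EriFlashDrive -DiskNumber 2
```

After the function returns, run makepe again and select the drive letter that diskpart assigned. The BusType check is the only thing standing between a typo in the disk number and a wiped system disk, so do not remove it when adapting the script.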