Dell LSA Recovery Guide for Dell Encryption Enterprise and Dell Encryption Personal

Summary: Learn how to use the Dell LSA recovery bundle to regain access to Dell Encryption Enterprise or Dell Encryption Personal data. Follow this step-by-step guide.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

The local security administrator (LSA) recovery bundle is used to regain access to Dell Encryption Enterprise (formerly Dell Data Protection | Enterprise Edition) or Dell Encryption Personal (formerly Dell Data Protection | Personal Edition) data. This article covers how to run the LSA recovery bundle.

Affected Products:

  • Dell Encryption Enterprise
  • Dell Data Protection | Enterprise Edition
  • Dell Data Protection | Server Edition
  • Dell Encryption Personal
  • Dell Data Protection | Personal Edition

Affected Operating Systems:

  • Windows

Cause

Not applicable

Resolution

The LSA recovery bundle can be used for Recovery. It also contains command-line interface (CLI) options. For more information, click the appropriate option.

Note: The LSA recovery bundle must be downloaded before following the Recovery or CLI process. For more information, reference How to Download the Dell Encryption Enterprise / Dell Encryption Personal Recovery Bundle.

Recovery

The LSA recovery bundle may be run differently whether the endpoint is Online or Offline. Click the appropriate method for more information.

Online

This process addresses situations where the user has access to the operating system but has either lost all access to encrypted data or must move the hard drive from one chassis to another. In this case, the LSA recovery bundle that is downloaded from the administration console can be copied to the computer and run locally.

  1. From the machine that requires recovery, double-click the LSA Recovery Bundle.

LSA recovery bundle

  1. Select My system does not allow me to access encrypted data, edit policies, or is being reinstalled and then click Next.

Problem description

  1. Copy the Backup and Recovery Information and then click Next.

Backup and Recovery Information

  1. Select the volume to recover and then click Next.

Select volume

  1. Populate the Password that was assigned when downloading the LSA recovery bundle from the administration console, and then click Next.

Password

  1. Click Recover to perform the recovery. The utility extracts the keys to the computer.

Recover

  1. Confirm that the operation was successful and then click Finish.

Finish

  1. If moving the hard drive to another chassis, it is required that you shut down the machine instead of rebooting. When prompted to restart, click No and then shut down from the Windows Start Menu. Otherwise, click Yes.

Reboot prompt

Note: If moving the hard drive to another chassis and Yes was selected, the recovery process must be repeated.

Offline

If the user no longer has access to the operating system and the machine is locked in SDE Recovery Mode, an offline recovery must be performed.

The LSA recovery bundle may run by an Automatic or Manual method. The automatic method is recommended for versions 10.2.10 and later. The manual method works for all versions. Click the appropriate method for more information.

Automatic
  1. Create a bootable WinPE USB.
Note: For more information, reference How to Create a Bootable WinPE USB for Dell Encryption Enterprise / Dell Encryption Personal.
  1. Copy the LSA recovery bundle to the WinPE USB.
Note: The name of the LSA recovery bundle will differ in your environment.
  1. Boot to that media on the device with the drive you are attempting to recover. A WinPE environment opens.
  2. Type X and then press Enter to reach Command Prompt.

Command Prompt

  1. Browse to and then run the LSA recovery bundle.

LSA recovery bundle

  1. Select My system fails to boot and displays a message asking me to perform SDE Recovery and then click Next.

Problem description

  1. Confirm the Backup and Recovery Information and then click Next.

Backup and Recovery Information

  1. Select the volume to recover and then click Next.

Select volume

  1. Populate the Password that was assigned when downloading the LSA recovery bundle from the administration console, and then click Next.

Password

  1. Click Recover. The utility extracts the keys to the computer.

Recover

  1. Confirm that the operation was successful and then click Finish.

Finish

  1. Remove the WinPE boot media and reboot the endpoint. If Windows does not boot, contact Dell Data Security ProSupport.

Reboot prompt

Note: For more information, reference Dell Data Security International Support Phone Numbers.
Manual
  1. Right-click the LSA recovery bundle and then select Run as administrator.

LSA recovery bundle

Note: The name of the LSA recovery bundle will differ in your environment.
  1. If Windows Defender is enabled, select More Info and then click Run anyway. Otherwise, go to Step 3.

Windows Defender

  1. If User Account Control (UAC) is enabled, click Yes. Otherwise, go to Step 4.

User Account Control

  1. With the Dell Encryption recovery menu open, right-click the Windows Start menu and then click Run.

Run

  1. In the Run UI, type cmd and then press OK.

Run UI

  1. In Command Prompt, Use the cd command to browse to the directory where the LSA recovery bundle is located and then press Enter.

Change directory

Note: The recovery file directory may differ in your environment.
  1. Type LSARecovery_[HOSTNAME] -x 1 -p [PASSWORD] and then press Enter.

LSA recovery bundle command

Note:
  • [HOSTNAME] = Endpoint computer name
  • [PASSWORD] = Password assigned when downloading the LSA recovery bundle
  1. Type LSARecovery_[HOSTNAME] -gpk -p [PASSWORD] and then press Enter.

LSA recovery bundle command

  1. In the LSA recovery bundle folder, go to CMGKRcvr.txt and GPKRCVR.TXT.

Locate files

Note: If multiple CMGKRcvr.txt files are created, locate the file without a number appended.
  1. Copy CMGKRcvr.txt and GPKRCVR.TXT to external media or a share.
Note: If using external media, store CMGKRcvr.txt and GPKRCVR.TXT in a folder. The files may become unusable if stored on the root of external media.
  1. Boot a WinPE environment on the targeted endpoint to recover.
Note: For more information, reference How to Create a Bootable WinPE USB for Dell Encryption Enterprise / Dell Encryption Personal.
  1. Go to CMGKRcvr.txt and GPKRCVR.TXT on the external media or share (Step 9).

Locate files

  1. Type Copy CMGKRcvr.txt [ROOT] and then press Enter.

Copy

Note:
  • [ROOT] represents the root of the operating system boot volume.
  • The root of the operating system boot volume in the example may differ in your environment.
  1. Type Copy GPKRCVR.TXT [ROOT] and then press Enter.

Copy

  1. Remove the WinPE boot media and reboot the endpoint. If Windows does not boot, contact Dell Data Security ProSupport.
Note: For more information, reference Dell Data Security International Support Phone Numbers.

CLI

The recovery bundle allows flexibility in command-line options by using switches.

Parameter Value Required Purpose
-v 1 to 10 No Sets the verbosity level of logs output. 1 is the lowest level of logging with 10 being the highest. The logs are written to the Windows logging directory in LSARecovery.log.
-x 0 No Extracts recovery data for any data that could not be categorized.
1 Extracts recovery data for the system data encryption (SDE) key.
2 Extracts recovery data for the user key.
-d See Example Below No Used with -x or -gpk to designate a directory to create the key.
-p See Example Below Yes, when using -x or -gpk Used to populate the password assigned when downloading the recovery bundle.
-gpk None No Extracts recovery data for the GPK keys.

CLI Examples:

Example #1:

LSARecovery_[HOSTNAME].exe -x 1 -p P@ssw0rd -d C:\Users\Administrator\Desktop\test

Example #1 contains:

  • File = LSARecovery_[HOSTNAME].exe
  • Extracted recovery data = System data encryption (SDE) key
  • Password = P@ssw0rd
  • Directory = C:\Users\Administrator\Desktop\test

Example #2:

LSARecovery_[HOSTNAME].exe -gpk -p Abcd1234

Example #2 contains:

  • File = LSARecovery_[HOSTNAME].exe
  • Extracted recovery data = GPK key
  • Password = Abcd1234
  • Directory = Where LSARecovery_[HOSTNAME].exe is being run from

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Affected Products

Dell Encryption
Article Properties
Article Number: 000126856
Article Type: Solution
Last Modified: 10 Nov 2023
Version:  10
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.