On-prem v1.10.0 - Optional recovery-key CSV inventory

@robgrame robgrame released this 11 Jun 09:11

Operators can now disable the recovery-key CSV export from the Settings UI when the database is the sole retention surface for BitLocker keys. The DB (with its DEK-encrypted KeyValue column) keeps the keys, and with the export disabled no parallel CSV copy is written to disk on every scan.

✨ Added

  • RuntimeConfig.RecoveryKeyCsvExportEnabled (bool, default true,
    migration AddRecoveryKeyCsvExportEnabled with defaultValue: true to
    preserve pre-v1.10 behaviour on upgrade). When unchecked, the scan job
    skips both recovery-keys_*.csv (key inventory) and
    recovery-key-values_*.csv (sensitive value export).
  • Settings page: new checkbox "Export recovery keys to CSV" in the
    📁 Output fieldset with inline help explaining the interaction with
    the existing Include Recovery Key Values toggle.

🔁 Changed

  • CsvExportService.ExportRecoveryKeysAsync accepts the new enabled flag
    and emits an informational log line on skip; ExportRecoveryKeyValuesAsync
    is now gated by both flags (no point writing values without metadata).
    consistency-results_*.csv and summary_*.csv are unaffected — they hold
    operational stats only and no key material.

Behaviour matrix

| RecoveryKeyCsvExportEnabled | IncludeRecoveryKeyValue | CSV files produced per scan |
|---|---|---|
| true (default) | false | recovery-keys + consistency-results + summary |
| true | true | recovery-keys + consistency-results + summary + recovery-key-values |
| false | any | consistency-results + summary only |

📦 Deploy

Stop-Service BitLockerKeyMonitor.Worker, BitLockerKeyMonitor.Web
Expand-Archive .\BitLockerKeyMonitor-onprem-v1.10.0-Worker-win-x64.zip -DestinationPath C:\Apps\BLKMon\Worker -Force
Expand-Archive .\BitLockerKeyMonitor-onprem-v1.10.0-Web-win-x64.zip    -DestinationPath C:\Apps\BLKMon\Web    -Force
Start-Service BitLockerKeyMonitor.Worker, BitLockerKeyMonitor.Web

Migration AddRecoveryKeyCsvExportEnabled runs automatically at first start; existing rows back-fill to RecoveryKeyCsvExportEnabled = true, so the upgrade is invisible unless you uncheck the box in Settings.

--init-encryption is NOT required.
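
The checkbox controls what later scans write. This added example (not part of the project's release or tooling) lists any recovery-keys_*.csv and recovery-key-values_*.csv files present under a scan output folder, with their last-write time and the identities granted access, and warns about files written after the export was turned off. `$OutputPath` and `$DisabledAt` are assumed parameters; the release notes do not state the export directory.

```powershell
# Added example: inventory recovery-key CSV files in the scan output folder.
# $OutputPath is a placeholder; the release notes do not name the export directory.
# $DisabledAt is the time "Export recovery keys to CSV" was unchecked (assumed input).
param(
    [Parameter(Mandatory)][string]$OutputPath,
    [datetime]$DisabledAt = (Get-Date)
)

# File name patterns as given in the release notes.
$patterns = [ordered]@{
    'recovery-keys_*.csv'       = 'key inventory'
    'recovery-key-values_*.csv' = 'sensitive value export'
}

$report = foreach ($pattern in $patterns.Keys) {
    Get-ChildItem -LiteralPath $OutputPath -Filter $pattern -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Collect every identity that holds an Allow ACE on the file.
            $acl = Get-Acl -LiteralPath $_.FullName
            $allowed = $acl.Access |
                Where-Object AccessControlType -eq 'Allow' |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique

            [pscustomobject]@{
                Kind                = $patterns[$pattern]
                File                = $_.FullName
                LastWriteTime       = $_.LastWriteTime
                WrittenAfterDisable = $_.LastWriteTime -gt $DisabledAt
                AllowedIdentities   = $allowed -join '; '
            }
        }
}

if (-not $report) {
    Write-Output "No recovery-key CSV files found under $OutputPath."
    return
}

$report | Sort-Object LastWriteTime | Format-List

# With the export disabled, a scan should not produce either file type.
$late = @($report | Where-Object WrittenAfterDisable)
if ($late.Count -gt 0) {
    Write-Warning "$($late.Count) recovery-key CSV file(s) written after $DisabledAt; check the Settings value and the Worker log."
}
```

Save it as a script and run it after a scan has completed with the box unchecked, passing the time the setting was changed as `-DisabledAt`.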


✅ Verified

  • dotnet build BitLockerKeyMonitor.slnx → 0 warn, 0 err
  • dotnet build BitLockerKeyMonitor.Azure.slnx → 0 warn, 0 err
  • dotnet test BitLockerKeyMonitor.slnx → 120 / 120 passed
  • System.ServiceProcess.ServiceController.dll in Worker ZIP = 92 432 bytes (Windows impl, not the netstandard stub)
  • Published assemblies stamp clean ProductVersion: 1.10.0 (no +<sha> suffix)