Crypt for Windows

BitLocker recovery key escrow to Crypt Server with full key rotation support.

A native Windows implementation inspired by the Mac Crypt client, built with .NET 10 for escrowing BitLocker recovery keys with automatic key rotation, enterprise logging, and scheduled task integration.

Features

• Escrow BitLocker recovery keys to Crypt Server
• Full key rotation support (create new key, escrow, cleanup old keys)
• Automatic rotation when server requests it
• Verify escrow status via Crypt Server API
• YAML configuration file with environment variable fallback
• Windows scheduled task registration
• Structured logging with Serilog
• Single-file self-contained executable (no .NET runtime required)
• ARM64 and x64 native binaries
• Intune-compatible exit codes

Mac Crypt-Inspired Features

• KeyEscrowInterval: Configurable re-escrow interval (default: 1 hour)
• ValidateKey: Local key validation before escrow
• SkipUsers: Array of users to skip from escrow enforcement
• PostRunCommand: Command to run after error conditions
• Log Rotation: Configurable log retention (default: 30 days)

Installation

Download Release

Download the latest release from GitHub Releases:

• checkin-x64.exe - For Intel/AMD systems
• checkin-arm64.exe - For ARM64 systems (Surface Pro X, etc.)

Note: The binary is named checkin (following Mac Crypt convention). When installed via MSI, it is added to PATH as checkin.exe in C:\Program Files\Crypt\.

Build from Source

# Full build with auto-signing (if certificate available)
.\build.ps1

# Build without signing
.\build.ps1 -NoSign

# Build specific architecture
.\build.ps1 -Runtime win-x64

Quick Start

1. Configure the Server URL

# Option A: Set via command
checkin config set server.url https://crypt.example.com

# Option B: Set via environment variable
setx CRYPT_ESCROW_SERVER_URL "https://crypt.example.com" /M

2. Escrow the BitLocker Key

checkin escrow

3. Verify Escrow Status

checkin verify

Commands

escrow

Escrows the BitLocker recovery key to the Crypt Server.

checkin escrow [options]

Options:
  -s, --server <url>     Crypt Server URL
  -d, --drive <drive>    Drive letter (default: C:)
  -f, --force            Force escrow even if already escrowed
  --skip-cert-check      Skip TLS certificate validation

rotate

Rotates the BitLocker recovery key and escrows the new key.

checkin rotate [options]

Options:
  -s, --server <url>     Crypt Server URL
  -d, --drive <drive>    Drive letter (default: C:)
  -c, --cleanup          Remove old protectors (default: true)
  --skip-cert-check      Skip TLS certificate validation

verify

Checks if a key has been escrowed for the current device.

checkin verify [options]

Options:
  -s, --server <url>     Crypt Server URL
  --skip-cert-check      Skip TLS certificate validation

config

Manage configuration settings.

# Show current configuration
checkin config show

# Set a configuration value
checkin config set server.url https://crypt.example.com
checkin config set escrow.auto_rotate true
checkin config set escrow.key_escrow_interval_hours 2

register-task

Registers a Windows scheduled task for automated escrow.

checkin register-task [options]

Options:
  -s, --server <url>     Crypt Server URL
  -f, --frequency        Task frequency: hourly, daily, weekly, login (default: daily)

Configuration

Configuration is loaded from (in order of precedence):

1. Command-line options
2. Environment variables
3. Registry (CSP/OMA-URI from Intune)
4. YAML configuration file

Configuration File

Location: C:\ProgramData\ManagedEncryption\config.yaml

server:
  url: https://crypt.example.com
  verify_ssl: true
  timeout_seconds: 30
  retry_attempts: 3
  auth:
    api_key: your-secret-api-key
    api_key_header: X-API-Key
    use_mtls: false
    certificate_subject: crypt-client.example.com
    certificate_store_location: LocalMachine
    certificate_store_name: My

escrow:
  secret_type: recovery_key
  auto_rotate: true
  cleanup_old_protectors: true
  key_escrow_interval_hours: 1
  validate_key: true
  post_run_command: null
  skip_users:
    - admin
    - service_account

logging:
  level: INFO
  retained_days: 30

Environment Variables

Variable	Description
CRYPT_ESCROW_SERVER_URL	Crypt Server URL
CRYPT_ESCROW_SKIP_CERT_CHECK	Skip SSL verification (true/false)
CRYPT_ESCROW_AUTO_ROTATE	Auto-rotate on server request
CRYPT_ESCROW_CLEANUP_OLD_PROTECTORS	Remove old protectors
CRYPT_KEY_ESCROW_INTERVAL	Re-escrow interval in hours
CRYPT_VALIDATE_KEY	Validate key locally before escrow
CRYPT_SKIP_USERS	Comma-separated list of users to skip
CRYPT_POST_RUN_COMMAND	Command to run after errors
CRYPT_API_KEY	API key for server authentication
CRYPT_API_KEY_HEADER	Custom API key header name (default: X-API-Key)
CRYPT_USE_MTLS	Enable mutual TLS authentication (true/false)
CRYPT_CERT_SUBJECT	Client certificate subject name for mTLS
CRYPT_CERT_THUMBPRINT	Client certificate thumbprint for mTLS

Authentication

The client supports API key and mutual TLS (mTLS) authentication.

API Key:

server:
  auth:
    api_key: your-secret-api-key
    api_key_header: X-API-Key  # custom header name (default)

Or via environment variables: CRYPT_API_KEY and CRYPT_API_KEY_HEADER.

Mutual TLS (mTLS):

Similar to Mac Crypt's CommonNameForEscrow feature. Uses a client certificate from the Windows Certificate Store.

server:
  auth:
    use_mtls: true
    certificate_subject: crypt-client.example.com  # or use certificate_thumbprint
    certificate_store_location: LocalMachine        # or CurrentUser
    certificate_store_name: My

Or via environment variables: CRYPT_USE_MTLS, CRYPT_CERT_SUBJECT, CRYPT_CERT_THUMBPRINT.

Registry Configuration (CSP/OMA-URI)

Enterprise policies can be deployed via Intune CSP/OMA-URI to these registry locations:

Standard Group Policy Path: HKLM\SOFTWARE\Policies\Crypt\ManagedEncryption

MDM/Intune Path: HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Crypt~Policy~ManagedEncryption

Value Name	Type	Description
ServerUrl	String	Crypt Server URL (e.g., https://crypt.example.com)
SkipCertCheck	String/DWORD	Skip SSL verification (true/1 or false/0)
AutoRotate	String/DWORD	Auto-rotate on server request
CleanupOldProtectors	String/DWORD	Remove old protectors after escrow
KeyEscrowIntervalHours	String/DWORD	Re-escrow interval in hours
ValidateKey	String/DWORD	Validate key locally before escrow
SkipUsers	String	Comma-separated list of users to skip
PostRunCommand	String	Command to run after errors
ApiKey	String	API key for server authentication
ApiKeyHeader	String	Custom API key header name (default: X-API-Key)
UseMtls	String/DWORD	Enable mutual TLS authentication (true/1 or false/0)
CertificateSubject	String	Client certificate subject name for mTLS
CertificateThumbprint	String	Client certificate thumbprint for mTLS

Intune Custom OMA-URI Example:

• OMA-URI: ./Device/Vendor/MSFT/Registry/HKLM/SOFTWARE/Policies/Crypt/ManagedEncryption/ServerUrl
• Data type: String
• Value: https://crypt.example.com

Exit Codes

For Intune proactive remediation compatibility:

Code	Meaning
0	Success - key escrowed
1	BitLocker not enabled
2	No recovery password protector found
3	Network/server error (retry-able)
4	Configuration error
5	Key rotation failed
6	Insufficient permissions (requires administrator)
7	Authentication failed (invalid or missing API key)
10	Already escrowed, no action needed

Intune Proactive Remediation

Detection Script

$result = & "C:\Program Files\Crypt\checkin.exe" verify
exit $LASTEXITCODE

Remediation Script

$result = & "C:\Program Files\Crypt\checkin.exe" escrow
exit $LASTEXITCODE

Building

Prerequisites

• .NET 10 SDK
• Windows SDK (for code signing, optional)

Build Commands

# Full build with auto-signing
.\build.ps1

# Build without signing
.\build.ps1 -NoSign

# Build with specific certificate
.\build.ps1 -Sign -CertificateName "Your Certificate CN"
.\build.ps1 -Sign -Thumbprint "CERTIFICATE_THUMBPRINT"

# Debug build
.\build.ps1 -Configuration Debug

# Single architecture
.\build.ps1 -Runtime win-x64
.\build.ps1 -Runtime win-arm64

Code Signing

The build script automatically detects code signing certificates from the Windows certificate store. For CI/CD pipelines, set:

• SIGNTOOL_PATH - Path to signtool.exe
• Use -CertificateName or -Thumbprint to specify the certificate

Logging

Logs are written to C:\ProgramData\CryptEscrow\Logs\CryptEscrow_YYYYMMDD.log

Log rotation is automatic with configurable retention (default: 30 days).

Requirements

• Windows 10/11 or Windows Server 2016+
• BitLocker enabled on target drive
• Administrator privileges
• Network access to Crypt Server

Additional Documentation

• Intune CSP/OMA-URI Configuration Guide — detailed Intune setup with OMA-URI examples and PowerShell scripts
• Deployment Guide — Cimian deployment, testing, and monitoring
• Changelog — version history
• Example Configuration — fully commented config template

Credits

Inspired by:

• Crypt by Graham Gilbert (Mac client)
• crypt-bde by Bryan Demetris
• bitlocker2crypt by Johnny Ramos
• Crypt-Server by Graham Gilbert

License

MIT License - see LICENSE for details.