[BitLocker] Encrypting without generating recovery key?


  1. Posts : 809
    Win10
       #11

    The recovery key is actually a random number; see "BitLocker recovery password details" on the System Integrity Team Blog.

    You are correct in that you still need the recovery key in case of some BIOS/TPM change. I'll strike out that part from my earlier post to remove confusion.

    VeraCrypt does not use the TPM. Therefore its keys are stored on the drive itself. I am not too familiar with how Linux encryption is done, but it looks like dm-crypt/LUKS don't use the TPM either.

    BitLocker does store the keys in the TPM. And if the PCRs change (due to a BIOS/HW/bootloader change), then the TPM won't unseal the encryption key. That's why you need the recovery key.


  2. Posts : 8
    OS
    Thread Starter
       #12

    PolarNettles said:
    BitLocker does store the keys in the TPM. And if the PCRs change (due to a BIOS/HW/bootloader change), then the TPM won't unseal the encryption key. That's why you need the recovery key.

    Sorry, but wrong again :).

    BitLocker can also be used without having a TPM and that is actually what I want to do :).

    So, why do I need to make use of BitLocker's recovery mechanism even if I do not have a TPM and use a PIN instead?


  3. Posts : 8
    OS
    Thread Starter
       #13

    With a bit of know-how (that particular group policy really isn't intuitive), perhaps it would be possible to prevent the recovery events with the following group policy:

    [Image: bitlocker_enhanced_bcd.png (group policy screenshot)]

    But there would probably still be a recovery event in case the PIN gets typed wrong too many times.


  4. Posts : 742
    Win10
       #14

    I just wish that future PCs/laptops will have the capability to encrypt data just like the way it is done on modern smartphones these days.
    For example, on the iPhone or even Android devices encryption is done by creating a PIN or a Passcode without the need to create or generate a recovery key. Because the Passcode or a PIN is the actual recovery key to decrypt data on the phone.

    This would be easier on PCs if they would implement the same technology as they do on smartphones.
    That way, users don't have to worry about where and how to store the actual recovery keys.

    So basically, I wish PCs would use the same technology the same way as they do on these phones, where all you need is a PIN to decrypt the device.

    For example, a Username and Password would be the recovery key without the need to generate one separately.
    I think that would be a good idea for the next versions of Windows in the future. But that would also apply to PC manufacturers as well.


  5. Posts : 8
    OS
    Thread Starter
       #15

    win10freak said:
    I just wish that future PCs/laptops will have the capability to encrypt data just like the way it is done on modern smartphones these days.
    For example, on the iPhone or even Android devices encryption is done by creating a PIN or a Passcode without the need to create or generate a recovery key. Because the Passcode or a PIN is the actual recovery key to decrypt data on the phone.

    Actually it does not have anything to do with PC vs. smartphone.

    PCs running Linux (e.g. Ubuntu etc.) are doing it the same way it is being done on Android phones. The PIN/password is the actual recovery key to decrypt data on the PC with Ubuntu and other Linux distros.

    It's just that MS Windows is requiring an additional recovery key (maybe macOS as well).
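Added example, not code from any post in this thread: a PowerShell audit of which local volumes are protected by a PIN/password alone with no RecoveryPassword protector (the setup the thread asks about, and the one where a forgotten PIN means lost data), plus a format check for a 48-digit recovery password based on the structure described in the System Integrity Team post cited in #11. It assumes a Windows host with the BitLocker PowerShell module run as administrator; the sample recovery password is constructed, not a real key.

```powershell
# Added example (not from the thread). Assumes Windows + BitLocker module, run elevated.

function Test-BitLockerRecoveryPasswordFormat {
    # A recovery password is 8 groups of 6 digits. Each group is a 16-bit value
    # multiplied by 11, so every group must be divisible by 11 and below 720896
    # (11 * 65536); the last digit of each group acts as a check digit.
    param([Parameter(Mandatory)][string]$RecoveryPassword)
    $groups = $RecoveryPassword.Trim() -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Get-BitLockerProtectorAudit {
    # One record per volume: protector types present, whether a RecoveryPassword
    # protector exists, and whether any protector is TPM-bound (Tpm, TpmPin, ...).
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
            UsesTpm          = [bool]($types | Where-Object { $_ -like 'Tpm*' })
        }
    }
}

# Volumes that are encrypted but have no recovery password protector at all:
Get-BitLockerProtectorAudit |
    Where-Object { $_.ProtectionStatus -eq 'On' -and -not $_.HasRecoveryPwd }

# Constructed, well-formed sample (every group is a multiple of 11, below 720896):
Test-BitLockerRecoveryPasswordFormat '000011-000022-000033-000044-000055-000066-000077-000088'
# A group that is not a multiple of 11 fails the check:
Test-BitLockerRecoveryPasswordFormat '000012-000022-000033-000044-000055-000066-000077-000088'
```

The audit only reads state; it is meant for checking that escrowed recovery passwords are well-formed and that no volume silently depends on a PIN alone.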

