[BitLocker] Encrypting without generating recovery key?


  1. Posts : 809
    Win10
       #11

    The recovery key is actually a random number: see "BitLocker recovery password details" (System Integrity Team Blog).

    You are correct in that you still need the recovery key in case of some BIOS/TPM change. I'll strike out that part from my earlier post to remove confusion.

    VeraCrypt does not use the TPM. Therefore its keys are stored on the drive itself. I am not too familiar with how Linux encryption is done, but it looks like dm-crypt/LUKS don't use the TPM either.

    BitLocker does store the keys in the TPM. And if the PCRs change (due to a BIOS/HW/bootloader change) then the TPM won't unseal the encryption key. That's why you need the recovery key.
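    The "random number" point above can be made concrete. The blog post linked in that reply documents the recovery password format: 48 digits in 8 groups of 6, where each group is a multiple of 11 and, divided by 11, yields one 16-bit value, so the whole password carries 128 bits of key material and nothing derived from the user's PIN. The following Python is an added example written for this thread, not code from the post or from Microsoft; it validates a password against those format rules and, as a constructed illustration only, generates a well-formed one from OS randomness (BitLocker's own generator is not shown here):

```python
import re
import secrets

BLOCK_COUNT = 8                    # a recovery password is 8 groups of 6 digits
WORD_LIMIT = 1 << 16               # each group encodes one 16-bit value
MAX_BLOCK = WORD_LIMIT * 11 - 1    # 720895: largest 6-digit group that still fits 16 bits


def parse_recovery_password(text):
    """Validate a 48-digit BitLocker recovery password and return its eight 16-bit words.

    Raises ValueError when the layout or a per-group check fails. Groups may be
    separated by hyphens or whitespace.
    """
    groups = re.split(r"[-\s]+", text.strip())
    if len(groups) != BLOCK_COUNT or not all(re.fullmatch(r"\d{6}", g) for g in groups):
        raise ValueError("expected 8 groups of 6 digits")
    words = []
    for i, g in enumerate(groups, 1):
        value = int(g)
        # Divisibility by 11 is the per-group check digit scheme.
        if value % 11 != 0:
            raise ValueError(f"group {i} ({g}) is not divisible by 11")
        # value / 11 must fit in 16 bits, so the group itself must not exceed 720895.
        if value > MAX_BLOCK:
            raise ValueError(f"group {i} ({g}) exceeds the 16-bit range")
        words.append(value // 11)
    return words


def is_valid_recovery_password(text):
    """Boolean wrapper around parse_recovery_password for quick checks."""
    try:
        parse_recovery_password(text)
        return True
    except ValueError:
        return False


def entropy_bits(words):
    """Key material carried by the parsed words: 16 bits per group, 128 for a full password."""
    return 16 * len(words)


def generate_recovery_password():
    """Constructed illustration: a well-formed password from 128 bits of OS randomness.

    This mirrors the documented format (random 16-bit word per group, multiplied by 11),
    not BitLocker's actual implementation.
    """
    words = [secrets.randbelow(WORD_LIMIT) for _ in range(BLOCK_COUNT)]
    return "-".join(f"{w * 11:06d}" for w in words)


if __name__ == "__main__":
    pw = generate_recovery_password()
    print(pw)
    print(parse_recovery_password(pw), entropy_bits(parse_recovery_password(pw)), "bits")
```

    Nothing in the format references the PIN or the TPM, which is why the recovery password still unlocks the volume after a PCR change: it is an independent 128-bit protector, not a backup of the PIN.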


  2. Posts : 8
    OS
    Thread Starter
       #12

    PolarNettles said:
    BitLocker does store the keys in the TPM. And if the PCRs change (due to a BIOS/HW/bootloader change) then the TPM won't unseal the encryption key. That's why you need the recovery key.

    Sorry, but wrong again :).

    BitLocker can also be used without having a TPM and that is actually what I want to do :).

    So, why do I need to make use of BitLocker's recovery mechanism even if I do not have a TPM and use a PIN instead?


  3. Posts : 8
    OS
    Thread Starter
       #13

    With a bit of know-how (that particular group policy really isn't intuitive), perhaps it would be possible to prevent the recovery events with the following group policy:

    (attached screenshot: bitlocker_enhanced_bcd.png)

    But there would probably still be a recovery event in case the PIN gets typed wrong too many times.


  4. Posts : 812
    Win10
       #14

    I just wish that future PCs/laptops will have the capability to encrypt data just like the way it is done on modern smartphones these days.
    For example, on the iPhone or even Android devices encryption is done by creating a PIN or a Passcode without the need to create or generate a recovery key. Because the Passcode or a PIN is the actual recovery key to decrypt data on the phone.

    This would be much easier on PCs if they would implement the same technology as they do on smartphones.
    That way, users don't have to worry about where and how to store the actual recovery keys.

    So basically, I wish PCs would do the same technology the same way as they do on these phones where all you need is a PIN to decrypt the device.

    For example, a Username and Password would be the recovery key without the need to generate one separately.
    I think that would be a good idea for the next versions of Windows in the future. But that would also apply to PC manufacturers as well.


  5. Posts : 8
    OS
    Thread Starter
       #15

    win10freak said:
    I just wish that future PCs/laptops will have the capability to encrypt data just like the way it is done on modern smartphones these days.
    For example, on the iPhone or even Android devices encryption is done by creating a PIN or a Passcode without the need to create or generate a recovery key. Because the Passcode or a PIN is the actual recovery key to decrypt data on the phone.
    Actually it does not have anything to do with PC vs. smartphone.

    PCs running Linux (e.g. Ubuntu etc.) are doing it the same way it is being done on Android phones. The PIN/Password is the actual recovery key to decrypt data on the PC with Ubuntu and other Linux distros.

    It's just that MS Windows is requiring an additional recovery key (maybe macOS as well).


  6. Posts : 12
    Win10 home
       #16

    The simple answer is: because it's made by Microsoft, so it has to be super secure, as are other MS products.


  7. Posts : 15,480
    Windows10
       #17

    qp0615932 said:
    Sorry, but wrong again :).

    BitLocker can also be used without having a TPM and that is actually what I want to do :).

    So, why do I need to make use of BitLocker's recovery mechanism even if I do not have a TPM and use a PIN instead?
    Why not ask all the people who forgot their PIN?

    The BitLocker recovery mechanism is for people who forget their passwords or PINs.


  8. Posts : 525
    Windows 10
       #18

    cereberus said:
    Why not ask all the people who forgot their PIN?
    In Android, if you forget the PIN, you can recover the phone by logging in to the Google account.


  9. Posts : 15,480
    Windows10
       #19

    Anibor said:
    In Android, if you forget the PIN, you can recover the phone by logging in to the Google account.
    The Windows PIN is completely different - it only works on the local machine to stop hackers accessing the PC.

    This thread is about BitLocker encryption.

    A BitLocker PIN is also different to the Windows PIN.

    A BitLocker PIN kicks in at the boot level before Windows starts.

    To really lock down the device:

    1) Have a strong BitLocker PIN - nobody can access BitLocker-protected drives, even if the machine has a TPM, unless the BitLocker PIN is known.

    2) Have a strong Windows PIN or other Windows Hello setup.

    3) Have a strong underlying Windows password.

    4) Use a strong BIOS password to prevent people using USB drives unless authorised.

    5) Turn off the ability to boot from USB drives in Group Policy.

    In the end, it depends on your needs.

    I have a travel laptop that I use outside of my flat - that is secured as above. I sometimes use the SD card slot to copy data - it is not possible to boot from an SD card.

    Nobody is ever likely to access this device even if they steal it, and the drive is an eMMC drive and hence non-removable. Thieves will end up with a useless device.

    If I forget anything I can recover in most instances (BitLocker recovery key, MS account password recovery). If I forget the BIOS password, I am somewhat scuppered - I do not know any way round that for my device - the laptop is a sealed unit and virtually impossible to take apart. No upgrades to the internals are possible. I do have a safe copy of that in a hidden place.

    My devices at home are not BitLocker-protected as my flat is secure (deadlock bolts etc.) plus a front door with a security system for the flat complex. It is very unlikely home devices could get stolen, unless by a visitor.

