[BitLocker] Encrypting without generating recovery key?

Page 1 of 2 12 LastLast

  1. Posts : 8
    OS
       #1

    [BitLocker] Encrypting without generating recovery key?


    Hi,

    is there a way to encrypt a BitLocker drive without generating a recovery key?

    Other encryption tools such as DiskCryptor/VeraCrypt/TrueCrypt or those found on Linux can simply be used with one PIN, no recovery key required.

    BitLocker also allows to encrypt using a PIN. But, even when using a PIN, it still always seems to require to generate a recovery key in addition.

    Is it possible to disable recovery keys altogether? So that only a PIN is set up to encrypt the drive and nothing else?

    Why would you want a recovery key anyway, when you are already using a PIN? Why would you want to generate two passwords (PIN + recovery key) instead of just one password (only PIN without any recovery key)?
      My Computer


  2. Posts : 809
    Win10
       #2

    BitLocker Drive Encryption Operations Guide: Recovering Encrypted Volumes with AD DS describes what the recovery key is used for

    If you don't anticipate any of those scenarios happening to you then just destroy any copies of the recovery key - it's not like someone is going to brute-force a 128-bit key.
      My Computer


  3. Posts : 8
    OS
    Thread Starter
       #3

    PolarNettles said:
    If you don't anticipate any of those scenarios happening to you then just destroy any copies of the recovery key - it's not like someone is going to brute-force a 128-bit key.
    Sorry, but, this would not solve the issue, because:

    When having destroyed all copies of the recovery key and when BitLocker would trigger a recovery event (due to a firmware upgrade without having suspended first or due to a Secure Boot issue or due to whatever), then the machine would boot up asking for the recovery key.

    What do you do then when you have destroyed all copies of the recovery key :)?
      My Computer


  4. Posts : 809
    Win10
       #4

    Then it would be the same as if you lost your Veracrypt key - you're screwed.
      My Computer


  5. Posts : 8
    OS
    Thread Starter
       #5

    PolarNettles said:
    Then it would be the same as if you lost your Veracrypt key - you're screwed.
    Sorry, no offense, but you do not seem to understand.

    For VeraCrypt there's just one PIN (let's call it PIN, can also be a password of course). It needs to be entered upon boot or when decrypting the drive. It's just one PIN.

    On Linux and Android, there's also just one PIN that you need to enter upon boot or when you want to decrypt the drive.

    On VeryCrypt / Linux / Android there's no additional 48 digit recovery key. There's just the PIN you enter upon boot and that's it.

    BitLocker also allows to set a PIN (or password) which you can enter upon boot or when decrypting the drive.

    HOWEVER: With BitLocker there's also another 48 digit recovery key in addition by default. So there are two PINs.

    Is there any way to disable that 48 digit additional recovery key so that BitLocker can be used with just one PIN only?
      My Computer


  6. Posts : 809
    Win10
       #6

    Edit: See later posts

    I understand what you're saying. I am saying that disposing of the recovery key has the same effect as having just one PIN.

    The actual encryption/decryption key is 128 bits. So a brute-force attack has a 1 in 2^128 chance of getting it correct.

    The recovery key is also 128 bits and is unrelated to the encryption key. So a brute-force attack has a 1 in 2^128 chance of getting it correct.

    So whether you attack the actual key or the recovery key, you have the same probability of success.

    There's no way to skip generation of the recovery key but it is literally just a random number.

    Edit: Sorry, I take that back. You can disable the recovery password in group policy.
    [BitLocker] Encrypting without generating recovery key?-image.png
    Last edited by PolarNettles; 03 Jan 2018 at 15:48.
      My Computer


  7. Posts : 5,478
    2004
       #7

    qp0615932 said:
    Sorry, no offense, but you do not seem to understand.
    No offense either but you don't understand how bitlocker works.

    You don't need a pin at all. You can define one or not as you wish. You can require TPM or not. You can require (or not) a USB or smartcard.

    Now if you are connected to AD you can stop recovery using recovery key but @PolarNettles was right the first time. It is generated. If you are on a domain it can be saved on the server and only unlock in that case.

    If you set up a PIN it will ask for it. If you change the BIOS or whatever it will ask for the recovery key. Your PIN is insufficient. You can disable this (and the drive will only unlock if you are also connected to a domain) but no you can not say "PIN will always unlock". It won't.

    The point is a drive will only unlock if nothing has changed and you know your PIN, have put in your smartcard etc etc. If you changed boot order in BIOS then your PIN will not work. You will have to enter the recovery key (from somewhere).

    If you haven't recorded the recovery key (and can't get it from domain server or Microsoft.com) then you are, as mentioned before, screwed.
      My Computer


  8. Posts : 8
    OS
    Thread Starter
       #8

    PolarNettles said:
    I understand what you're saying. I am saying that disposing of the recovery key has the same effect as having just one PIN.

    No, that is wrong.

    Because it's not possible to tell Windows to never ask for the recovery key.

    If that would be possible, then yes, you could destroy every copy of the recovery key. But since Windows will ask for the recovery key (when you typed the PIN incorrectly too often or when you changed a BIOS setting without suspending BitLocker, or when Secure Boot triggers a recovery for example), you can not simply destroy every copy of the recovery key.

    This thread is about how to disable the recovery feature altogether.

    PolarNettles said:
    There's no way to skip generation of the recovery key but it is literally just a random number.

    No, it is not just a random number, see above.

    PolarNettles said:
    Edit: Sorry, I take that back. You can disable the recovery password in group policy.
    [BitLocker] Encrypting without generating recovery key?-image.png

    Unfortunately that is also wrong.

    When selecting "Do not allow 48-digit recovery password", you have to use a 256-bit recovery key on a USB flash drive instead.

    When trying to disable both:

    [BitLocker] Encrypting without generating recovery key?-bitlocker_disable_both.png

    Trying to enable BitLocker will result in:

    [BitLocker] Encrypting without generating recovery key?-bitlocker_fail.png

    So, you either have to allow the 48-digit recovery password and save it as a TXT file or print it or you have to allow the 256-bit recovery key and save it on a USB flash drive.

    You can not use a PIN/password without using a 48-digit recovery password and without a 256-bit recovery key.

    This thread is about how to get rid of the 48-digit recovery password/256-bit recovery key requirement.
      My Computer


  9. Posts : 5,478
    2004
       #9

    qp0615932 said:
    This thread is about how to get rid of the 48-digit recovery password/256-bit recovery key requirement.
    You can not. Hope that is clearer.
      My Computer


  10. Posts : 8
    OS
    Thread Starter
       #10

    lx07 said:
    You can not. Hope that is clearer.

    Okay, then, since you pointed out that I would not understand how BitLocker works:

    Can you please explain to us why exactly BitLocker can not work with just one PIN/password like it is being done on VeraCrypt / Linux / Android etc.?

    Why does it depend on a recovery mechanism whereas others do not?
      My Computer


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 22:08.
Find Us




Windows 10 Forums