Page 1 of 2
  1.    2 Weeks Ago #1
    Join Date : Jan 2018
    Posts : 7
    OS

    [BitLocker] Encrypting without generating recovery key?


    Hi,

    is there a way to encrypt a BitLocker drive without generating a recovery key?

    Other encryption tools such as DiskCryptor/VeraCrypt/TrueCrypt or those found on Linux can simply be used with one PIN, no recovery key required.

    BitLocker also allows encrypting using a PIN. But, even when using a PIN, it still always seems to require generating a recovery key in addition.

    Is it possible to disable recovery keys altogether? So that only a PIN is set up to encrypt the drive and nothing else?

    Why would you want a recovery key anyway, when you are already using a PIN? Why would you want to generate two passwords (PIN + recovery key) instead of just one password (only PIN without any recovery key)?
  2.    2 Weeks Ago #2
    Join Date : Oct 2017
    Posts : 195
    Win10

    BitLocker Drive Encryption Operations Guide: Recovering Encrypted Volumes with AD DS describes what the recovery key is used for

    If you don't anticipate any of those scenarios happening to you then just destroy any copies of the recovery key - it's not like someone is going to brute-force a 128-bit key.
  3.    2 Weeks Ago #3
    Join Date : Jan 2018
    Posts : 7
    OS
    Thread Starter

    Quote Originally Posted by PolarNettles:
    If you don't anticipate any of those scenarios happening to you then just destroy any copies of the recovery key - it's not like someone is going to brute-force a 128-bit key.
    Sorry, but, this would not solve the issue, because:

    When having destroyed all copies of the recovery key and when BitLocker would trigger a recovery event (due to a firmware upgrade without having suspended first or due to a Secure Boot issue or due to whatever), then the machine would boot up asking for the recovery key.

    What do you do then when you have destroyed all copies of the recovery key?
  4.    2 Weeks Ago #4
    Join Date : Oct 2017
    Posts : 195
    Win10

    Then it would be the same as if you lost your VeraCrypt key - you're screwed.
  5.    2 Weeks Ago #5
    Join Date : Jan 2018
    Posts : 7
    OS
    Thread Starter

    Quote Originally Posted by PolarNettles:
    Then it would be the same as if you lost your VeraCrypt key - you're screwed.
    Sorry, no offense, but you do not seem to understand.

    For VeraCrypt there's just one PIN (let's call it PIN, can also be a password of course). It needs to be entered upon boot or when decrypting the drive. It's just one PIN.

    On Linux and Android, there's also just one PIN that you need to enter upon boot or when you want to decrypt the drive.

    On VeraCrypt / Linux / Android there's no additional 48-digit recovery key. There's just the PIN you enter upon boot and that's it.

    BitLocker also allows setting a PIN (or password) which you can enter upon boot or when decrypting the drive.

    HOWEVER: With BitLocker there's also another 48-digit recovery key in addition by default. So there are two PINs.

    Is there any way to disable that 48-digit additional recovery key so that BitLocker can be used with just one PIN only?
  6.    2 Weeks Ago #6
    Join Date : Oct 2017
    Posts : 195
    Win10

    Edit: See later posts

    I understand what you're saying. I am saying that disposing of the recovery key has the same effect as having just one PIN.

    The actual encryption/decryption key is 128 bits. So a brute-force attack has a 1 in 2^128 chance of getting it correct.

    The recovery key is also 128 bits and is unrelated to the encryption key. So a brute-force attack has a 1 in 2^128 chance of getting it correct.

    So whether you attack the actual key or the recovery key, you have the same probability of success.

    There's no way to skip generation of the recovery key but it is literally just a random number.

    Edit: Sorry, I take that back. You can disable the recovery password in group policy.
    [Screenshot: image.png]
    Last edited by PolarNettles; 2 Weeks Ago at 16:48.
  7.    2 Weeks Ago #7
    Join Date : Jul 2015
    Posts : 3,960
    10 Pro

    Quote Originally Posted by qp0615932:
    Sorry, no offense, but you do not seem to understand.
    No offense either, but you don't understand how BitLocker works.

    You don't need a pin at all. You can define one or not as you wish. You can require TPM or not. You can require (or not) a USB or smartcard.

    Now if you are connected to AD you can stop recovery using recovery key but @PolarNettles was right the first time. It is generated. If you are on a domain it can be saved on the server and only unlock in that case.

    If you set up a PIN it will ask for it. If you change the BIOS or whatever it will ask for the recovery key. Your PIN is insufficient. You can disable this (and the drive will only unlock if you are also connected to a domain) but no you can not say "PIN will always unlock". It won't.

    The point is a drive will only unlock if nothing has changed and you know your PIN, have put in your smartcard etc etc. If you changed boot order in BIOS then your PIN will not work. You will have to enter the recovery key (from somewhere).

    If you haven't recorded the recovery key (and can't get it from domain server or Microsoft.com) then you are, as mentioned before, screwed.
  8.    2 Weeks Ago #8
    Join Date : Jan 2018
    Posts : 7
    OS
    Thread Starter

    Quote Originally Posted by PolarNettles:
    I understand what you're saying. I am saying that disposing of the recovery key has the same effect as having just one PIN.

    No, that is wrong.

    Because it's not possible to tell Windows to never ask for the recovery key.

    If that were possible, then yes, you could destroy every copy of the recovery key. But since Windows will ask for the recovery key (when you typed the PIN incorrectly too often, or when you changed a BIOS setting without suspending BitLocker, or when Secure Boot triggers a recovery, for example), you cannot simply destroy every copy of the recovery key.

    This thread is about how to disable the recovery feature altogether.

    Quote Originally Posted by PolarNettles:
    There's no way to skip generation of the recovery key but it is literally just a random number.

    No, it is not just a random number, see above.

    Quote Originally Posted by PolarNettles:
    Edit: Sorry, I take that back. You can disable the recovery password in group policy.
    [Screenshot: image.png]

    Unfortunately that is also wrong.

    When selecting "Do not allow 48-digit recovery password", you have to use a 256-bit recovery key on a USB flash drive instead.

    When trying to disable both:

    [Screenshot: BitLocker_disable_both.png]

    Trying to enable BitLocker will result in:

    [Screenshot: BitLocker_fail.png]

    So, you either have to allow the 48-digit recovery password and save it as a TXT file or print it or you have to allow the 256-bit recovery key and save it on a USB flash drive.

    You cannot use a PIN/password without using a 48-digit recovery password and without a 256-bit recovery key.

    This thread is about how to get rid of the 48-digit recovery password/256-bit recovery key requirement.
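An added PowerShell example (not code from this thread, from Microsoft, or from any poster) that takes the defender's side of the discussion above: since the recovery prompt cannot be disabled, audit every volume for a usable recovery protector, escrow the 48-digit password in AD DS where a domain exists, and suspend protection for one reboot before the firmware change post #3 describes. It assumes Windows 10 Pro with the built-in BitLocker module and an elevated session; the function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from this thread): audit every BitLocker volume for a
# usable recovery protector, because a firmware change, a Secure Boot change
# or too many wrong PINs forces the recovery screen described in the posts.
Import-Module BitLocker

function Get-BitLockerRecoveryAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, Password,
        # RecoveryPassword (the 48-digit password) and ExternalKey
        # (the 256-bit key file saved to a USB drive).
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasRecovery = ($types -contains 'RecoveryPassword') -or ($types -contains 'ExternalKey')
        $finding = 'OK'
        if ($vol.ProtectionStatus -eq 'On' -and -not $hasRecovery) {
            $finding = 'No recovery protector: a TPM or PIN failure leaves no way back in'
        }
        [pscustomobject]@{
            MountPoint      = $vol.MountPoint
            Protection      = $vol.ProtectionStatus
            Protectors      = ($types -join ', ')
            HasRecoveryPath = $hasRecovery
            Finding         = $finding
        }
    }
}

# On a domain-joined machine, escrow the 48-digit recovery password in AD DS
# (the scenario the AD DS recovery guide linked in post #2 covers) instead of
# relying on a printout or a text file.
function Backup-RecoveryPasswordToAD {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId
        }
}

# Before a firmware/UEFI update (post #3's scenario), suspend protection for a
# single reboot so the changed boot measurements do not trigger recovery.
function Suspend-BitLockerForFirmwareUpdate {
    param([string]$MountPoint = $env:SystemDrive)
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1
}

Get-BitLockerRecoveryAudit | Format-Table -AutoSize
```

Run the audit before any BIOS, Secure Boot or boot-order change; a volume reported without a recovery path is exactly the situation posts #3 and #7 warn about.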
  9.    2 Weeks Ago #9
    Join Date : Jul 2015
    Posts : 3,960
    10 Pro

    Quote Originally Posted by qp0615932:
    This thread is about how to get rid of the 48-digit recovery password/256-bit recovery key requirement.
    You cannot. Hope that is clearer.
  10.    2 Weeks Ago #10
    Join Date : Jan 2018
    Posts : 7
    OS
    Thread Starter

    Quote Originally Posted by lx07:
    You cannot. Hope that is clearer.

    Okay, then, since you pointed out that I would not understand how BitLocker works:

    Can you please explain to us why exactly BitLocker cannot work with just one PIN/password, as is done on VeraCrypt / Linux / Android etc.?

    Why does it depend on a recovery mechanism whereas others do not?