Windows 10: [BitLocker] Encrypting without generating recovery key?

Page 1 of 2
  1.    03 Jan 2018 #1

    [BitLocker] Encrypting without generating recovery key?


    Hi,

    is there a way to encrypt a BitLocker drive without generating a recovery key?

    Other encryption tools such as DiskCryptor/VeraCrypt/TrueCrypt or those found on Linux can simply be used with one PIN, no recovery key required.

    BitLocker also allows encrypting with a PIN. But even when using a PIN, it still always seems to require generating a recovery key in addition.

    Is it possible to disable recovery keys altogether? So that only a PIN is set up to encrypt the drive and nothing else?

    Why would you want a recovery key anyway, when you are already using a PIN? Why would you want to generate two passwords (PIN + recovery key) instead of just one password (only PIN without any recovery key)?

  2.    03 Jan 2018 #2

    BitLocker Drive Encryption Operations Guide: Recovering Encrypted Volumes with AD DS describes what the recovery key is used for

    If you don't anticipate any of those scenarios happening to you then just destroy any copies of the recovery key - it's not like someone is going to brute-force a 128-bit key.

  3.    03 Jan 2018 #3

    PolarNettles said:
    If you don't anticipate any of those scenarios happening to you then just destroy any copies of the recovery key - it's not like someone is going to brute-force a 128-bit key.
    Sorry, but, this would not solve the issue, because:

    If you have destroyed all copies of the recovery key and BitLocker then triggers a recovery event (due to a firmware upgrade without suspending first, a Secure Boot issue, or whatever), the machine will boot up asking for the recovery key.

    What do you do then when you have destroyed all copies of the recovery key :)?

  4.    03 Jan 2018 #4

    Then it would be the same as if you lost your VeraCrypt key - you're screwed.

  5.    03 Jan 2018 #5

    PolarNettles said:
    Then it would be the same as if you lost your VeraCrypt key - you're screwed.
    Sorry, no offense, but you do not seem to understand.

    For VeraCrypt there's just one PIN (let's call it PIN, can also be a password of course). It needs to be entered upon boot or when decrypting the drive. It's just one PIN.

    On Linux and Android, there's also just one PIN that you need to enter upon boot or when you want to decrypt the drive.

    On VeraCrypt / Linux / Android there's no additional 48-digit recovery key. There's just the PIN you enter upon boot and that's it.

    BitLocker also allows to set a PIN (or password) which you can enter upon boot or when decrypting the drive.

    HOWEVER: With BitLocker there's also another 48-digit recovery key in addition by default. So there are two PINs.

    Is there any way to disable that additional 48-digit recovery key so that BitLocker can be used with just one PIN only?

  6.    03 Jan 2018 #6

    Edit: See later posts

    I understand what you're saying. I am saying that disposing of the recovery key has the same effect as having just one PIN.

    The actual encryption/decryption key is 128 bits. So a brute-force attack has a 1 in 2^128 chance of getting it correct.

    The recovery key is also 128 bits and is unrelated to the encryption key. So a brute-force attack has a 1 in 2^128 chance of getting it correct.

    So whether you attack the actual key or the recovery key, you have the same probability of success.

    There's no way to skip generation of the recovery key but it is literally just a random number.

    Edit: Sorry, I take that back. You can disable the recovery password in group policy.
    [attached screenshot: image.png]
    Last edited by PolarNettles; 03 Jan 2018 at 16:48.

  7.    03 Jan 2018 #7

    qp0615932 said:
    Sorry, no offense, but you do not seem to understand.
    No offense either, but you don't understand how BitLocker works.

    You don't need a pin at all. You can define one or not as you wish. You can require TPM or not. You can require (or not) a USB or smartcard.

    Now, if you are connected to AD you can stop recovery using the recovery key, but @PolarNettles was right the first time. It is generated. If you are on a domain it can be saved on the server and only unlock in that case.

    If you set up a PIN it will ask for it. If you change the BIOS or whatever, it will ask for the recovery key. Your PIN is insufficient. You can disable this (and the drive will only unlock if you are also connected to a domain), but no, you cannot say "PIN will always unlock". It won't.

    The point is a drive will only unlock if nothing has changed and you know your PIN, have put in your smartcard etc etc. If you changed boot order in BIOS then your PIN will not work. You will have to enter the recovery key (from somewhere).

    If you haven't recorded the recovery key (and can't get it from domain server or Microsoft.com) then you are, as mentioned before, screwed.

  8.    03 Jan 2018 #8

    PolarNettles said:
    I understand what you're saying. I am saying that disposing of the recovery key has the same effect as having just one PIN.

    No, that is wrong.

    Because it's not possible to tell Windows to never ask for the recovery key.

    If that were possible, then yes, you could destroy every copy of the recovery key. But since Windows will ask for the recovery key (when you typed the PIN incorrectly too often, or when you changed a BIOS setting without suspending BitLocker, or when Secure Boot triggers a recovery, for example), you cannot simply destroy every copy of the recovery key.

    This thread is about how to disable the recovery feature altogether.

    PolarNettles said:
    There's no way to skip generation of the recovery key but it is literally just a random number.

    No, it is not just a random number, see above.

    PolarNettles said:
    Edit: Sorry, I take that back. You can disable the recovery password in group policy.
    [attached screenshot: image.png]

    Unfortunately that is also wrong.

    When selecting "Do not allow 48-digit recovery password", you have to use a 256-bit recovery key on a USB flash drive instead.

    When trying to disable both:

    [attached screenshot: BitLocker_disable_both.png]

    Trying to enable BitLocker will result in:

    [attached screenshot: BitLocker_fail.png]

    So, you either have to allow the 48-digit recovery password and save it as a TXT file or print it, or you have to allow the 256-bit recovery key and save it on a USB flash drive.

    You cannot use a PIN/password without using a 48-digit recovery password and without a 256-bit recovery key.

    This thread is about how to get rid of the 48-digit recovery password/256-bit recovery key requirement.
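The posts above argue over protector types without ever naming them the way Windows does. As an added, defender-side example that is not part of the thread (the function names are my own; it assumes an elevated PowerShell session on Windows 10 with the built-in BitLocker module), the script below lists which protectors each volume actually carries, so the TPM+PIN protector shows up next to the RecoveryPassword (the 48-digit numeric password) and ExternalKey (the 256-bit key saved to USB) protectors being discussed; it also exports the recovery password to a location of your choice and suspends protection for one reboot before a firmware change, which is the scenario in post #3 that otherwise drops the machine into recovery.

```powershell
# Added example, not code from the thread. Assumes Windows 10, elevated session,
# and the built-in BitLocker module (Get-BitLockerVolume, Suspend-BitLocker,
# Backup-BitLockerKeyProtector). Function names are hypothetical.

function Get-BitLockerProtectorReport {
    # One row per volume: what unlocks it, and whether a recovery protector exists.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeStatus        = $vol.VolumeStatus        # e.g. FullyEncrypted, FullyDecrypted
            ProtectionStatus    = $vol.ProtectionStatus    # Off also means "suspended"
            Protectors          = ($types -join ', ')
            HasTpmPin           = [bool]($types -contains 'TpmPin')
            HasRecoveryPassword = [bool]($types -contains 'RecoveryPassword')  # 48-digit password
            HasExternalKey      = [bool]($types -contains 'ExternalKey')       # 256-bit .BEK file
        }
    }
}

function Export-BitLockerRecoveryPassword {
    # Write the 48-digit recovery password(s) of one volume to a file.
    # $OutFile should point somewhere that is NOT the encrypted volume itself,
    # e.g. removable media; the RecoveryPassword property is only populated
    # when running elevated.
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][string]$OutFile
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rps = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rps.Count -eq 0) { throw "$MountPoint has no RecoveryPassword protector" }
    $lines = foreach ($p in $rps) {
        "Volume $MountPoint  ProtectorId $($p.KeyProtectorId)  RecoveryPassword $($p.RecoveryPassword)"
    }
    $lines | Set-Content -Path $OutFile
    return $rps.Count
}

function Backup-BitLockerRecoveryPasswordToAD {
    # Domain-joined machines: escrow every recovery password protector in AD DS,
    # which is the recovery path post #2 links to.
    param([Parameter(Mandatory)][string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($p in $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
}

function Suspend-BitLockerForFirmwareUpdate {
    # Run this BEFORE a firmware/BIOS update or a Secure Boot change. With
    # -RebootCount 1 protection resumes automatically after the next reboot,
    # and the key is re-sealed to the new TPM measurements, so the PIN keeps
    # working instead of the machine prompting for the recovery key.
    param([string]$MountPoint = $env:SystemDrive)
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus   # expected: Off until reboot
}

# Usage
Get-BitLockerProtectorReport | Format-Table -AutoSize
# Export-BitLockerRecoveryPassword -MountPoint 'C:' -OutFile 'E:\bitlocker-C-recovery.txt'
# Suspend-BitLockerForFirmwareUpdate -MountPoint 'C:'
```

The report makes the thread's disagreement concrete: a volume with `TpmPin` but neither `RecoveryPassword` nor `ExternalKey` is exactly the "one PIN only" state the original poster wants, and the suspend helper is the routine way to avoid the recovery prompt described in posts #3 and #8 when firmware or boot settings are about to change.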

  9.    03 Jan 2018 #9

    qp0615932 said:
    This thread is about how to get rid of the 48-digit recovery password/256-bit recovery key requirement.
    You cannot. Hope that is clearer.

  10.    03 Jan 2018 #10

    lx07 said:
    You cannot. Hope that is clearer.

    Okay, then, since you pointed out that I would not understand how BitLocker works:

    Can you please explain to us why exactly BitLocker cannot work with just one PIN/password, like it is done on VeraCrypt / Linux / Android etc.?

    Why does it depend on a recovery mechanism whereas others do not?

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd