Opening up BitLocker, part 2 – Recovery Keys

Last time I covered an introduction to BitLocker, the Trusted Platform Module (TPM) and what TPM does to assist in keeping your system secure. This time I'm writing about the most important aspect of BitLocker management – Recovery Keys (and Recovery Passwords too).

While one of the great strengths of the TPM is providing protection against attacks on your system, the cost of this approach is evident when the TPM decides that any number of innocuous events might be part of an attack. The result – it enters what's known as "recovery mode."  Recovery mode stops the necessary keys from being unsealed, preventing the system from continuing to boot. At this point you'll need to supply the recovery key/password in order to bring the TPM out of recovery mode and keep going. 
                                                                 
So what are recovery passwords/recovery keys?  Where do I get them and where should I keep them?

[Quick note – I generally use the term recovery password, but the password can also be referred to as a recovery key. The two terms are used interchangeably by a lot of people, including Microsoft. In some documents I've seen the recovery password stored on a USB device referred to as the recovery key. Whatever it's called, it's essentially the same thing – the string of numbers needed to get the TPM out of recovery mode.]

The recovery password is a random 48-digit string created when BitLocker is first enabled on the system. Once it's created, you have the option to save it in any number of ways – some better than others. I'll cover them below. Whatever you decide is right for you, make sure you keep that recovery password handy.

So you have your recovery password; now you need to keep it somewhere safe. Microsoft, by default, offers the following four choices:

  • Print it out
  • Write it down
  • Store it as a file on a USB device
  • Store it in Active Directory

The first two are probably fine if it's your home PC, but for enterprise customers, those choices should be included for humor only. The third option, storing the recovery password on a removable drive, is more feasible but invites a lot of calls to the help desk starting with "My PC won't boot and I've lost that thumb drive thing you gave me." It's your choice of course.

So is AD your best bet? Well, kind of. First, you will need to make sure that your system is on the domain when you enable BitLocker. Second, and more significant, you're going to have to live with your AD admins having access to the recovery password for every system on their domain. And that can be a problem. Not only is it introducing a lot of new risk, it probably breaks whatever segregation of duties policies you had in place, and worse, shoots down any hopes of FIPS compliance that you might be entertaining. Storing the recovery passwords in Active Directory is certainly, in my opinion, better than the other options, but it's clearly far from a best practice.

The good news is that there are a number of solutions available that address this problem by enabling more secure management of your recovery passwords. And, for the sake of full disclosure, I work for one of them. There are others out there, and interestingly Microsoft has announced the availability of a tool (MBAM) to help address this problem (and a couple of others), although purely focused on BitLocker, of course.

In the event that the system does go into recovery mode, and you’ve retrieved your recovery password from the post-it note taped carefully to the underside of your drawer (you didn't think anyone knew?) then you can enter it and the system will continue to boot. The recovery password will take some time to enter (it's 48 digits long, after all) and Microsoft generally recommends you use the function keys to do it (which avoids problems with international keyboards). 

(There is some good news: the system will do some basic validation on each group of 6 digits, although you won't know if you got the whole thing right until you enter the final set of 6.)
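The per-group validation mentioned above can be reproduced offline, for example in a help-desk tool that checks a recovery password read over the phone before anyone types it at the recovery screen. The sketch below is an added example, not code from the original post or from Microsoft; it relies on the documented format (eight groups of six digits, each a multiple of 11 and below 720896), and the function names and sample value are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

GROUPS = 8                # 8 groups x 6 digits = 48 digits
MAX_GROUP = 11 * 65536    # 720896: each group is a 16-bit value times 11


def check_group(group: str) -> Optional[str]:
    """Return None if one 6-digit group is well formed, else the reason."""
    if not re.fullmatch(r"[0-9]{6}", group):
        return "not exactly 6 digits"
    value = int(group)
    if value % 11 != 0:
        return "not divisible by 11 (likely a typo)"
    if value >= MAX_GROUP:
        return "value too large"
    return None


def validate_recovery_password(text: str) -> List[Tuple[int, str]]:
    """Return (group_number, reason) problems; an empty list means well formed."""
    groups = re.split(r"[-\s]+", text.strip())
    if len(groups) != GROUPS:
        return [(0, f"expected {GROUPS} groups, got {len(groups)}")]
    problems = []
    for number, group in enumerate(groups, start=1):
        reason = check_group(group)
        if reason:
            problems.append((number, reason))
    return problems


def make_sample(values: List[int]) -> str:
    """Build a constructed, well-formed password from eight 16-bit values."""
    return "-".join(f"{v * 11:06d}" for v in values)


# Constructed sample for the demo, not a real recovery password.
SAMPLE = make_sample([1, 2, 300, 4000, 50000, 65535, 0, 12345])

if __name__ == "__main__":
    print(SAMPLE, validate_recovery_password(SAMPLE))
    typo = SAMPLE[:-1] + "0"          # change the last digit of group 8
    print(typo, validate_recovery_password(typo))
```

A password that passes these checks is only well formed; whether it is the right one for the volume is known only when BitLocker accepts it.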

Once the recovery key is entered, the TPM will unseal the volume key which, in turn, allows BitLocker to decrypt your system. The TPM will also be able to take a new snapshot of your configuration at this point, which means that if you have changed something that caused it to enter recovery mode, at least next time you should be fine.

Ok, in my next post I'm going to discuss where I think BitLocker will best fit in your enterprise and where it may not. In the meantime, here's a recent whitepaper on BitLocker Management. Be aware you'll need to register to get it.
