Solved

BitLocker - Purpose of creating Password and Recovery Key

Posted on 2013-11-19
750 Views
Last Modified: 2013-11-20
Hi,

What is the purpose of creating both a password and a Recovery key during the encryption process?
After writing down the password and encrypting my USB flash drive, I took it off the computer and plugged the flash drive into another computer.
It only asked for the password to access the contents of the flash drive, not both the password and the Recovery key.

When I took the encrypted hard drive (the one that has the OS) out of the computer and attached it to another PC, it asked for the recovery key and I entered it manually. Then the computer started loading the OS on the hard drive (encrypted in another computer).

Can someone explain why in one case it prompts for the password and in the other case it prompts for the recovery key?
Question by:sglee
10 Comments
 
LVL 3

Accepted Solution

by:
uniqueinfotech earned 200 total points
ID: 39661327
BitLocker uses the TPM chip on your computer to store the decryption key, and they protect that with a password. In the event that you go to a new computer that doesn't store the keys in the TPM, it will require the full keys to unlock and decrypt the contents.
0
 

Author Comment

by:sglee
ID: 39661338
So the reason this computer only asked for the password (when I plugged in the encrypted flash drive) was because it has a TPM installed? (In fact it has a TPM. I entered tpm.msc and it came up.)
So if this computer did not have a TPM installed, would it have prompted me to enter the Recovery key?
0
 

Author Comment

by:sglee
ID: 39661375
I plugged this flash drive into three separate PCs with the XP OS. They all displayed a popup window saying "Do you want to format the drive?".
So I brought it back to my Windows 7 PC (not the original PC where I encrypted the flash drive) and it asked for the password. When I clicked the link "I forgot the password", it asked for the Recovery key.

Why do XP PCs (they don't have TPM) react differently than my Win7 PC?
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 200 total points
ID: 39661543
Because XP does not have BitLocker, nor the BitLocker reader.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 200 total points
ID: 39661663
More info: BitLocker will request the recovery password for different reasons, mainly if it discovers that the drive is not at the PC it originally belonged to. See it this way: if I were to attack your drive in order to steal data, I might find the drive is encrypted. What now? I could hook the drive to my computer and try cracking tools from there. That is security relevant, so BitLocker reacts and enforces the use of the (compared to a normal password) stronger recovery key. If I were a mean attacker, I would exchange your computer for another model looking just the same, same mainboard, but modified at BIOS level (for example a VNC server turned on at BIOS level; yes, that's possible with some boards!), and I would be able to spy on you. BitLocker would discover changes to the BIOS, too, and ask for the recovery key just to make you aware "something odd is going on".

About the BitLocker reader: you can download it for XP, see http://blogs.technet.com/b/keithcombs/archive/2009/11/17/bitlocker-to-go-reader-now-available-for-download.aspx
Win7 already features a built-in reader.
0
 
LVL 3

Assisted Solution

by:uniqueinfotech
uniqueinfotech earned 200 total points
ID: 39661736
The TPM functions, among other things, as a secure store for encryption keys. It allows software to securely store such information in a manner that prevents other software from accessing this information under any circumstances, i.e., you can put information in but you can't ask it for the information back.

BitLocker uses this technology to store the encryption keys. However, since the TPM chip is a hardware device that is unique to each computer, when you move to a new device you'll have to essentially teach the TPM chip of that computer the same information that you told the TPM chip of the first computer, which is why you're required to enter the longer version of the password, aka the recovery key.
0
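The prompts the original poster saw follow directly from which key protectors each volume carries, which is the point the accepted solution, McKnife's comment above, and this last comment are making from different angles. The script below is an added example, not code posted by anyone in this thread. It assumes the BitLocker PowerShell module (Get-BitLockerVolume, Add-BitLockerKeyProtector), which ships with Windows 8 / Server 2012 and later; Windows 7 only has manage-bde.exe, where `manage-bde -protectors -get <drive>:` lists the same protectors. The function names are my own. Run it in an elevated PowerShell session: a BitLocker To Go flash drive typically shows `Password, RecoveryPassword` (no TPM protector at all, so every BitLocker-capable PC asks the same password question, and the "I forgot the password" link falls through to the recovery password), while an OS drive shows `Tpm, RecoveryPassword`, and the TPM protector is usable only on the PC whose TPM sealed it and only while the measured boot chain is unchanged, so on any other PC, or after a firmware change, the 48-digit recovery password is the only protector left.

```powershell
# Added example for this thread (not code posted by anyone in it).
# Assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later).
# On Windows 7 use:  manage-bde -protectors -get <drive>:
# Run in an elevated PowerShell session. Function names are my own.

function Get-BitLockerProtectorSummary {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Protector types as plain strings, e.g. Tpm, TpmPin, Password,
        # ExternalKey, RecoveryPassword.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Which protector BitLocker tries first when the drive is attached.
        $normalUnlock = if ($types -contains 'Tpm') {
            'TPM releases the key silently, but only on this PC and only while the measured boot chain (firmware, boot loader) is unchanged'
        } elseif ($types -contains 'TpmPin') {
            'TPM + PIN (same binding to this PC as Tpm)'
        } elseif ($types -contains 'Password') {
            'Password prompt (BitLocker To Go); the TPM is not involved, so any BitLocker-capable PC asks the same question'
        } elseif ($types -contains 'ExternalKey') {
            'Startup key (.BEK file on USB)'
        } else {
            'No primary protector'
        }

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType        # OperatingSystem or Data
            ProtectionStatus    = $vol.ProtectionStatus
            Protectors          = ($types -join ', ')
            NormalUnlock        = $normalUnlock
            # The 48-digit recovery password is the fallback that works on any
            # PC; BitLocker asks for it whenever the primary protector cannot
            # be used (moved OS drive, changed firmware, "I forgot my password"
            # on a To Go drive).
            HasRecoveryPassword = [bool]($types -contains 'RecoveryPassword')
        }
    }
}

# A volume without a recovery password protector has no fallback at all once
# its primary protector stops working. This adds one where it is missing and
# outputs the new password so it can be stored somewhere safe (AD, a vault).
function Add-MissingRecoveryPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $hasRecovery = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).Count -gt 0
        if ($hasRecovery) { continue }

        # Remember the protector ids that exist now so the new one can be found.
        $existingIds = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorId })

        if ($PSCmdlet.ShouldProcess($vol.MountPoint, 'Add RecoveryPassword protector')) {
            $updated = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
            $new = $updated.KeyProtector | Where-Object { $existingIds -notcontains $_.KeyProtectorId }
            Write-Output ('{0}: recovery password {1} (id {2})' -f `
                $vol.MountPoint, $new.RecoveryPassword, $new.KeyProtectorId)
        }
    }
}

Get-BitLockerProtectorSummary | Format-Table -AutoSize -Wrap
# Add-MissingRecoveryPassword -WhatIf    # preview; drop -WhatIf to actually add protectors
```

The summary is read-only; `Add-MissingRecoveryPassword` changes volumes, so it supports `-WhatIf` and records the pre-existing protector ids so it reports exactly the protector it created rather than guessing by position.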
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 100 total points
ID: 39662658
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39662925
@RichRumble
>...which is why you're required to enter the longer version of the password, aka the recovery key.
No. Even without a TPM present/in use the behavior is the same.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39662987
I didn't say that :p
-rich
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39663015
:p Sorry :)
0
