Solved

BitLocker - Purpose of creating Password and Recovery Key

Posted on 2013-11-19
Last Modified: 2013-11-20
Hi,

What is the purpose of creating both a password and a Recovery Key during the encryption process?
After writing down the password and encrypting my USB flash drive, I took it off the computer and plugged the flash drive into another computer.
It only asked for the password to access the contents of the flash drive, not both the password and the Recovery Key.

When I took the encrypted hard drive (that has the OS) out of the computer and attached it to another PC, it asked for the recovery key and I entered it manually. Then the computer started loading the OS on the hard drive (encrypted in another computer).

Can someone explain why in one case it prompts for the password and in another case it prompts for the recovery key?
Question by: sglee

Accepted Solution by uniqueinfotech (LVL 3, earned 200 total points)
ID: 39661327
BitLocker uses the TPM chip on your computer to store the decryption key, and they protect that with a password. In the event that you go to a new computer that doesn't store the keys in the TPM, it will require the full keys to unlock and decrypt the contents.

Author Comment by sglee
ID: 39661338
So the reason this computer only asked for the password (when I plugged in the encrypted flash drive) was because it has a TPM installed? (In fact it has a TPM. I entered tpm.msc and it came up.)
So if this computer did not have a TPM installed, would it have prompted me to enter the Recovery Key?

Author Comment by sglee
ID: 39661375
I plugged this flash drive into three separate PCs with the XP OS. They all displayed a popup window saying "Do you want to format the drive?".
So I brought it back to my Windows 7 PC (not the original PC where I encrypted the flash drive) and it asked for the password. When I clicked the link "I forgot the password", it asked for the Recovery Key.

Why do XP PCs (they don't have a TPM) react differently from my Win7 PC?

Assisted Solution by McKnife (LVL 53, earned 200 total points)
ID: 39661543
Because XP does not have BitLocker, nor the BitLocker reader.

Assisted Solution by McKnife (LVL 53, earned 200 total points)
ID: 39661663
More info: BitLocker will request the recovery password for different reasons, mainly if it discovers that the drive is not at the PC it originally belonged to. See it this way: if I were to attack your drive in order to steal data, I might find the drive is encrypted. What now? I could hook the drive to my computer and try cracking tools from there. That is security relevant, so BitLocker reacts and enforces the use of the (compared to a normal password) stronger recovery key. If I were a mean attacker and exchanged your computer for another model looking just the same, same mainboard, but modified at BIOS level (for example a VNC server turned on at BIOS level; yes, that's possible with some boards!), I would be able to spy on you. BitLocker would discover changes to the BIOS too, and ask for the recovery key just to make you aware that "something odd is going on".

About the BitLocker reader: you can download it for XP, see http://blogs.technet.com/b/keithcombs/archive/2009/11/17/bitlocker-to-go-reader-now-available-for-download.aspx
Win7 already features a built-in reader.

Assisted Solution by uniqueinfotech (LVL 3, earned 200 total points)
ID: 39661736
The TPM functions, among other things, as a secure store for encryption keys. It allows software to securely store such information in a manner that prevents other software from accessing this information under any circumstances, i.e., you can put information in but you can't ask it for the information back.

BitLocker uses this technology to store the encryption keys. However, since the TPM chip is a hardware device that is unique to each computer, when you move to a new device you'll have to essentially teach the TPM chip of that computer the same information that you told the TPM chip of the first computer, which is why you're required to enter the longer version of the password, aka the recovery key.
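The two explanations above (McKnife's: the recovery password is demanded when the drive is no longer at its original PC; uniqueinfotech's: the TPM-held key is tied to one machine) come down to which key protectors a volume carries. An OS volume protected only by a TPM protector can be unlocked solely on the machine whose TPM holds it, so on any other PC the 48-digit recovery password is the only remaining way in; a data drive with a Password protector is asked for the password first, with the recovery password as fallback. The script below is an added example (not code from the thread or from Microsoft) that enumerates each volume's protectors and reports which prompt another PC would give. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later) and an elevated prompt; the function name Get-BitLockerUnlockSummary is my own.

```powershell
# Added example: summarise BitLocker key protectors per volume and derive
# what a different PC (no access to this machine's TPM) would prompt for.
# Assumes: Windows 8 / Server 2012 or later (BitLocker module), run as Administrator.

Import-Module BitLocker

function Get-BitLockerUnlockSummary {
    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
        # Password (BitLocker To Go passphrase), RecoveryPassword (48-digit), ExternalKey (.BEK file)
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Protectors usable on ANY machine: nothing in them is bound to this TPM.
        $portable = @($types | Where-Object { $_ -in @('Password', 'RecoveryPassword', 'ExternalKey') })
        # Protectors bound to this machine's TPM and its measured boot state.
        $tpmBound = @($types | Where-Object { $_ -like 'Tpm*' })

        # Order mirrors the prompts seen in the thread: password first, then the
        # "I forgot the password" fallback to the recovery password.
        $onOtherPc = if ($portable -contains 'Password') { 'password prompt (recovery password as fallback)' }
                     elseif ($portable -contains 'RecoveryPassword') { '48-digit recovery password prompt' }
                     elseif ($portable -contains 'ExternalKey') { 'startup/recovery key file on USB' }
                     else { 'cannot be unlocked away from this machine' }

        if ($types -notcontains 'RecoveryPassword') {
            Write-Warning "$($vol.MountPoint): no RecoveryPassword protector; moving this drive risks lock-out."
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType        # OperatingSystem or Data
            ProtectionStatus = $vol.ProtectionStatus  # On / Off
            Protectors       = ($types -join ', ')
            TpmBound         = ($tpmBound.Count -gt 0)
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
            OnAnotherPc      = $onOtherPc
        }
    }
}

Get-BitLockerUnlockSummary | Format-Table -AutoSize
```

On the original poster's Windows 7 machines, where the module does not exist, the same protector list is available from the built-in tool with `manage-bde -protectors -get C:`. A volume that shows only a TPM protector and no numerical password is the case to fix before a drive is ever moved: `Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector` adds the recovery password, and the printed 48 digits should be stored somewhere other than the drive itself.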

Assisted Solution by Rich Rumble (LVL 38, earned 100 total points)
ID: 39662658

Expert Comment by McKnife (LVL 53)
ID: 39662925
@RichRumble
> ...Which is why your required to enter the longer version of the password aka recovery key.
No. Even without a TPM present/in use, the behavior is the same.

Expert Comment by Rich Rumble (LVL 38)
ID: 39662987
I didn't say that :p
-rich
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39663015
:p Sorry :)