How to Use BitLocker Recovery Passwords

  • Article

Anyone who has tried enabling BitLocker has been greeted with a friendly dialog box insisting that you create a recovery password. At this point, you probably are thinking to yourself: “what is this recovery password, and what am I supposed to do with it?” 

 

First, let’s take a look at the BitLocker system. BitLocker has two major features: 1) it encrypts the hard drive to prevent offline attacks against lost or stolen laptops and 2) it takes measurements of the boot process to ensure the integrity of the system at start-up. These measurements detect attacks that try to get into your system before the OS loads.

If the measurements taken during start-up match the measurements taken when BitLocker was enabled, the system will boot into Vista as expected. If the measurements change, however, BitLocker will enter recovery mode. There are several scenarios that can cause these measurements to change. Some scenarios are harmless, like moving a BitLocker-protected drive into a new computer, while others are malicious, like a rootkit attack. For a more complete discussion of recovery scenarios, check out the BitLocker Technical Overview.

 

In recovery mode, encrypted data will not be unlocked unless you can present the recovery password, either by inserting a USB flash drive containing the recovery password or typing it in manually. Start-up PINs and keys will not work in recovery mode.

 

 This leads to two critical points:

Ø If you lose the recovery password and the system goes into recovery mode, the data is irretrievable.

Ø If an adversary gets your recovery password, he can make changes to your system and bypass BitLocker (this is equivalent to a thief learning your Windows XP administrator password or mothers’ maiden name).

 

So this leads to an interesting dichotomy: you want to preserve your recovery password, but not leave it accessible to an attacker. Taping your recovery password to your laptop is a bad idea. But what other backup options are available? Well, we have a few ideas:

Ø Save your recovery password on a USB drive, and put it on your key chain (or in a safe).

Ø Print out the recovery password and hide it away in a file folder.

Ø Burn the recovery password onto a CD (or floppy) and store that away in some safe place.

Ø BitLocker also supports automatic backup to Active Directory servers.

These are the recommended method for backing up recovery passwords in business scenarios.

Two things you should always remember about the BitLocker recovery password: back it up and keep it safe.