You probably have lots of keys in your life -- a house key, a car key, an office key. Each of these keys fits a different lock. Windows BitLocker™ Drive Encryption also has different key and lock combinations. Just as you wouldn't leave your car keys laying out in public or sitting in the ignition while you go into the grocery store, you should handle and store your BitLocker keys equally carefully, especially the recovery password.
As an end-user or IT Professional, you will handle three types of keys, out of the many in BitLocker:
- Recovery password
- TPM ownership password
- TPM+ keys (officially called “TPM key protectors”)
For now, think of BitLocker as the door between your data and the world. The door may have several types of locks on it, which are opened with different keys.
When you start BitLocker, you will be asked to create a recovery password.
The recovery password works like a door key that you have hidden offsite in case you lock yourself out. This key could open all the locks in your building. For BitLocker, the recovery password is stored away from the computer, either on a USB flash drive, or as a 48-digit number that can be entered by the user. In a business environment, the recovery passwords are usually kept in Active Directory Domain Services. This recovery password is the key that will allow you to unlock your drive and get your data, even if your startup information has changed. With the recovery password, a burglar could get into your data without you even knowing!
The TPM is like a lobby in an office building. Most of the time, you can walk right in and through the foyer and proceed to your office. However, if the building is secured for some reason, the foyer door is locked. Conceptually, the TPM chip in your computer works in a similar way. The “inside door” is the Windows logon process. If the TPM detects changes to the key startup components in your system, it puts the “building” into lockdown – which means that BitLocker will require the recovery password to unlock the drive.
For extra security, use a TPM+ key. You can configure BitLocker with a PIN or a startup key (cryptographic key information stored on a USB flash drive). Either of these adds a second factor of authentication, as you might use two locks on your door.
The PIN works like a numeric key pad on a high-security door, reinforcing the door lock. The PIN is known by the user and entered at startup. If the wrong PIN is used, or if the PIN cannot be provided, the information remains locked.
The startup key is like a deadbolt on the door. The startup key must be found on a USB flash drive at computer startup. If the wrong Startup key is used, or if the Startup key is missing, the information remains locked.
Using your BitLocker keys will soon become as automatic as any of the other keys in your life. In many scenarios, using the BitLocker keys will be totally transparent and seamless.
Note to security and crypto-types: There are more than three types of keys in BitLocker, of course. They are not covered in this overview, but if you want more information, see the BitLocker Technical Overview. That document has a much fuller description of keys and cryptographic structures that are not meant to be handled by the user or administrator, but are used to secure the data.