The Bitlocker key is the actual encryption key used to encrypt and decrypt the drive.
The Bitlocker PIN is an optional value/number you may create when you Bitlocker encrypt a drive so that access to the system is blocked until the PIN is entered at startup. This option is used when the key is stored in the TPM chipset on the system: without a PIN, anyone who can log in to a user account on the system can gain access to the drive while it is still installed within that system. The PIN is an additional layer of security, and does NOT recover the key if the key is lost or corrupted. The PIN may be required for recovery if you have enabled the Bitlocker PIN as a layer of access security. (This is the password that I reset in my Managing Bitlocker video.)
The Bitlocker Password (the Recovery Password) is a 48 digit number generated at the time of Bitlocker drive encryption that may later be used to recreate the Bitlocker Key. It is the visible component of the value stored or printed when you recreate the Bitlocker Key on a drive to which you already have access. You are asked to print, display, or save the password to external media when you Bitlocker a drive. At the recovery screen this password is input using the function keys (F0-F9) rather than numeric keys or the keypad, so you only want to use this option as a last resort for recovery. You cannot reset or recreate this password unless you are managing a Bitlocker drive to which you already have access. If you lose this Recovery Password, and your PIN or Bitlocker Key, then the drive is unrecoverable.
Note that throughout the documentation from Microsoft, within my videos, and other documentation, the terms PIN and Password are often used interchangeably. Think password versus Password. The Bitlocker PIN may be text or a phrase, is used as a layer of access control and as such is often referred to as a ‘password’. The Bitlocker (Recovery) Password is always a numeric value (48 digits by default), is stored with the Key, and is numeric like a PIN. It is formally labeled the Password, and it is used only for recovery purposes, not for access control.
Microsoft provides guidance for BitLocker Drive Encryption Technical Overview and BitLocker recovery keys: Frequently asked questions, that you should read before encrypting a drive using Bitlocker.
Brien Posey provides a simple but comprehensive overview of lost Bitlocker PINs and keys, How to recover from lost BitLocker PINs and startup keys, as well. The summary: If you did not prepare to recover a Bitlocker drive, afterthought will not help you.
First focus: create an environment designed to manage Bitlocker and Bitlocker-to-Go™ encrypted drives. Without pre-determination, recovery can be a daunting or even impossible task.
- Create a Bitlocker management and recovery system hosted on Windows 7 Enterprise, Windows 7 Ultimate, or Windows 8 Enterprise. You need one of these Operating System environments to manage Bitlocker drives. While you may read Bitlocker drives on other systems, management is not possible.
- Use a 64-bit OS environment to effect your testing and management. Digitally signed drivers are important, and a 64-bit test environment ensures that you are using signed device drivers compatible with the Windows 7 or Windows 8 environments, and gives better performance for Bitlocker management.
- The management system must have a TPM chipset, and TPM must be enabled in BIOS/UEFI. While you may Bitlocker a drive using non-TPM mode, you do not want to perform recovery using non-TPM mode. In fact, you cannot save the recovery key for a removable media drive on removable media. (You might be able to transport it via removable media within a recovery agent, but that is a separate consideration.)
- The management system should incorporate a USB 3.0 controller and multiple USB ports. Both USB 3.0 and 2.0 ports will enable a broader range of testing capabilities, although a USB 3.0 port will support USB 2.0 drives. USB 3.0 provides the IOPS you need to effectively manage Bitlocker drives.
- Create an Active Directory environment that includes Certificate Services OR acquire a Digital Certificate from an authorized third party Certificate Authority. Within this environment, use Group Policy to turn on a Recovery Agent for Bitlocker. Enable and test this environment to assure that your Bitlocker Credentials are being stored and are available for recovery before you begin to use Bitlocker in production.
- With Windows 8 you may store your recovery key using your Microsoft online account, though only if you are NOT in a domain attached environment.
- Create a corporate mechanism for storing the Bitlocker Password. Although the recovery mechanism is challenging, you want to ensure that you store the Recovery Password in a secure location, associated with the PC and/or drive identity, so that you can recover important business intellectual property should the drive ever become locked.
- Bitlocker Drive encryption requires the use of the Windows 7/8 Recovery Environment. This environment enables recognition of the Bitlocker drive under normal Bitlocker operation, and possible recovery of a Bitlocker drive should the key become lost or corrupted. Make certain that you understand use of and access to the Recovery environment for the Windows 7 or 8 OS.
- Learn the terminology associated with Bitlocker drive encryption. Recovery may be effected using a Personal Identification Number (PIN) or a recovery key (see Microsoft's What is a BitLocker recovery key?). These are decidedly different components.
- Bitlocker drive encryption and recovery can take DAYS. You must be patient. When you enable (turn on) Bitlocker, all of the drive content is encrypted. The size of the drive, the volume of content to be encrypted, the IOPS for the device and the system, the amount of RAM installed, and the processor speed will each impact encryption performance. For example, encrypting a 60 GB drive with the Windows 7 Enterprise OS, Microsoft office, and two user profiles (and no additional applications or data) required 24 hours to encrypt on a system meeting the minimum OS requirements. Disabling Bitlocker required almost the same amount of time. Recovery may take longer.
- Do Not Stop or Restart the Process of encryption or recovery once you have started. If you do, you might as well re-partition the drive.
- Acquire an external drive ‘clam-shell’ that will hold a mechanical drive, and another for Solid State Drives. Make sure both are USB 3.0 enabled. It may be possible to place a drive that has been Bitlocker encrypted into the ‘clam-shell’ and manage it from your dedicated management system IF you have the recovery key or certificate, or the associated Bitlocker password. You should test this process before you need it on a production drive, so that you understand all the components and sequence of steps. Stopping and restarting may not be a viable option.
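The following script is an added example (not from this post or from Microsoft) that ties the terminology above to the preparation steps in the list: it inventories the key protectors on a volume so the TPM/PIN access-control protectors are visibly distinct from the 48-digit Recovery Password, then makes sure a Recovery Password exists and is escrowed both to Active Directory and to a file keyed by computer name and protector ID. It assumes an elevated session on Windows 8 or later with the BitLocker PowerShell module (Windows 7 only has manage-bde), and `$ExportRoot` is a placeholder for a secured share of your own choosing.

```powershell
# Added example: inventory BitLocker protectors and escrow the Recovery Password.
param(
    [string]$MountPoint = "C:",
    [string]$ExportRoot = "\\FILESERVER\BitLockerEscrow"   # placeholder; use your secured share
)

# Confirm the management system's TPM is present and ready (see the TPM bullet above).
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    Write-Warning "TPM is not present/ready; enable it in BIOS/UEFI before managing drives here."
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host ("Volume {0}: status={1}, protection={2}, {3}% encrypted" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage)

# Tpm / TpmPin protectors control access at boot (the "PIN" in the text);
# RecoveryPassword is the numeric 48-digit value used only for recovery.
foreach ($kp in $vol.KeyProtector) {
    Write-Host ("  {0,-18} {1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId)
}

# Add a Recovery Password protector if the volume does not have one yet.
$rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

foreach ($p in $rp) {
    # Escrow to Active Directory; requires the Group Policy AD backup setting to be enabled.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId

    # Also record it offline, named by computer and protector ID so the record can be
    # matched against the ID shown on the recovery screen of a locked drive.
    $id   = $p.KeyProtectorId.Trim('{}')
    $file = Join-Path $ExportRoot ("{0}_{1}.txt" -f $env:COMPUTERNAME, $id)
    @(
        "Computer:          $env:COMPUTERNAME"
        "Volume:            $MountPoint"
        "Protector ID:      $($p.KeyProtectorId)"
        "Recovery Password: $($p.RecoveryPassword)"
    ) | Out-File -FilePath $file -Encoding ASCII
    Write-Host "Recovery Password escrowed to AD and written to $file"
}
```

Run it against a test volume on the management system first, then verify the escrowed record can be located before the drive is handed out.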