3

BitLockerVolume -MountPoint C).KeyProtector I see multiple RecoveryPassword key protectors; how do I know which one is active?

If I pull the HDD and plug it into another machine it's going to ask me for one of those keys, but how do I know which key ID it will ask for?

Edit: So this is my concern. I know multiple keys can be active, but when prompted by Windows it asks for ONE SPECIFIC KEY ID (see the screenshot of the recovery prompt).

So how do I know which key ID it will ask for, AND can I just give it any of the active keys on this screen? It's asking for a specific one; if I give it a different one, it's going to be cool with that?

red888
  • Not certain, but I believe you should be able to provide any of the protectors. – Zoredache Oct 18 '16 at 22:29
  • So that's what I'm confused about, because Windows will say, at the preboot screen, effectively "Give me the password for THIS KEY". I doubt it would accept a password for a different key ID. – red888 Oct 18 '16 at 22:35
  • I am not sure that is true, but I have never been in a case where I had multiple recovery keys and I didn't have access to the option that I was prompted for (since our recovery keys are published to AD). – Zoredache Oct 18 '16 at 23:39
  • Updated my answer. I tested a specific scenario and Windows 10 1511 accepted a 48-digit string that did not match the key ID requested for an external USB drive with only two Numerical Password protectors. In that case the answer is either 48-digit string will work, irrespective of key ID requested. – Weaver Oct 18 '16 at 23:52

1 Answer

8

TL;DR

Any of the RecoveryPassword / Numerical Password type protectors will unlock the volume encryption key, and thus unlock the volume. In a BitLocker recovery scenario, BitLocker will prompt for the key ID of the first RecoveryPassword / Numerical Password type protector added, and in the test outlined below the 48-digit password for the RecoveryPassword / Numerical Password protector key ID that was NOT requested was accepted.

EDIT: Tested on Windows 10 Build 1511 using an external USB drive with two Numerical Password / RecoveryPassword protectors - no other protectors (of any type) present. Windows prompts for a key ID; I entered the 48 digits for the other key ID and Windows unlocked the drive. Seemingly there are smarts under the hood to try all active Numerical Password / RecoveryPassword protectors when a 48-digit string is entered during recovery - not just the requested key ID. YMMV with other combinations / versions. Try it.

manage-bde.exe -protectors -get c: will list the active protectors (however many are present on the volume) and display the Numerical Password IDs and the 48-digit password(s).

Protectors can be removed using manage-bde.exe and Remove-BitLockerKeyProtector.

Additional Background

  • An AES128 symmetric encryption key is used to encrypt the volume itself. To change this volume encryption key requires re-encrypting the entire volume.
  • BitLocker does not ever change the volume encryption key (unless BitLocker is disabled [not suspended] and then re-enabled). To protect the volume encryption key, BitLocker adds layer(s) to protect it, called protectors (think encryption for the volume encryption key).
  • Various types of protectors exist. Any single protector can unlock the volume encryption key on its own.
  • The Numerical Password protector (according to manage-bde.exe) is also known as the RecoveryPassword (according to Get-BitLockerVolume) - same concept, just different nouns from different tools.
  • The Numerical Password / RecoveryPassword is the 48-digit number that is used during BitLocker recovery.
  • More than one protector of type Numerical Password / RecoveryPassword can be active on a volume.
Weaver
  • Startup keys are also effectively recovery keys and there can also be multiple startup keys, all of which can work. – Greg Askew Oct 19 '16 at 13:10
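An added example, not code from the answer above or from Microsoft: a small PowerShell script that uses the cmdlets the answer names (Get-BitLockerVolume, Remove-BitLockerKeyProtector) plus Backup-BitLockerKeyProtector to inventory the RecoveryPassword protectors on a volume, mark the one whose ID the recovery prompt is expected to show, escrow them to AD DS, and prune stale ones without ever deleting the last recovery protector. It assumes an elevated session on Windows 8 / Server 2012 or later with the BitLocker module, and that Get-BitLockerVolume lists RecoveryPassword protectors in the order they were added (the answer reports that the first one added is the ID requested at the prompt; that ordering is an assumption here).

```powershell
# Added example (not from the original answer). Assumes the BitLocker PowerShell
# module, an elevated session, and that KeyProtector order == order added.

function Get-RecoveryProtector {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # KeyProtectorType 'RecoveryPassword' is what manage-bde calls "Numerical Password".
    # Equivalent listing from the other tool:  manage-bde.exe -protectors -get C:
    @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

function Show-RecoveryProtector {
    param([string]$MountPoint = 'C:')
    $protectors = Get-RecoveryProtector -MountPoint $MountPoint
    if ($protectors.Count -eq 0) {
        Write-Warning "$MountPoint has no RecoveryPassword protector; recovery would be impossible."
        return
    }
    for ($i = 0; $i -lt $protectors.Count; $i++) {
        $p = $protectors[$i]
        # Only the last 6-digit group is shown; read $p.RecoveryPassword (or use
        # manage-bde -protectors -get) when the full 48-digit value is needed.
        $pw     = $p.RecoveryPassword
        $masked = ('******-' * 7) + $pw.Substring($pw.Length - 6)
        # Assumption: index 0 is the ID the recovery screen asks for; per the
        # answer's test, any listed recovery password is accepted regardless.
        $note = if ($i -eq 0) { 'ID shown at recovery prompt' } else { 'also accepted' }
        '{0}  {1}  ({2})' -f $p.KeyProtectorId, $masked, $note
    }
}

function Backup-RecoveryProtectorToAD {
    param([string]$MountPoint = 'C:')
    # Escrow every recovery password to AD DS so recovery does not depend on
    # someone having written down a 48-digit string (domain schema/GPO required).
    foreach ($p in Get-RecoveryProtector -MountPoint $MountPoint) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
}

function Remove-StaleRecoveryProtector {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][string[]]$KeyProtectorId
    )
    # Guard: refuse to remove the last RecoveryPassword protector on the volume.
    $remaining = (Get-RecoveryProtector -MountPoint $MountPoint).KeyProtectorId |
        Where-Object { $KeyProtectorId -notcontains $_ }
    if (@($remaining).Count -eq 0) {
        throw "Refusing to remove every RecoveryPassword protector from $MountPoint."
    }
    foreach ($id in $KeyProtectorId) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id
    }
}

# Usage (review first, escrow, then prune; the ID below is a placeholder):
# Show-RecoveryProtector -MountPoint 'C:'
# Backup-RecoveryProtectorToAD -MountPoint 'C:'
# Remove-StaleRecoveryProtector -MountPoint 'C:' -KeyProtectorId '{<stale-protector-id>}'
```

Since any listed recovery password unlocks the volume, every extra RecoveryPassword protector is an extra credential to track: escrow them before relying on them and remove the ones nobody can account for, keeping at least one.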