How do I ensure that BitLocker can't be bypassed with a recovery key?

1

0

I want to encrypt my hard drive using BitLocker, but it requires me to create a recovery key. Now, I understand why this is important, as there may be cases where my password alone can't unlock the drive, such as if the user profile gets corrupted. The problem is that if a determined thief gets my hard drive, then they might be able to get my recovery key as well, assuming I actually keep it in my house, on my person, or anywhere remotely connected to me. Of course, if my password is STILL required to unlock the drive, then the thief can't access my data. However, if the recovery key ALONE can unlock the drive, then there's absolutely nothing to stop the thief from accessing my data. It would be like a burglar entering somebody's house using a key from underneath a potted plant.

What am I missing? How do I ensure, on the one hand, that I won't ever be locked out of my data so long as I remember my password, and on the other hand, that I'm not creating something that a thief could use to bypass my password?

Note: I'm not using TPM.

Steohawk

Posted 2016-02-18T23:13:17.060

Reputation: 35

A recovery key can only be made after entering the correct password; once you make the key, store it in a safe place. If they steal your drive they cannot make another recovery key unless they have the current password. – Moab – 2016-02-18T23:16:57.513

Delete it. If it doesn't exist it cannot be used. – Ramhound – 2016-02-19T01:39:53.623

Answers

4

Short answer: Store your recovery key in a safe place. Maybe, for you, that's Google Drive, a flash drive you keep on your key-chain, or in an email you send to yourself.

The thief cannot generate a recovery key unless they are logged in to your computer. If they steal the drive without first getting the recovery key or your password, then BitLocker is doing its thing.

What you're asking for is 'how can I make a key which no one else can use which lets me get in if I forget my password' and the short answer is you can't. If you make the key, make it hard to find. If you don't make the key, don't forget your password.

It's a common trade-off in security: ease of use <--> strength of security.

As @Ramhound said. The additional/secondary use of the recovery key is if the hardware the drive was connected to changed. You would need it to access the data at that point.

Per @user1751825 "There is one other situation where you may require the recovery key. If you need to unlock your drive using the command line manage-bde utility I believe you may need the recovery key."

Abraxas

Posted 2016-02-18T23:13:17.060

Reputation: 3 704

Don't email it to yourself. This is nowhere near secure enough. BitLocker provides the option to upload to your OneDrive account. This would be preferable to storing it in an email. – user1751825 – 2016-02-18T23:27:33.593

@user1751825 As with most things, it's relative. If it's a personal laptop you don't care a tremendous amount for and you work at a company with intense email security, it's pretty low risk. Another use case is running your own Exchange/Postfix server where you manage the security. If you trust it enough, what is wrong with using it? I agree it's less ideal, but it's also not a physical thing and it may avoid cloud storage. – Abraxas – 2016-02-18T23:50:16.443

Even disregarding the potential security implications, email isn't designed to be a general purpose storage system. It's too easy to accidentally delete or misplace things. I know a lot of people do it, but it's really not something that should be encouraged. Like storing things in the recycle bin for later retrieval. – user1751825 – 2016-02-19T00:00:20.807

Again, was just providing an answer. I don't agree with using it for storage but people do and with the increase in availability of archive mailboxes and things like that it is not the 'worst' idea. But I would absolutely say to the OP not to store it in email. – Abraxas – 2016-02-19T00:02:00.613

I agree. It's not the worst idea, but there are simpler, safer options which really ought to be considered first. – user1751825 – 2016-02-19T00:05:55.427

@user1751825 no disagreement here :) – Abraxas – 2016-02-19T00:06:48.020

Thanks for the answer, but I want to clarify that I'm not worried about forgetting the password. In fact, I've had it memorized for quite some time now, and if I'm using it on a regular basis to unlock my hard drive, then I'll be forcing myself to keep said memory fresh. If that's the only purpose of a recovery key, then I'd rather not have one at all. Are there any OTHER reasons? Are there situations where my password wouldn't be sufficient to unlock the hard drive? If so, then I suppose I could create a recovery key file and encrypt it with my password, ensuring that only I could read it. – Steohawk – 2016-02-19T01:03:18.933

If for any reason the password stops working or the hardware (TPM) is changed, then it would be required. – Ramhound – 2016-02-19T01:42:41.877

The poster has indicated TPM isn't used. – user1751825 – 2016-02-20T04:20:59.210

There is one other situation where you may require the recovery key. If you need to unlock your drive using the command line 'manage-bde' utility I believe you may need the recovery key. – user1751825 – 2016-02-20T04:23:35.613

Thanks @user1751825 I didn't know about that one so I have added it to the answer! – Abraxas – 2016-02-20T04:25:15.530

1

The recovery key is only needed if you forget your password, so requiring the password when using the recovery key would be counter intuitive. If you're certain you'll never forget your password, then you don't need to keep the recovery key. This is risky though. I think simply keeping the recovery key in a secure location should be sufficient.

Update... The manage-bde command line utility only works with the recovery key, not the password. It is unlikely in normal use to need this utility, though.

user1751825

Posted 2016-02-18T23:13:17.060

Reputation: 846

If you type manage-bde -unlock -help, then you can see that the recovery key is not the only option for unlock. -Password is one of the supported options. – user364455 – 2016-02-20T05:06:13.973

@PetSerAl That's true. However, it does have limitations. This parameter doesn't accept a password at the command line, but opens a prompt dialog to allow the user to enter the password. This means it cannot be used in the Windows Recovery Environment, for example. Also, if you need to script the lock/unlock command to have it run non-interactively, you'll need the recovery password/key, as the -Password option will not work. – user1751825 – 2016-02-20T09:59:19.830

But you still can use wmic for scripting: wmic /namespace:\\Root\CIMV2\Security\MicrosoftVolumeEncryption path Win32_EncryptableVolume where DriveLetter='X:' call UnlockWithPassphrase Passphrase='Password' – user364455 – 2016-02-20T10:25:29.747

@PetSerAl Thanks for that. I was unaware of this alternative means of scripting. It looks very interesting. – user1751825 – 2016-02-20T11:29:21.480
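The exchange above turns on two practical questions: which protectors can actually unlock a volume (the asker's concern that a recovery key alone is enough), and how to unlock from a script without the interactive -Password prompt. The PowerShell below is an added example, not code from this thread; it uses the same Win32_EncryptableVolume WMI class as the wmic one-liner in the comments, first to list every key protector on a volume with its type, then to call UnlockWithPassphrase with a passphrase supplied by the script rather than a dialog. It assumes an elevated session on a Windows machine with BitLocker, and the drive letter D: is a placeholder.

```powershell
# Added example (not from the thread): audit the key protectors on a BitLocker
# volume, then unlock it non-interactively via Win32_EncryptableVolume.
# Assumptions: elevated PowerShell on Windows; $DriveLetter is a placeholder.
param(
    [string]$DriveLetter = 'D:'   # placeholder; replace with your own volume
)

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Protector type codes as documented for Win32_EncryptableVolume.GetKeyProtectorType.
# For a non-TPM setup like the asker's you would expect to see only 8 and 3.
$ProtectorTypes = @{
    0 = 'Unknown'
    1 = 'TPM'
    2 = 'External key (startup key / .BEK file)'
    3 = 'Numerical password (48-digit recovery password)'
    4 = 'TPM+PIN'
    5 = 'TPM+Startup key'
    6 = 'TPM+PIN+Startup key'
    7 = 'Public key'
    8 = 'Passphrase (the password you type at boot)'
    9 = 'TPM certificate'
    10 = 'CryptoAPI NG'
}

function Get-EncryptableVolume {
    param([string]$Letter)
    $vol = Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume |
        Where-Object { $_.DriveLetter -eq $Letter }
    if (-not $vol) { throw "No encryptable volume found for $Letter" }
    return $vol
}

function Get-VolumeProtectors {
    # Lists every protector ID on the volume together with its human-readable type,
    # so you can confirm exactly which secrets are able to unlock the drive.
    param([string]$Letter)
    $vol = Get-EncryptableVolume -Letter $Letter
    # KeyProtectorType 0 asks for all protectors regardless of type.
    $ids = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
            -Arguments @{ KeyProtectorType = [uint32]0 }).VolumeKeyProtectorID
    foreach ($id in $ids) {
        $code = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorType `
                 -Arguments @{ VolumeKeyProtectorID = $id }).KeyProtectorType
        [pscustomobject]@{
            ProtectorId = $id
            TypeCode    = [int]$code
            Type        = $ProtectorTypes[[int]$code]
        }
    }
}

function Unlock-VolumeWithPassphrase {
    # Non-interactive counterpart of 'manage-bde -unlock D: -Password', which only
    # ever opens a prompt. The passphrase is handed to the WMI method directly.
    param([string]$Letter, [securestring]$Passphrase)
    $vol = Get-EncryptableVolume -Letter $Letter
    # Convert the SecureString only at the moment it is needed.
    $plain = [System.Net.NetworkCredential]::new('', $Passphrase).Password
    $r = Invoke-CimMethod -InputObject $vol -MethodName UnlockWithPassphrase `
         -Arguments @{ Passphrase = $plain }
    if ($r.ReturnValue -ne 0) {
        throw ('UnlockWithPassphrase failed, HRESULT 0x{0:X8}' -f $r.ReturnValue)
    }
    # GetLockStatus: 0 = unlocked, 1 = locked
    return ((Invoke-CimMethod -InputObject $vol -MethodName GetLockStatus).LockStatus -eq 0)
}

# Usage: show the protectors, then unlock with a passphrase read from the console.
Get-VolumeProtectors -Letter $DriveLetter | Format-Table -AutoSize
$pw = Read-Host -Prompt "Passphrase for $DriveLetter" -AsSecureString
if (Unlock-VolumeWithPassphrase -Letter $DriveLetter -Passphrase $pw) {
    Write-Host "$DriveLetter is unlocked"
}
```

The protector listing is the check the asker really wants: if the table shows only a Passphrase protector and a Numerical password protector, then those two secrets are the complete set of things that can open the drive, and removing the recovery password (as Ramhound suggests) leaves the passphrase as the only way in. The same listing is available from the command line as manage-bde -protectors -get D:. For scripting on systems that ship the BitLocker PowerShell module, Unlock-BitLocker -MountPoint D: -Password $pw (with a SecureString) and Unlock-BitLocker -MountPoint D: -RecoveryPassword '<48-digit key>' do the same job as the WMI call above; the Read-Host line here is only for the demo, and a scheduled task would fetch the passphrase from a vault rather than embed it in the script.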

0

Why not take the recovery file and encrypt it, using another passphrase you definitely won't forget that's different from the "main" BitLocker passphrase you're trying to protect?

Using PGP/GPG or LUKS or even TrueCrypt (still) should be safe.

Then it would be much safer to upload it to some online storage, but if something damages your computer (fire, theft, etc.) then there's no real reason to keep the recovery file off-site anyway (it's useless without the then-unavailable BitLocker data).

Xen2050

Posted 2016-02-18T23:13:17.060

Reputation: 12 097

-1

Store the key in your Microsoft account. Only those who have access to your Microsoft account can get the key. If you can't log in to your computer, use another nearby computer or laptop to go here:

https://support.microsoft.com/en-us/instantanswers/566e0e4e-4ca7-4df2-88fb-aa71c00ea55e/find-my-bitlocker-recovery-key

Here are the instructions straight from Microsoft:

Places to look for your BitLocker key:

On a printout you saved. Look in places you keep important papers.

Saved on a USB flash drive. Plug the USB flash drive in to your locked PC and follow the instructions. If you saved the key as a text file on the flash drive, use a different computer to read the text file.

In your Microsoft account. To get your recovery key, go to BitLocker Recovery Keys.

Or ask someone for help:

Ask someone with administrator privileges on the same PC to unlock it with their key.

If your PC is connected to a domain (usually a work or school computer), ask a system administrator for your recovery key.

If you still can't get in, you'll need to reset your PC. Learn how.

It's similar to putting it in Google Drive or Dropbox, but I think it's much better. In Google Drive you may forget where you stored the key. In Google Drive this is just another text file that may be lost somewhere.

With Microsoft they don't just store it on OneDrive (which is Microsoft's Dropbox, by the way). You won't see the key on your OneDrive. Microsoft have a special place to store the key just for you. So it's not just another text file. It's really a special feature made by the one company that makes the BitLocker system. It's much more easily found. It's more secure. You need to verify your identity on the phone first before you can sign in. And you get it as text, not just a text file.

Also, if you have several keys or hundreds of computers, Microsoft will name the computer where each key belongs.

If you save it on Google Drive you just have to try them one by one, I guess. Yeah, technically the recovery key has a file name you can match too. Still, it's far more convenient to get a key under the name of Jim-PC instead of key 12234-fdfdg-blabla-blublu.

You basically store the key with the same account you use to log in to your computer. The only way you will fail is if you forget the password to that account, but that means you can't log in to your computer anyway. If you are me, I may have several Google Drives not necessarily linked to my Microsoft account. So I think it's just more appropriate to store a Microsoft key using a Microsoft service.

user4951

Posted 2016-02-18T23:13:17.060

Reputation: 3 015

How is this different from storing it on Google Drive? – Ramhound – 2016-10-07T13:56:32.923