Windows 10: [BitLocker] Encrypting without generating recovery key?

Discussion in 'AntiVirus, Firewalls and System Security' started by qp0615932, Jan 2, 2018.

  1. qp0615932 Win User

    [BitLocker] Encrypting without generating recovery key?


    Hi,

    is there a way to encrypt a BitLocker drive without generating a recovery key?

    Other encryption tools such as DiskCryptor/VeraCrypt/TrueCrypt or those found on Linux can simply be used with one PIN, no recovery key required.

    BitLocker also allows encrypting with a PIN. But even when using a PIN, it still always seems to require generating a recovery key in addition.

    Is it possible to disable recovery keys altogether? So that only a PIN is set up to encrypt the drive and nothing else?

    Why would you want a recovery key anyway, when you are already using a PIN? Why would you want to generate two passwords (PIN + recovery key) instead of just one password (only PIN without any recovery key)?

    :)
     
    qp0615932, Jan 2, 2018
    #1

  2. Can't use BitLocker on Tablet to encrypt system drive C:

    On my tablet (TrekStor SurfTab Duo W1 WiFi) I upgraded Windows 10 Home to Windows 10 Pro specifically to be able to use BitLocker.

    Now it turns out that BitLocker isn't able to encrypt my internal system drive C:, for a reason unknown to me.

    I know that, because the tablet doesn't have a permanent keyboard attached, BitLocker may see that as not fulfilling the minimum requirement.

    But I can force it to ask for a PIN via BitLocker policies.
    However, BitLocker always gives me this error message after a check:

    "[Window Title]
    BitLocker Drive Encryption

    [Main Instruction]
    BitLocker could not be enabled.

    [Content]
    The data drive specified is not set to automatically unlock on the current computer and cannot be unlocked automatically.

    C: was not encrypted.

    [Close]

    "

    The strange thing is, if I force BitLocker to use a PIN and BitLocker starts to check the system, after a reboot I get the prompt that asks me for the PIN as expected, so that part is working, but after login I get that error message again.

    And when I do the encryption of drive C: without letting BitLocker check the system first, after a reboot I get asked for the PIN, so far so good, but then, after it looks like Windows will boot as usual, Windows boots into recovery mode, prepares the recovery decryption of drive C: and asks me for the long BitLocker recovery key.
    So, what the **** is going on? Why isn't BitLocker working on that system drive on my tablet?

    System recovery is enabled and working.

    TPM 2.0 is active and working; that's what tpm.msc is telling me.

    The PIN is working as well, when I want to have a PIN.
    BitLocker can encrypt and unlock encrypted external drives and SD cards without any problems.

    I only have trouble with system drive C:.

    Any hints on how I can get BitLocker to encrypt my system drive C:?
     
    beta-tester, Jan 2, 2018
    #2
  3. Bitlocker Encryption Issue

    I encrypted a drive partition with BitLocker encryption in Windows 10, but I had to downgrade to Windows 8 because my Mmx 352g data card does not work on Windows 10 on my laptop (a Lenovo ThinkPad L420).

    Now I am not able to open my drive, neither with the same password I encrypted it with nor with the recovery key generated at the time of encryption.
     
    Harendra S. Ghanki, Jan 2, 2018
    #3
  4. [BitLocker] Encrypting without generating recovery key?

    PolarNettles, Jan 2, 2018
    #4
  5. qp0615932 Win User
    Sorry, but this would not solve the issue, because:

    If you have destroyed all copies of the recovery key and BitLocker then triggers a recovery event (due to a firmware upgrade without having suspended first, due to a Secure Boot issue, or due to whatever), the machine will boot up asking for the recovery key.

    What do you do then, when you have destroyed all copies of the recovery key? :)
     
    qp0615932, Jan 2, 2018
    #5
  6. Then it would be the same as if you lost your VeraCrypt key: you're screwed.
     
    PolarNettles, Jan 2, 2018
    #6
  7. qp0615932 Win User
    Sorry, no offense, but you do not seem to understand.

    For VeraCrypt there's just one PIN (let's call it a PIN; it can also be a password, of course). It needs to be entered upon boot or when decrypting the drive. It's just one PIN.

    On Linux and Android, there's also just one PIN that you need to enter upon boot or when you want to decrypt the drive.

    On VeraCrypt / Linux / Android there's no additional 48-digit recovery key. There's just the PIN you enter upon boot and that's it.

    BitLocker also allows setting a PIN (or password) which you can enter upon boot or when decrypting the drive.

    HOWEVER: With BitLocker there's also another 48-digit recovery key in addition by default. So there are two PINs.

    Is there any way to disable that additional 48-digit recovery key so that BitLocker can be used with just one PIN only?
     
    qp0615932, Jan 2, 2018
    #7
  8. [BitLocker] Encrypting without generating recovery key?

    Edit: See later posts

    I understand what you're saying. I am saying that disposing of the recovery key has the same effect as having just one PIN.

    The actual encryption/decryption key is 128 bits. So a brute-force attack has a 1 in 2^128 chance of getting it correct.

    The recovery key is also 128 bits and is unrelated to the encryption key. So a brute-force attack has a 1 in 2^128 chance of getting it correct.

    So whether you attack the actual key or the recovery key, you have the same probability of success.

    There's no way to skip generation of the recovery key but it is literally just a random number.

    Edit: Sorry, I take that back. You can disable the recovery password in group policy.

    [screenshot: group policy dialog]
     
    PolarNettles, Jan 2, 2018
    #8
  9. lx07 Win User
    No offense either but you don't understand how bitlocker works.

    You don't need a PIN at all. You can define one or not, as you wish. You can require a TPM or not. You can require (or not) a USB key or smart card.

    Now, if you are connected to AD, you can stop recovery using the recovery key, but @PolarNettles was right the first time: it is generated. If you are on a domain it can be saved on the server and only unlock in that case.

    If you set up a PIN it will ask for it. If you change the BIOS or whatever, it will ask for the recovery key. Your PIN is insufficient. You can disable this (and the drive will only unlock if you are also connected to a domain), but no, you cannot say "PIN will always unlock". It won't.

    The point is, a drive will only unlock if nothing has changed and you know your PIN, have put in your smart card, etc. If you changed the boot order in the BIOS, then your PIN will not work. You will have to enter the recovery key (from somewhere).

    If you haven't recorded the recovery key (and can't get it from the domain server or Microsoft.com), then you are, as mentioned before, screwed.
     
    lx07, Jan 2, 2018
    #9
  10. qp0615932 Win User
    No, that is wrong.

    Because it's not possible to tell Windows to never ask for the recovery key.

    If that would be possible, then yes, you could destroy every copy of the recovery key. But since Windows will ask for the recovery key (when you typed the PIN incorrectly too often or when you changed a BIOS setting without suspending BitLocker, or when Secure Boot triggers a recovery for example), you can not simply destroy every copy of the recovery key.

    This thread is about how to disable the recovery feature altogether.

    No, it is not just a random number, see above.

    Unfortunately that is also wrong.

    When selecting "Do not allow 48-digit recovery password", you have to use a 256-bit recovery key on a USB flash drive instead.

    When trying to disable both:


    [screenshot: both recovery options set to "Do not allow"]


    Trying to enable BitLocker will result in:


    [screenshot: BitLocker setup error]


    So, you either have to allow the 48-digit recovery password and save it as a TXT file or print it or you have to allow the 256-bit recovery key and save it on a USB flash drive.

    You can not use a PIN/password without using a 48-digit recovery password and without a 256-bit recovery key.

    This thread is about how to get rid of the 48-digit recovery password/256-bit recovery key requirement.
     
    qp0615932, Jan 2, 2018
    #10
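The options argued over in post #10 are the two recovery protectors of the "Choose how BitLocker-protected operating system drives can be recovered" policy, and on a standalone machine they are plain DWORD values under HKLM\SOFTWARE\Policies\Microsoft\FVE. The PowerShell below is an added example written for this page, not code from the thread or from Microsoft. It assumes an elevated session on a standalone Windows 10 Pro box (local policy, not domain-managed) whose OS volume is C:; the function name Set-OsRecoveryPolicy is this example's own. It sets the policy from the registry and then lists what key protectors the volume actually carries, which is the part that decides what can unlock it.

```powershell
# Added example (not from the thread): local-policy equivalent of the
# "Choose how BitLocker-protected operating system drives can be recovered" GPO,
# followed by a look at the protectors the volume really has.
# Assumptions: elevated PowerShell, standalone Windows 10 Pro, OS volume is C:.
# Value semantics shared by OSRecoveryPassword and OSRecoveryKey:
#   0 = do not allow   1 = require   2 = allow (the wizard default)
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

function Set-OsRecoveryPolicy {
    param(
        [ValidateSet(0, 1, 2)][int]$RecoveryPassword,  # 48-digit numeric password
        [ValidateSet(0, 1, 2)][int]$RecoveryKey,       # 256-bit key file on a USB drive
        [switch]$HideWizardPage                         # "Omit recovery options from the BitLocker setup wizard"
    )
    $values = @{
        OSRecovery         = 1                   # policy state: Enabled
        OSManageDRA        = 0                   # no data recovery agent
        OSRecoveryPassword = $RecoveryPassword
        OSRecoveryKey      = $RecoveryKey
        OSHideRecoveryPage = [int]$HideWizardPage.IsPresent
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $fve -Name $name -Value $values[$name] -Type DWord
    }
}

# The combination post #10 reports the wizard rejecting: both recovery methods forbidden.
# Set-OsRecoveryPolicy -RecoveryPassword 0 -RecoveryKey 0
# A combination the wizard accepts: allow (not require) the 48-digit password, forbid the
# USB key, and drop the wizard page that insists on saving it somewhere.
Set-OsRecoveryPolicy -RecoveryPassword 2 -RecoveryKey 0 -HideWizardPage

# Policy only shapes the wizard. What unlocks the volume is its key protector list: each
# protector is an independent wrapper around the volume master key, so a RecoveryPassword
# entry here means a 48-digit password exists whether or not you ever saved a copy.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
        @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object {
            "$($_.KeyProtectorType):$($_.KeyProtectorId)" }) -join ', ' } } |
    Format-List

# Same list from the older tool; this is also where the numeric password itself is printed.
manage-bde -protectors -get C:
```

Run the listing before and after any change to the policy: the policy values govern what the wizard will offer next time, but a protector that was already added stays on the volume until it is explicitly removed.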
  11. lx07 Win User
    You cannot. Hope that is clearer.
     
  12. qp0615932 Win User
    Okay, then, since you pointed out that I would not understand how BitLocker works:

    Can you please explain to us why exactly BitLocker can not work with just one PIN/password like it is being done on VeraCrypt / Linux / Android etc.?

    Why does it depend on a recovery mechanism whereas others do not?
     
    qp0615932, Jan 2, 2018
    #12
  13. [BitLocker] Encrypting without generating recovery key?

    The recovery key is actually a random number (see "BitLocker recovery password details" on the System Integrity Team Blog).

    You are correct in that you still need the recovery key in case of some BIOS/TPM change. I'll strike out that part from my earlier post to remove confusion.

    VeraCrypt does not use the TPM. Therefore its keys are stored on the drive itself. I am not too familiar with how Linux encryption is done, but it looks like dm-crypt/LUKS don't use the TPM either.

    BitLocker does store the keys in the TPM. And if the PCRs change (due to a BIOS/HW/bootloader change), then the TPM won't unseal the encryption key. That's why you need the recovery key.
     
    PolarNettles, Jan 2, 2018
    #13
  14. qp0615932 Win User
    Sorry, but wrong again :)

    BitLocker can also be used without having a TPM, and that is actually what I want to do :)

    So, why do I need to make use of BitLocker's recovery mechanism even if I do not have a TPM and use a PIN instead? ;)
     
    qp0615932, Jan 3, 2018
    #14
  15. qp0615932 Win User
    With a bit of know-how (that particular group policy really isn't intuitive), perhaps it would be possible to prevent the recovery events with the following group policy:


    [screenshot: group policy dialog]


    But there would probably still be a recovery event in case the PIN gets typed wrong too many times.
     
    qp0615932, Jan 3, 2018
    #15
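Posts #13 to #15 turn on two separate things: what happens when there is no TPM at all, and what triggers the recovery prompt when there is one. Two facts settle most of it. Without a TPM, the OS-drive protector BitLocker offers is a startup password (or a USB startup key); the numeric PIN only exists as the TPM+PIN protector, and a password protector has no TPM anti-hammering, so there is nothing for a wrong-password lockout to fall back to. With a TPM protector, the recovery prompt after a firmware or boot-order change comes from the TPM refusing to unseal after the PCRs moved, not from the recovery password, and suspending protection for one reboot before the change avoids it. The PowerShell below is an added example written for this page, not code from the thread; it assumes an elevated session on a standalone Windows 10 Pro machine, OS volume C:, and that enabling "Allow BitLocker without a compatible TPM" is acceptable there. The function names are this example's own.

```powershell
# Added example (not from the thread): make a startup password the only thing that unlocks
# the OS drive on a machine without a TPM, and show the suspend step for the TPM case.
# Assumptions: elevated PowerShell, standalone Windows 10 Pro, OS volume C:.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
# "Require additional authentication at startup" with the no-TPM box ticked. Without this,
# Enable-BitLocker refuses a password protector on an OS volume.
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord

function Enable-PasswordOnlyOsVolume {
    param([string]$MountPoint = 'C:')
    $pw = Read-Host -AsSecureString -Prompt 'Startup password'
    # No TPM: the protector is a password, not a TPM-bound PIN. Nothing is sealed to PCRs,
    # so firmware or boot-order changes cannot push this volume into recovery on their own.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -PasswordProtector -Password $pw -SkipHardwareTest
    # The Control Panel wizard adds a 48-digit recovery password as a second protector;
    # Enable-BitLocker only adds what it was asked for. Either way, strip any that exist
    # so the password is genuinely the only unlock path (the cmdlet refuses to remove the
    # last protector, so the password protector must already be in place).
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId
        }
    # Return the remaining protector types; expected: Password only.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
}

# TPM case: the recovery prompt the thread complains about is the TPM declining to unseal
# after a PCR change. Suspend for one reboot around the change; the TPM reseals to the new
# measurements on the way back up, and the recovery password is never asked for.
function Invoke-FirmwareChangeWindow {
    param([string]$MountPoint = 'C:')
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1
    # ... apply the UEFI update / change the boot order / toggle Secure Boot, then reboot.
    # Protection resumes automatically after that one reboot; Resume-BitLocker forces it earlier.
}

Enable-PasswordOnlyOsVolume -MountPoint 'C:'
```

The trade-off this leaves you with is the one lx07 describes: with the recovery protector gone, a forgotten startup password has no second path, exactly as with a lost VeraCrypt password. Check `Get-BitLockerVolume` after the wizard, not just after the cmdlet, because the wizard is the one that silently adds the protector you are trying to avoid.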