Windows 10: [BitLocker] Encrypting without generating recovery key?

Discus and support [BitLocker] Encrypting without generating recovery key? in AntiVirus, Firewalls and System Security to solve the problem; Hi, is there a way to encrypt a BitLocker drive without generating a recovery key? Other encryption tools such as DiskCryptor/VeraCrypt/TrueCrypt... Discussion in 'AntiVirus, Firewalls and System Security' started by qp0615932, Jan 2, 2018.

  1. qp0615932 Win User

    [BitLocker] Encrypting without generating recovery key?


    Hi,

    is there a way to encrypt a BitLocker drive without generating a recovery key?

    Other encryption tools such as DiskCryptor/VeraCrypt/TrueCrypt or those found on Linux can simply be used with one PIN, no recovery key required.

    BitLocker also allows to encrypt using a PIN. But, even when using a PIN, it still always seems to require to generate a recovery key in addition.

    Is it possible to disable recovery keys altogether? So that only a PIN is set up to encrypt the drive and nothing else?

    Why would you want a recovery key anyway, when you are already using a PIN? Why would you want to generate two passwords (PIN + recovery key) instead of just one password (only PIN without any recovery key)?

    :)
     
    qp0615932, Jan 2, 2018
    #1

  2. Can't use BitLocker on Tablet to encrypt system drive C:

    on my Tablet (TrekStor SurfTab Duo W1 WiFi) i upgraded Windows 10 Home to Windows 10 Pro specially to be able to use BitLocker.

    now it turns out, that BitLocker isn't able to encrypt my internal system drive C:

    to me for an unknown reason.

    i know, because the tablet doesn't have a permanent keyboard attached, BitLocker may see that as not fulfilling the minimum requirement.

    but i can force to ask for a PIN via BitLocker policies.
    but BitLocker always give me that error message after a check:

    "[Window Title]
    BitLocker Drive Encryption

    [Main Instruction]
    BitLocker could not be enabled.

    [Content]
    The data drive specified is not set to automatically unlock on the current computer and cannot be unlocked automatically.

    C: was not encrypted.

    [Close]

    "

    the strange thing is, if i force BitLocker to use a PIN and BitLocker starts to check the system, after a reboot i get the mask that ask me for the PIN as expected - so that part is working, but after login, i get again that error message.

    and when i do the encryption of drive c: without let BitLocker check the system first, after a reboot, i'll get asked for the PIN - so far so good, but then after the it looks like Windows will boot as usual, windows boots into recovery mode and prepares the
    recovery decryption of drive C: and asking me for the long BitLocker recovery key.
    so, what the **** is going on. why isn't BitLocker working on that system drive on my Tablet?

    system recovery is enabled and working,

    TPM 2.0 is avtive and working - that's, what tpm.msc is telling.

    the PIN is working as well, when i want to have a PIN.
    BitLocker can encrypt and unlock encrypted external drives and SD cards without any problems.

    i only have trouble with system drive C:

    any hints, how i can manage BitLocker encrypting my system drice C: ?
     
    beta-tester, Jan 2, 2018
    #2
  3. Bitlocker Encryption Issue

    I encrypted a drive partition with bitlocker encryption in windows 10, but I had to downgrade to windows 8 because of my Mmx 352g data card is not working on windows 10 on my laptop (i.e. Lenovo Thinkpad L420).

    Now I am not able to open my drive with the same password I encrypted with as well as with the recovery key generated at the time of encryption.
     
    Harendra S. Ghanki, Jan 2, 2018
    #3
  4. [BitLocker] Encrypting without generating recovery key?

    PolarNettles, Jan 2, 2018
    #4
  5. qp0615932 Win User
    Sorry, but, this would not solve the issue, because:

    When having destroyed all copies of the recovery key and when BitLocker would trigger a recovery event (due to a firmware upgrade without having suspended first or due to a Secure Boot issue or due to whatever), then the machine would boot up asking for the recovery key.

    What do you do then when you have destroyed all copies of the recovery key *Smile?
     
    qp0615932, Jan 2, 2018
    #5
  6. Then it would be the same as if you lost your Veracrypt key - you're screwed.
     
    PolarNettles, Jan 2, 2018
    #6
  7. qp0615932 Win User
    Sorry, no offense, but you do not seem to understand.

    For VeraCrypt there's just one PIN (let's call it PIN, can also be a password of course). It needs to be entered upon boot or when decrypting the drive. It's just one PIN.

    On Linux and Android, there's also just one PIN that you need to enter upon boot or when you want to decrypt the drive.

    On VeryCrypt / Linux / Android there's no additional 48 digit recovery key. There's just the PIN you enter upon boot and that's it.

    BitLocker also allows to set a PIN (or password) which you can enter upon boot or when decrypting the drive.

    HOWEVER: With BitLocker there's also another 48 digit recovery key in addition by default. So there are two PINs.

    Is there any way to disable that 48 digit additional recovery key so that BitLocker can be used with just one PIN only?
     
    qp0615932, Jan 2, 2018
    #7
  8. [BitLocker] Encrypting without generating recovery key?

    Edit: See later posts

    I understand what you're saying. I am saying that disposing of the recovery key has the same effect as having just one PIN.

    The actual encryption/decryption key is 128 bits. So a brute-force attack has a 1 in 2^128 chance of getting it correct.

    The recovery key is also 128 bits and is unrelated to the encryption key. So a brute-force attack has a 1 in 2^128 chance of getting it correct.

    So whether you attack the actual key or the recovery key, you have the same probability of success.

    There's no way to skip generation of the recovery key but it is literally just a random number.

    Edit: Sorry, I take that back. You can disable the recovery password in group policy.

    [BitLocker] Encrypting without generating recovery key? [​IMG]
     
    PolarNettles, Jan 2, 2018
    #8
  9. lx07 Win User
    No offense either but you don't understand how bitlocker works.

    You don't need a pin at all. You can define one or not as you wish. You can require TPM or not. You can require (or not) a USB or smartcard.

    Now if you are connected to AD you can stop recovery using recovery key but @PolarNettles was right the first time. It is generated. If you are on a domain it can be saved on the server and only unlock in that case.

    If you set up a PIN it will ask for it. If you change the BIOS or whatever it will ask for the recovery key. Your PIN is insufficient. You can disable this (and the drive will only unlock if you are also connected to a domain) but no you can not say "PIN will always unlock". It won't.

    The point is a drive will only unlock if nothing has changed and you know your PIN, have put in your smartcard etc etc. If you changed boot order in BIOS then your PIN will not work. You will have to enter the recovery key (from somewhere).

    If you haven't recorded the recovery key (and can't get it from domain server or Microsoft.com) then you are, as mentioned before, screwed.
     
    lx07, Jan 2, 2018
    #9
  10. qp0615932 Win User
    No, that is wrong.

    Because it's not possible to tell Windows to never ask for the recovery key.

    If that would be possible, then yes, you could destroy every copy of the recovery key. But since Windows will ask for the recovery key (when you typed the PIN incorrectly too often or when you changed a BIOS setting without suspending BitLocker, or when Secure Boot triggers a recovery for example), you can not simply destroy every copy of the recovery key.

    This thread is about how to disable the recovery feature altogether.

    No, it is not just a random number, see above.

    Unfortunately that is also wrong.

    When selecting "Do not allow 48-digit recovery password", you have to use a 256-bit recovery key on a USB flash drive instead.

    When trying to disable both:


    [BitLocker] Encrypting without generating recovery key? [​IMG]


    Trying to enable BitLocker will result in:


    [BitLocker] Encrypting without generating recovery key? [​IMG]


    So, you either have to allow the 48-digit recovery password and save it as a TXT file or print it or you have to allow the 256-bit recovery key and save it on a USB flash drive.

    You can not use a PIN/password without using a 48-digit recovery password and without a 256-bit recovery key.

    This thread is about how to get rid of the 48-digit recovery password/256-bit recovery key requirement.
     
    qp0615932, Jan 2, 2018
    #10
  11. lx07 Win User
    You can not. Hope that is clearer.
     
  12. qp0615932 Win User
    Okay, then, since you pointed out that I would not understand how BitLocker works:

    Can you please explain to us why exactly BitLocker can not work with just one PIN/password like it is being done on VeraCrypt / Linux / Android etc.?

    Why does it depend on a recovery mechanism whereas others do not?
     
    qp0615932, Jan 2, 2018
    #12
  13. [BitLocker] Encrypting without generating recovery key?

    The recovery key is actually a random number: BitLocker recovery password details System Integrity Team Blog

    You are correct in that you still need the recovery key in case of some BIOS/TPM change. I'll strike out that part from my earlier post to remove confusion.

    Veracrypt does not use the TPM. Therefore its keys are stored on the drive itself. I am not too familiar with how Linux encryption is done but it looks like dm-crypt/LUKS don't use the TPM either.

    Bitlocker does store the keys in the TPM. And if the PCRs change (due to a BIOS/HW/bootloader change) then the TPM won't unseal the encryption key. That's why you need the recovery key.
     
    PolarNettles, Jan 2, 2018
    #13
  14. qp0615932 Win User
    Sorry, but wrong again *Smile.

    BitLocker can also be used without having a TPM and that is actually what I want to do *Smile.

    So, why do I need to make use of BitLocker's recovery mechanism even if I do not have a TPM and use a PIN instead *Wink?
     
    qp0615932, Jan 3, 2018
    #14
  15. qp0615932 Win User
    With a bit of know-how (that particular group policy really isn't intuitive), perhaps it would be possible to prevent the recovery events with the following group policy:


    [BitLocker] Encrypting without generating recovery key? [​IMG]


    But there would probably still be a recovery event in case the PIN gets typed wrong too many times.
     
    qp0615932, Jan 3, 2018
    #15
Thema:

[BitLocker] Encrypting without generating recovery key?

Loading...
  1. [BitLocker] Encrypting without generating recovery key? - Similar Threads - BitLocker Encrypting without

  2. Possible to Bitlocker a drive without a recovery key?

    in Windows 10 Ask Insider
    Possible to Bitlocker a drive without a recovery key?: Is it possible to bitlocker-encrypt a drive and not have a recovery key? Or perhaps make it longer then 48digits? submitted by /u/user_982396 [link] [comments] https://www.reddit.com/r/Windows10/comments/ehqgup/possible_to_bitlocker_a_drive_without_a_recovery/
  3. BitLocker Drive Encryption Recovery Key

    in AntiVirus, Firewalls and System Security
    BitLocker Drive Encryption Recovery Key: On Windows 10, I'm trying to set up a Bitlock Recovery Key and I accepted the Print option. On the print out I am being asked to compare the start of the identifier on the print out with the identifier on my computer to see if it matches. Where on the computer would I find...
  4. Bitlocker key or recovery key

    in Windows 10 Installation and Upgrade
    Bitlocker key or recovery key: Help, i turned off my Dell computer a few hours later after a update i tried to reboot my compter but its asking for a bitlocker key or recovery key. I spent 2.5 hours on the phone with Dell support than microsoft support to no avail. They are both blaming the other while im...
  5. BitLocker encrypted drive not unlocking with recovery key

    in Windows 10 Network and Sharing
    BitLocker encrypted drive not unlocking with recovery key: I encrypted an external hard drive a while ago and have since forgotten the password. I have the 48 digit recovery key saved to my computer as a notepad document. The problem I am having is that when I enter the 48 digit recovery key to unlock the drive nothing happens. No...
  6. Is there a way to generate Bitlocker recovery key with key ID?

    in AntiVirus, Firewalls and System Security
    Is there a way to generate Bitlocker recovery key with key ID?: Hello, I have a SD card, that I have encrypted with Bitlocker using win 7 from another PC. (Bitlocker to Go) I am sure that the password is 85% correct but Bitlocker doesn't accept it. I don't have on my outlook account or on my computer the recovery key. The recovery key...
  7. bitlocker recovery key

    in AntiVirus, Firewalls and System Security
    bitlocker recovery key: hi what is bit locker recovery key https://answers.microsoft.com/en-us/protect/forum/all/bitlocker-recovery-key/65c98469-a439-4b34-87bf-5b489e658898
  8. BitLocker Recovery Key

    in Windows 10 Installation and Upgrade
    BitLocker Recovery Key: I have a Dall Venue 11 tablet computer with a Windows 10 OS. Last summer a Windows automatic update to the tablet caused it to crash. I am unable to boot the computer. It does, though, display a screen titled "BitLocker" that prompts me to enter recovery key. The screen...
  9. bitlocker recovery key

    in Windows 10 Installation and Upgrade
    bitlocker recovery key: Hello everybody, I lost my bitlocker recovery key number from my lenovo tablet, during a update of windows bios. I try find in my onedrive windows and isn´t here. How can recovery my tablet?...
  10. Changing the BitLocker Recovery Key on an Already Encrypted OS drive?

    in AntiVirus, Firewalls and System Security
    Changing the BitLocker Recovery Key on an Already Encrypted OS drive?: Is there a way I can change the BitLocker recovery key to a new one on my encrypted OS drive? Do I need to first Suspend BitLocker to do so? Is there a tutorial on this here? Thanks 101007
Tags:

Users found this page by searching for:

  1. bitlocker could not be enabled the data drive specified

    ,
  2. The data drive specified is not set to automatically unlock on the current computer and cannot be unlocked automatically