Open Sesame: BitLocker Recovery Passwords

Anyone who has tried enabling BitLocker will have been greeted with a friendly dialog box insisting that you create a recovery password. I remember the first time I saw this, I found myself asking, “what is this recovery password, and what am I supposed to do with it?”

Let’s first take a look at the BitLocker system. BitLocker has two major features: 1) it encrypts the Windows volume to prevent offline attacks against lost or stolen laptops, and 2) it uses the TPM to measure the components loaded during the boot process and ties the disk-encryption key to those measurements, so that the integrity of the system is checked at start-up. These measurements detect attacks that try to get into your system before the OS loads.

If the measurements taken during start-up match the values recorded when BitLocker was enabled, the TPM releases the key and the system boots into Vista as expected. If the measurements change, however, BitLocker will enter recovery mode. There are several scenarios that can cause these measurements to change. Some scenarios are harmless, like moving a BitLocker-protected drive into a new computer or updating the BIOS, while others are malicious, like a rootkit that modifies the boot components. For a more complete discussion of recovery scenarios, check out the BitLocker Technical Overview.

In recovery mode, encrypted data will not be unlocked unless you can present the recovery password, either by inserting a USB flash drive containing the recovery password or typing it in manually. Start-up PINs and keys will not work in recovery mode.

This leads to two critical points:

· If you lose the recovery password and the system goes into recovery mode, the data is irretrievable.

· If an adversary gets your recovery password, he can make changes to your system and bypass BitLocker. This is equivalent to a thief learning your Windows XP administrator password or your mother’s maiden name.

So this leads to an interesting tension: you want to preserve your recovery password, but not leave it accessible to an attacker. Taping your recovery password to your laptop is a bad idea. But what other backup options are available? Well, we have a few ideas:

· Save your recovery password on a USB drive, and put it on your key chain (or in a safe).

· Print out the recovery password and hide it away in a file folder.

· Burn the recovery password onto a CD (or floppy) and store that away in some safe place.

· BitLocker also supports automatic backup of recovery passwords to Active Directory Domain Services. This is the recommended method for backing up recovery passwords in business scenarios.
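Several of the options above (printing the password, copying it to a USB drive, typing it at the recovery screen) involve a human transcribing 48 digits, and a single mistyped digit makes the backup useless. As an added example that is not part of the original post, here is a small Python validator that goes slightly beyond the text by using the documented structure of the recovery password: eight blocks of six decimal digits, where each block is a 16-bit value multiplied by 11 (so every block is divisible by 11 and below 720896). The sample password in the block is constructed for illustration and is not a real key.

```python
import re
from typing import List, Optional

# A BitLocker recovery password is 48 decimal digits shown as 8 blocks of 6.
# Each block is a 16-bit value multiplied by 11, so a block is valid only if it
# is divisible by 11 and below 65536 * 11. That divisibility rule is what lets
# the recovery screen reject a single mistyped digit.
BLOCKS = 8
BLOCK_DIGITS = 6
BLOCK_LIMIT = 0x10000 * 11  # 720896: first value that is not a 16-bit word * 11

# Constructed sample (not a real key); each block is a 16-bit value * 11.
SAMPLE_PASSWORD = "000000-000011-720885-135795-045056-002805-330000-000077"


def split_blocks(text: str) -> List[str]:
    """Normalise a typed or OCR'd password and split it into eight blocks.
    Dashes and whitespace are optional, so '123456 654321 ...' also works."""
    digits = re.sub(r"[\s-]", "", text)
    if not digits.isdigit() or len(digits) != BLOCKS * BLOCK_DIGITS:
        raise ValueError("a recovery password is exactly 48 digits")
    return [digits[i:i + BLOCK_DIGITS]
            for i in range(0, len(digits), BLOCK_DIGITS)]


def check_digit(first_five: str) -> Optional[int]:
    """Sixth digit implied by the first five: d6 = (d1 - d2 + d3 - d4 + d5) mod 11.
    This is the divisibility-by-11 rule rearranged (10 == -1 mod 11); a result
    of 10 means no sixth digit can make the block valid, so None is returned."""
    d = [int(c) for c in first_five]
    value = (d[0] - d[1] + d[2] - d[3] + d[4]) % 11
    return None if value == 10 else value


def block_is_valid(block: str) -> bool:
    """A block is valid only if it is a multiple of 11 that fits in 16 bits."""
    value = int(block)
    return value % 11 == 0 and value < BLOCK_LIMIT


def invalid_blocks(text: str) -> List[int]:
    """Zero-based indexes of blocks that fail the check (empty list = looks good)."""
    return [i for i, b in enumerate(split_blocks(text)) if not block_is_valid(b)]


def to_key_bytes(text: str) -> bytes:
    """Recover the 16 raw bytes the password encodes: each block / 11 is one
    little-endian 16-bit word. BitLocker stretches these bytes with SHA-256
    before use, so this is the input to key derivation, not the volume key."""
    bad = invalid_blocks(text)
    if bad:
        raise ValueError("invalid block(s) at index %s" % bad)
    words = [int(b) // 11 for b in split_blocks(text)]
    return b"".join(w.to_bytes(2, "little") for w in words)


if __name__ == "__main__":
    print("sample password, bad blocks:", invalid_blocks(SAMPLE_PASSWORD))
    typo = SAMPLE_PASSWORD.replace("720885", "720886")  # one mistyped digit
    print("after a typo in block 3, bad blocks:", invalid_blocks(typo))
    print("raw key bytes:", to_key_bytes(SAMPLE_PASSWORD).hex())
```

Running the check on a printed copy before filing it away, or on the digits you are about to type at the recovery prompt, catches transcription errors but says nothing about whether the password belongs to this particular volume; only the recovery screen (or the protector ID stored alongside the password) can tell you that.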


Two things you should always remember about the BitLocker recovery password: back it up and keep it safe.

For a related music selection:

                ‘N Sync – “I Want You Back” from the album “’N Sync” (1998)

- Jonathan Rhodes