How Do You Want to Recover BitLocker-Protected Drives?

Applies To: Windows 7, Windows Server 2008 R2

A recovery method is used when a drive cannot be accessed by using the normal BitLocker unlock method. Unlock can fail on an operating system drive when a PIN is forgotten, a startup key is lost, or if the Trusted Platform Module (TPM) registers changes in the system components that it monitors before allowing the computer to start. For fixed and removable data drives, a recovery method is used when a password is forgotten or a smart card is lost. Consider the following situations when choosing which recovery methods your organization will support:

  • Do you expect that users may need to recover information from drives when their computers are not connected to your domain; for instance, when a user is traveling?

  • Is it acceptable to your organization that recovery access to a BitLocker-protected drive requires a user to be physically present at the computer?

  • Do you want all users in your organization to be able to store their own recovery keys, or do you want your IT staff to be responsible for recovery key storage?

BitLocker recovery methods

The following table describes the recovery methods available for use with BitLocker.

Recovery method: Recovery password (also known as a recovery key in the graphical user interface and as a numerical password in the Manage-bde command-line tool)
Description: The recovery password is a 48-digit numerical password that can be backed up to Active Directory Domain Services (AD DS). It can also be printed or saved to a text file.
User configuration options: The password can be printed or saved to a file by the user. This functionality can be disabled by Group Policy.

Recovery method: Recovery key
Description: The recovery key is a 256-bit key that can be saved to a USB flash drive. It is not available by default for removable data drives. It is Federal Information Processing Standard (FIPS) compliant.
User configuration options: The location in which to save the recovery key must be specified by the user.

Recovery method: Data recovery agent
Description: The data recovery agent is a public key that is distributed to all BitLocker-protected devices as configured by Group Policy. It is FIPS compliant.
User configuration options: Data recovery agents cannot be configured by the user.

Each drive type for BitLocker can have different recovery methods configured for it. Multiple recovery solutions can be configured for a single drive type. The following table lists the advantages and disadvantages for each recovery method.

Recovery method: Recovery password (use of recovery passwords backed up to AD DS is a best practice)

Advantages:

  • Can be backed up to AD DS

  • Does not require IT physical presence

  • 48-digit password can be read over the phone by a help desk attendant

  • Users can print or save recovery passwords to a file, or this functionality can be disabled by Group Policy

Disadvantages:

  • Not FIPS compliant

Recovery method: Recovery key

Advantages:

  • FIPS compliant

Disadvantages:

  • Cannot be backed up to AD DS

  • Users may store USB drives with their computer

  • If the key to unlock the operating system drive is stored with the computer, the protection is rendered useless

  • USB drives could be lost

  • If users lose the USB drive with their recovery key, they will not have a recovery method

Recovery method: Data recovery agent

Advantages:

  • FIPS compliant

  • Automatically applied to drives

Disadvantages:

  • IT department personnel must be physically present

  • The private key must be used to recover the drive

  • The operating system drive must be installed on another computer running Windows 7 as a data drive

Choosing recovery methods

The following flow chart provides an overview of the different recovery methods and the criteria that should be considered when selecting a recovery method.

If you choose to support either the recovery password or the recovery key, you can use AD DS to store the recovery information. BitLocker integrates with AD DS to provide centralized key management for recovery information. When the recovery password or recovery key methods are supported, users can print recovery information, save it to a file, or save it to a USB drive. However, by default this recovery information is not provided to system administrators, and none of it is backed up to AD DS. This means that being able to recover BitLocker-protected drives is solely the responsibility of the user.

To provide an administrative method to recover BitLocker-protected drives, you can configure Group Policy settings to enable the backup of BitLocker and TPM recovery information to AD DS. Windows Server 2008 and Windows Server 2008 R2 include support for BitLocker recovery by default. If you are using domain controllers running Windows Server 2003, you must extend the schema first to provide storage locations in AD DS for BitLocker recovery data.
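The following PowerShell script is an added example (not from the original page) of the administrative path described above: it uses the Manage-bde tool on Windows 7 to confirm that the operating system drive has a recovery password (numerical password) protector, adds one if it is missing, and backs each such protector up to the computer object in AD DS. It assumes an elevated prompt on a domain-joined computer whose Group Policy permits AD DS backup; the parsing of Manage-bde's "Numerical Password:" / "ID: {GUID}" output lines is an assumption about that tool's text layout.

```powershell
# Added example: escrow a drive's BitLocker recovery password protector(s) to AD DS with manage-bde.
# Assumes an elevated PowerShell session on a domain-joined Windows 7 computer.
param([string]$Drive = "C:")

# Return the protector IDs of every Numerical Password (recovery password) protector on a volume.
# Assumption: manage-bde lists each protector as a type line ("Numerical Password:")
# followed by a line of the form "ID: {GUID}".
function Get-RecoveryPasswordIds([string]$Volume) {
    $text = (& manage-bde -protectors -get $Volume 2>&1) | Out-String
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -get $Volume failed:`n$text" }
    $ids = @()
    $lines = $text -split "`r?`n"
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match '^\s*Numerical Password:' -and
            $lines[$i + 1] -match 'ID:\s*(\{[0-9A-Fa-f\-]+\})') {
            $ids += $Matches[1]
        }
    }
    return $ids
}

$ids = Get-RecoveryPasswordIds $Drive
if ($ids.Count -eq 0) {
    # No recovery password protector yet: add one. manage-bde prints the 48-digit password
    # once; it is discarded here so it does not end up in a console log or transcript.
    & manage-bde -protectors -add $Drive -RecoveryPassword | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not add a recovery password protector to $Drive" }
    $ids = Get-RecoveryPasswordIds $Drive
}

# Back each recovery password protector up to the computer object in AD DS.
# This fails if Group Policy does not allow AD DS backup or the domain controller is unreachable,
# which is exactly the "user is solely responsible" state the text warns about.
foreach ($id in $ids) {
    & manage-bde -protectors -adbackup $Drive -id $id | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "AD DS backup failed for protector $id on $Drive (check Group Policy and domain connectivity)"
    } else {
        Write-Host "Backed up recovery password protector $id for $Drive to AD DS"
    }
}
```

Run it once per drive type you decide to support; the same -adbackup call works for fixed data drives when their protector IDs are substituted.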

The following recovery data can be saved for each computer object:

  • Recovery password

    A 48-digit recovery password used to recover a BitLocker-protected drive. Users enter this password to unlock a drive when BitLocker enters recovery mode.

  • Key package data

    With this key package and the recovery password, you will be able to decrypt portions of a BitLocker-protected drive if the drive is severely damaged. Each key package will only work with the drive it was created on, which can be identified by the corresponding BitLocker identifier.

  • TPM owner password hash

    When ownership of the TPM is taken as part of turning on BitLocker, a hash of the ownership password can be taken and stored in AD DS. This information can then be used to reset ownership of the TPM.

By default, domain administrators are the only users that can access BitLocker recovery information stored in AD DS. When you plan your support process, define what parts of your organization need access to BitLocker recovery information. Use this information to define how the appropriate rights will be delegated in your AD DS environment.

As a best practice, we recommend that you enable storing of BitLocker recovery information and key packages in AD DS. For more information about Active Directory configuration and BitLocker recovery, see the following resources: