Microsoft Recovery Key FAQ: The Microsoft recovery key, also known as the BitLocker recovery key or Windows recovery key, is a special key created automatically when a particular drive is encrypted with BitLocker Drive Encryption.

The BitLocker recovery key is stored in a .BEK file with a name like BitLocker Recovery Key: 444C8E16-4F23-45E7-96CE-3B3FA04D2189.BEK.

BitLocker recovery key format: 44334-315590-197472-399399-419595-387156-320562-361383

The BitLocker recovery key can be used to unlock your BitLocker drive when you have lost the password or it is not working.
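A format check for the 48-digit layout shown above, as an added example that is not part of the original FAQ or Microsoft's code. It relies on two properties of the format that this page does not state: each six-digit group is a multiple of 11, and the group divided by 11 fits in 16 bits. It uses them to catch transcription errors and to find recovery passwords left in plain-text notes, reporting them redacted; all sample values are constructed.

```python
import re

# Layout shown above: eight hyphen-separated groups of six digits (48 digits).
# Format facts not stated on the page: each group is 11 * (a 16-bit value).
CANDIDATE = re.compile(r"(?<![0-9-])[0-9]{6}(?:-[0-9]{6}){7}(?![0-9-])")

def check_groups(password):
    """Return a list of format problems; an empty list means well-formed."""
    groups = password.strip().split("-")
    if len(groups) != 8:
        return [f"expected 8 groups, found {len(groups)}"]
    problems = []
    for i, g in enumerate(groups, 1):
        if not re.fullmatch(r"[0-9]{6}", g):
            problems.append(f"group {i}: not six digits")
        elif int(g) % 11:
            problems.append(f"group {i}: not a multiple of 11")
        elif int(g) // 11 > 0xFFFF:
            problems.append(f"group {i}: above the 16-bit range")
    return problems

def redact(password):
    """Keep the first group for triage and mask the other seven."""
    return "-".join([password[:6]] + ["******"] * 7)

def scan_text(text):
    """Return (line_number, redacted_value) for each well-formed password."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in CANDIDATE.finditer(line):
            if not check_groups(match.group()):
                findings.append((line_no, redact(match.group())))
    return findings

# Constructed sample data, not real recovery passwords.
SAMPLE_VALID = "110000-222222-135795-597531-333333-720885-000011-444444"
SAMPLE_NOTES = (
    "ticket note: user locked out after firmware update\n"
    f"recovery: {SAMPLE_VALID}\n"
    "order ref 123456-123456-123456-123456-123456-123456-123456-123456\n"
)

if __name__ == "__main__":
    print(check_groups(SAMPLE_VALID))
    print(check_groups(SAMPLE_VALID.replace("135795", "135796")))
    print(scan_text(SAMPLE_NOTES))
```

Run on the sample printed above, check_groups reports "group 1: not six digits", because that group has five digits as printed here; the other seven groups pass both checks.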

Que. What is BitLocker recovery?

Answer: BitLocker recovery is the procedure that allows you to gain access to a BitLocker-protected drive if you cannot unlock the drive normally. In a recovery situation, you have the following options to restore access to the drive:

  • The user can supply the recovery password. If your company permits users to print or save recovery passwords, the user can enter the 48-digit recovery password that was printed, saved on a USB drive, or saved to a Microsoft account online. (Saving a recovery password to a Microsoft account online is only permitted when BitLocker is used on a device that is not a member of an organization’s domain.)
  • A data recovery agent can use its credentials to unlock the drive. If the drive is an operating system drive, it must be mounted as a data drive on another computer for the data recovery agent to unlock it.
  • Domain administrators can obtain the recovery password from AD DS and use it to unlock the drive. Storing recovery passwords in AD DS is recommended so that IT professionals can obtain the recovery passwords for drives in their company if needed.

This method requires that you have enabled it in the BitLocker Group Policy setting "Choose how BitLocker-protected operating system drives can be recovered", located at Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives in the Local Group Policy Editor.

Que. Where can I find my BitLocker recovery key?

Answer: BitLocker ensured that the recovery key was securely stored before activating protection. There are several places where your recovery key could be, depending on the choice made when BitLocker was activated:

  • In your Microsoft account: Sign in to your Microsoft account on a different device to find your recovery key. If you own a modern device that supports automatic device encryption, the recovery key is most likely in your Microsoft account. For more information, see the device encryption feature in Windows.
  • NOTE: If the device was set up, or BitLocker protection was activated, by a different user, the recovery key might be in that user’s Microsoft account.
  • On a printout: You may have printed your recovery key when BitLocker was enabled. Check where you keep important documents related to the computer.
  • On a USB flash drive: Plug the USB flash drive into your computer and follow the steps. If the key was saved as a text file on the flash drive, use a different computer to open the text file.
  • In the Azure Active Directory profile: If your device was ever signed in to an organisation using a school or work email account, your recovery key might be stored in that organisation’s Azure AD profile associated with the device. You might be able to access it from your device, or you may need to ask a system administrator for your recovery key.
  • Held by your system administrator: If your device is joined to a domain (usually a school or work device), ask your system administrator for your recovery key.

Que. How can I authenticate or unlock my removable data drive?

Answer: You can unlock removable data drives using a password or a smart card. You can also create a SID protector to unlock the drive using your domain credentials. After encryption has been activated, the drive can also be unlocked automatically on a particular computer for a particular user account. Administrators can configure which options are available to users, as well as the password complexity and length requirements. To unlock the drive using a SID protector, use Manage-bde:

Manage-bde -protectors -add e: -sid domain\username

Que. How can the recovery password and recovery key be stored?

Answer: The recovery password and the recovery key for an operating system drive or a fixed data drive can be saved to a file on any of your USB devices, saved to your Microsoft account, or printed.

For removable data drives, the recovery password and the recovery key can be saved to a folder, saved to your Microsoft account, or printed. By default, a recovery key for a removable drive cannot be stored on a removable drive.

Domain administrators can also configure Group Policy to generate recovery passwords automatically and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive.

Que. What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key?

Answer:  For tables that list and describe elements such as a recovery key, recovery password and PIN, see BitLocker key protectors and BitLocker authentication methods.

Que. If I lose my recovery information, will the BitLocker-protected data be unrecoverable?

Answer: BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.

Que. When should an additional method of authentication be considered?

Answer: New devices that meet Microsoft’s Windows Hardware Compatibility Program requirements make a PIN less important as a mitigation. A TPM-only protector is likely to be adequate when combined with policies such as device lockout.

For instance, Surface Pro and Surface Book do not come with external DMA ports that could be attacked. For older devices, where a PIN may be needed, it’s suggested to enable enhanced PINs that support non-numeric characters such as letters and punctuation marks, and to set the PIN length according to your risk tolerance and the anti-hammering features available to the TPMs in your computers.

Que. Can the USB flash drive that is used as the startup key also be used to store the recovery key?

Answer: Although this is technically possible, it is not a best practice to use a single USB flash drive to store both keys. If the USB flash drive that holds your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key causes your computer to boot automatically from the recovery key even if the files measured by the TPM have changed, which bypasses the TPM’s integrity check.

Que. Can I generate multiple PIN combinations?

Answer: You cannot generate multiple PIN combinations.

Que. What encryption keys are used in BitLocker? How do they work together?

Answer: Raw data is encrypted with the full volume encryption key, which is in turn encrypted with the volume master key. The volume master key is itself encrypted in one of several possible ways, depending on your authentication (that is, key protectors or TPM) and recovery scenarios.

Que. How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?

Answer: An attacker could discover a personal identification number (PIN) through a brute-force attack. A brute-force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is found.

For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires physical access to the system. The TPM is capable of recognizing and reacting to attacks of this kind.

Because TPMs from different manufacturers may support different PIN and attack mitigations, contact the manufacturer of your TPM to find out how your computer’s TPM mitigates PIN brute-force attacks.

Once you’ve determined the manufacturer of your TPM, contact the manufacturer to obtain the TPM’s vendor-specific information. Most manufacturers use the PIN authentication failure count to increase the lockout time for the PIN interface exponentially. However, each manufacturer has its own policies on how and when the failure counter is decreased or reset.

Que. Where are the encryption keys stored?

Answer: The full volume encryption key is encrypted with the volume master key and stored on the encrypted drive. The volume master key is then encrypted with the appropriate key protector and is also stored on the encrypted drive.

If BitLocker is suspended, the clear key used to decrypt the volume master key is also kept on the encrypted drive, along with the encrypted volume master key.

This storage method ensures that the volume master key is never stored in plain text and is protected until you disable BitLocker. The keys are also stored in two other places on the drive for redundancy. The keys can be read and processed by the boot manager.
