BitLocker 101 Questions

Anonymous
2024-12-14T03:21:43+00:00

I need to encrypt my laptop, USB drives and some external drives. I don't want to encrypt a drive and find out at a later date that the data is no longer accessible. For example, we have all probably encrypted drives and, as time passes and equipment changes, we discover drives are no longer accessible.

Basic BitLocker questions are as follows.

Laptop system consists of 4 SSD drives. The OS and Programs are on one drive and the other drives contain data.

  1. I understand the BitLocker Key is saved in my Microsoft Account. Can I download the 48-digit key and delete the key in my Microsoft Account so it is protected if my account is breached?
  2. If my OS system goes south, I will be able to recover my data drives with the BitLocker Key or password. Is my understanding correct?
  3. If backups are made to external drives while running the backup program from a bootable USB drive, how long does it take to disable BitLocker?
  4. If the OS drive goes south, can the BitLocker Key be reinstalled, or do the data drives need to be unlocked and BitLocker reinstalled on all drives?
  5. Does the BitLocker key remain unchanged over the life of the OS? What would cause BitLocker to generate a new key?
  6. Is the BitLocker key for an external drive the same as the OS BitLocker Key?
  7. Is there a good reference site that outlines issues and resolutions associated with BitLocker?
  8. Is the 48-digit recovery key the same for all fixed and removable drives that were locked with the OS?
  9. Can a removable drive have its own 48-digit recovery key and password?
  10. Is the BitLocker drive password unique for each fixed and removable drive?



Locked question, migrated from the Microsoft Support Community; user profiles for migrated questions are anonymized.


2 answers

  1. Anonymous
    2024-12-16T08:04:55+00:00

    Hello wep1,

    Thank you for posting on the Microsoft Community Forums.

    BitLocker is a powerful tool for encrypting drives, but it's important to fully understand its functionality to avoid any data accessibility issues. Here are the answers to your questions:

    1. Downloading and Deleting the BitLocker Key:
      • Yes, you can download the 48-digit BitLocker Recovery Key. However, once it is deleted from your Microsoft account, you must store it securely elsewhere (e.g., physical printout, encrypted USB drive). If you lose this key, there will be no way to recover your encrypted data.
    2. Data Recovery with BitLocker Key:
      • Yes, your understanding is correct. Even if your OS goes south, you can access your data drives using the BitLocker Recovery Key or password. You can unlock the drives on another system using these keys.
    3. Disabling BitLocker for Backups:
      • Disabling BitLocker (decrypting the drive) can take considerable time depending on the drive size and speed. However, you don't need to disable it for backups. Instead, you can pause BitLocker or suspend protection temporarily, which is a quicker process.
    4. BitLocker Key Management with OS Issues:
      • If your OS drive fails, you can use the BitLocker Recovery Key to unlock the data drives on another system. BitLocker doesn't need to be reinstalled. You just need to ensure you can access your recovery keys.
    5. Stability of the BitLocker Key:
      • The BitLocker Recovery Key remains unchanged over the life of the OS unless you manually regenerate a new one or reset it. Situations that might require a new key generation include changes in hardware, TPM firmware updates, or manual key reset.
    6. BitLocker Keys for External Drives:
      • No, the BitLocker Recovery Key for an external drive is not the same as the OS drive key. Each drive encrypted with BitLocker gets its own unique recovery key.
    7. Reference Site for BitLocker Issues:
      • A good reference site for BitLocker issues and resolutions is the official Microsoft BitLocker documentation. You can find it on Microsoft's website under the support and security sections.
    8. Unique Recovery Key for Fixed and Removable Drives:
      • Yes, each fixed and removable drive locked with BitLocker can have its own 48-digit recovery key and password. Each drive is managed separately.
    9. Unique BitLocker Passwords:
      • Yes, each fixed and removable drive can have a unique BitLocker password. This allows for individual security management for each drive.

    By following these points, you can ensure that your encrypted data remains accessible and secure. Always keep multiple copies of recovery keys in secure locations to avoid data loss.

    Hope it helps.

    Best regards,

    Lei

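    As an added example that is not part of Lei's answer or of the original thread, the following PowerShell (run from an elevated session on Windows 11 Pro) makes the points in this answer concrete: the inventory shows that the OS volume and each data or removable volume carry their own protectors and their own 48-digit recovery password (answers 5, 6, 8 and 9), the export writes each recovery password to a file named after the key ID BitLocker displays at its recovery prompt (answer 1), and the backup wrapper uses Suspend-BitLocker and Resume-BitLocker rather than decrypting (answer 3). The export directory and the backup command are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Elevated PowerShell 5.1+ on Windows 11 Pro.
param(
    # Assumed export location; move or print the files and delete them afterwards.
    [string]$ExportDir = "$env:USERPROFILE\Desktop\BitLockerKeys"
)

function Get-BitLockerInventory {
    # One row per volume. Each volume lists its own protectors and its own
    # recovery-password protector IDs; nothing here is shared between drives.
    Get-BitLockerVolume | ForEach-Object {
        $rp = @($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType          # OperatingSystem or Data
            VolumeStatus     = $_.VolumeStatus        # FullyEncrypted, EncryptionInProgress, ...
            ProtectionStatus = $_.ProtectionStatus    # On, Off (Off while suspended)
            EncryptionMethod = $_.EncryptionMethod
            Protectors       = (@($_.KeyProtector.KeyProtectorType) -join ', ')
            RecoveryKeyIds   = (@($rp.KeyProtectorId) -join ', ')
            AutoUnlock       = $_.AutoUnlockEnabled
        }
    }
}

function Export-RecoveryPasswords {
    # One text file per recovery-password protector, named by volume and by the
    # key ID BitLocker shows at its recovery prompt, so a filed key can be
    # matched to the drive asking for it. Returns the files written.
    param([Parameter(Mandatory)][string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            $name = '{0}_{1}.txt' -f $vol.MountPoint.TrimEnd(':', '\'), $kp.KeyProtectorId.Trim('{', '}')
            $file = Join-Path -Path $Path -ChildPath $name
            @(
                "Volume:       $($vol.MountPoint) ($($vol.VolumeType))"
                "Protector ID: $($kp.KeyProtectorId)"
                "Recovery key: $($kp.RecoveryPassword)"
                "Exported:     $(Get-Date -Format o)"
            ) | Set-Content -Path $file -Encoding ASCII
            Get-Item -Path $file
        }
    }
}

function Invoke-BackupWithProtectionSuspended {
    # Suspend, do not decrypt: the data stays encrypted, but the volume key is
    # left readable on disk so the backup (or a TPM/firmware change) does not
    # throw the OS drive into recovery. RebootCount 0 keeps it suspended until
    # Resume-BitLocker runs, which the finally block guarantees.
    param(
        [string]$OsVolume = $env:SystemDrive,
        [Parameter(Mandatory)][scriptblock]$Backup
    )
    Suspend-BitLocker -MountPoint $OsVolume -RebootCount 0 | Out-Null
    try     { & $Backup }
    finally { Resume-BitLocker -MountPoint $OsVolume | Out-Null }
    (Get-BitLockerVolume -MountPoint $OsVolume).ProtectionStatus   # should read 'On' again
}

Get-BitLockerInventory | Format-Table -AutoSize
Export-RecoveryPasswords -Path $ExportDir | Select-Object -ExpandProperty FullName
# Invoke-BackupWithProtectionSuspended -Backup { & 'C:\Path\To\YourBackupTool.exe' }   # assumed tool
```

    Two caveats a practitioner would want: while protection is suspended the volume master key sits in the clear on the disk, so keep that window short and do not let the laptop leave your control during it; and an export written to the Desktop lives on the encrypted OS volume, which is exactly the drive that may fail, so move the files to paper or to another encrypted location and delete them. For the poster's scenario of booting a backup USB stick, Suspend-BitLocker with the default -RebootCount 1 resumes protection automatically after the next Windows start, which suits a single reboot cycle better than the indefinite suspension used inside the wrapper.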
  2. Anonymous
    2025-01-04T18:55:34+00:00

    Thank you for your reply. It is very informative. I have a follow up to my questions #3 and #5 and another question.

    Question #3

    I currently backup my internal computer drives with software from a leading software provider using a bootable external USB drive. The program on the bootable external USB drive is likely written in Linux, not that it matters. I also have an external drive connected to the computer to store the backup. If I backup a drive encrypted with BitLocker and reinstall the backup, will the drive be usable? The backup software has the option of making an image backup of the drive, which may be an alternative. In the past, I have been hesitant of making image backups.

    In the alternative, I could perform a backup while running Windows 11 Pro and back up to the external drive, so the backup file is encrypted by the third-party software. The external drive would not be encrypted with BitLocker but encrypted with the backup software using the same encryption method as BitLocker. This may be the better alternative for drive backups due to the fact that I could use the same password for the external drives. Best practice may necessitate disconnecting from the network while performing the backup.

    File explorer has the option of locking a file, folder or drive. Is that the same as being encrypted with BitLocker?

    Question #3a

    With respect to an external encrypted hard drive connected to the computer, at what point in time is the BitLocker password entered? Upon boot, is the password requested for the external drive? If the drive is connected after boot, is the password requested upon connection of the external drive? Can a network drive (used only by one computer) be protected by BitLocker? If so, ditto on entering the password.

    Question #5

    Once you install BitLocker, how do you know it is actually functioning properly with respect to all connected drives? Is there a key combination you can use to display the BitLocker status or is it displayed in file explorer. It was indicated that a change in hardware and TPM might affect BitLocker. Would there be a warning generated? If there is a change, would the internal drive password and key remain the same? In the event of a change, would you need to remove the drives from the system and use another computer to decrypt the drives, which could then be reinstalled and encrypted?

    Question #10

    It is my understanding that the laptop encryption key must be initially placed in my Microsoft account. However, I can delete the key from my account for personal security reasons, but I assume that the key can be resurrected for the benefit of a third party. Is that a correct understanding? How do you set the computer policy so that keys for external drives are not transmitted to my Microsoft account nor stored on my computer?

    Thank you

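    The follow-up's central worry (Question #5: how do you know BitLocker is actually working, and will the filed key still open the drive after a change) is best answered by rehearsing recovery before it is needed. As an added example that is not part of this thread, the PowerShell below (elevated session, Windows 11 Pro) gives a removable drive its own password protector and its own recovery password, independent of the OS drive (original questions 9 and 10, and Question #3a), waits for encryption to finish, and then locks the drive and reopens it using only the 48-digit key, returning $true only if that key really unlocks the data. The drive letter E: is an assumed removable data drive with no open files; the drive password is prompted for interactively.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Elevated PowerShell on Windows 11 Pro.
# $Drive is an assumed removable data drive with nothing open on it.
param([string]$Drive = 'E:')

function Protect-RemovableDrive {
    # Give the drive a password protector (asked for when the drive is attached)
    # and its own recovery password. Neither is related to the OS drive's TPM or
    # recovery protectors. Returns the drive's recovery-password protector(s).
    param([Parameter(Mandatory)][string]$MountPoint,
          [Parameter(Mandatory)][securestring]$Password)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password `
                         -EncryptionMethod XtsAes256 -UsedSpaceOnly | Out-Null
    }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    # Wait for the background conversion so the drill below locks a finished volume.
    while ((Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus -ne 'FullyEncrypted') {
        Start-Sleep -Seconds 5
    }
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object KeyProtectorId, RecoveryPassword
}

function Test-RecoveryKey {
    # Recovery drill: dismount and lock the volume, then reopen it using only the
    # 48-digit key you filed. $true means that key really unlocks the data.
    # Lock-BitLocker cannot be used on the OS volume; data volumes only.
    param([Parameter(Mandatory)][string]$MountPoint,
          [Parameter(Mandatory)][string]$RecoveryPassword)
    Lock-BitLocker -MountPoint $MountPoint -ForceDismount | Out-Null
    if ((Get-BitLockerVolume -MountPoint $MountPoint).LockStatus -ne 'Locked') { return $false }
    try {
        Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword -ErrorAction Stop | Out-Null
    } catch {
        Write-Warning "Unlock with the filed key failed: $_"
        return $false
    }
    return ((Get-BitLockerVolume -MountPoint $MountPoint).LockStatus -eq 'Unlocked')
}

$drivePassword = Read-Host -Prompt "Password for $Drive" -AsSecureString
$recovery = Protect-RemovableDrive -MountPoint $Drive -Password $drivePassword
$recovery | Format-List                      # file this; it belongs to $Drive only
$filedKey = ($recovery | Select-Object -First 1).RecoveryPassword
if (Test-RecoveryKey -MountPoint $Drive -RecoveryPassword $filedKey) {
    "Recovery key for $Drive verified"
} else {
    Write-Warning "Recovery key for $Drive did NOT unlock the drive; fix this before relying on it"
}
```

    Running Test-RecoveryKey from a second computer, with only the drive and the printed key, is the closest rehearsal of the "OS drive goes south" case the poster is worried about, since it proves the key alone suffices and that nothing on the original machine is needed. Volumes encrypted with XtsAes256 can only be unlocked on Windows 10 and later, which matters if a drive must also open on an older machine; Get-BitLockerVolume, used throughout, is also the answer to "how do I see the status of all connected drives", with ProtectionStatus reporting Off whenever protection is suspended.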