How Do You Want to Recover BitLocker-Protected Drives?
Applies To: Windows 7, Windows Server 2008 R2
A recovery method is used when a drive cannot be accessed by using the normal BitLocker unlock method. Unlock can fail on an operating system drive when a PIN is forgotten, a startup key is lost, or if the Trusted Platform Module (TPM) registers changes in the system components that it monitors before allowing the computer to start. For fixed and removable data drives, a recovery method is used when a password is forgotten or a smart card is lost. Consider the following situations when choosing which recovery methods your organization will support:
- Do you expect that users may need to recover information from drives when their computers are not connected to your domain; for instance, when a user is traveling?
- Is it acceptable to your organization that recovery access to a BitLocker-protected drive requires a user to be physically present at the computer?
- Do you want all users in your organization to be able to store their own recovery keys, or do you want your IT staff to be responsible for recovery key storage?
BitLocker recovery methods
The following table describes the recovery methods available for use with BitLocker.
Recovery method | Description | User configuration options
---|---|---
Recovery password (also known as a recovery key in the graphical user interface and numerical password in the Manage-bde command-line tool) | The recovery password is a 48-digit numerical password that can be backed up to Active Directory Domain Services (AD DS). It can also be printed or saved to a text file. | The password can be printed or saved to a file by the user. This functionality can be disabled by Group Policy.
Recovery key | The recovery key is a 256-bit key that can be saved to a USB flash drive. It is not available by default for removable data drives. It is Federal Information Processing Standard (FIPS) compliant. | The location in which to save the recovery key must be specified by the user.
Data recovery agent | The data recovery agent is a public key that is distributed to all BitLocker-protected devices as configured by Group Policy. It is FIPS compliant. | Data recovery agents cannot be configured by the user.
Each drive type for BitLocker can have different recovery methods configured for it. Multiple recovery solutions can be configured for a single drive type. The following table lists the advantages and disadvantages for each recovery method.
Recovery method | Advantages | Disadvantages
---|---|---
Recovery password | |
Recovery key | |
Data recovery agent | |
Choosing recovery methods
The following flow chart provides an overview of the different recovery methods and the criteria that should be considered when selecting a recovery method.
If you choose to support either the recovery password or the recovery key, you can use AD DS to store the recovery information. BitLocker integrates with AD DS to provide centralized key management for recovery information. When the recovery key methods are supported, users can print recovery information, save it to a file, or save it to a USB drive. However, this recovery information is not automatically provided to the system administrators by default, and no recovery information is backed up to AD DS. This means that being able to recover BitLocker-protected drives is solely the responsibility of the user. However, to be able to provide an administrative method to recover BitLocker-protected drives, you can configure Group Policy settings to enable the backup of BitLocker and TPM recovery information. Windows Server 2008 and Windows Server 2008 R2 include support for BitLocker recovery by default. If you are using domain controllers running Windows Server 2003, you must extend the schema first to provide storage locations in AD DS for BitLocker recovery data.
The following recovery data can be saved for each computer object:
Recovery password
A 48-digit recovery password used to recover a BitLocker-protected drive. Users enter this password to unlock a drive when BitLocker enters recovery mode.
Key package data
With this key package and the recovery password, you will be able to decrypt portions of a BitLocker-protected drive if the drive is severely damaged. Each key package will only work with the drive it was created on, which can be identified by the corresponding BitLocker identifier.
TPM owner password hash
When ownership of the TPM is taken as part of turning on BitLocker, a hash of the ownership password can be taken and stored in AD DS. This information can then be used to reset ownership of the TPM.
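The AD DS backup described above is only as reliable as the step that actually pushes each drive's recovery password to the computer object. The following PowerShell script is an added example, not part of the original guide or of Microsoft's own tooling: it uses the Manage-bde command-line tool named in the table above to check whether a drive has a numerical password (recovery password) protector, adds one if it is missing, and then backs that protector up to AD DS. It assumes an elevated prompt on a domain-joined Windows 7 or Windows Server 2008 R2 computer whose Group Policy permits AD DS backup, and it assumes the drive letter given in the `$Drive` parameter; the `Get-NumericalPasswordIds` helper is a name chosen for this example.

```powershell
# Added example (not from the original page): make sure a BitLocker-protected
# drive has a recovery password protector and back it up to AD DS.
# Assumptions: elevated prompt, domain-joined computer, Group Policy allows
# AD DS backup, English manage-bde output (the block labels are parsed).
param(
    [string]$Drive = 'C:'   # assumption: the drive letter to process
)

function Get-NumericalPasswordIds {
    param([string]$Volume)
    # Run 'manage-bde -protectors -get' and return the IDs of every
    # "Numerical Password:" protector block found in its output.
    $output = & manage-bde -protectors -get $Volume 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde could not read protectors for $Volume (exit $LASTEXITCODE): $output"
    }
    $ids = @()
    $inNumericalBlock = $false
    foreach ($line in $output) {
        $t = "$line".Trim()
        if ($t -match ':$' -and $t -notmatch '^ID:') {
            # Any label line such as "TPM:" or "Numerical Password:" starts a
            # protector block; only the numerical password block is of interest.
            $inNumericalBlock = ($t -eq 'Numerical Password:')
        } elseif ($inNumericalBlock -and $t -match '^ID:\s*(\{[0-9A-Fa-f-]+\})') {
            $ids += $Matches[1]
        }
    }
    return $ids
}

# Wrap in @() so a single ID or no ID at all still behaves as an array.
$ids = @(Get-NumericalPasswordIds -Volume $Drive)

if ($ids.Count -eq 0) {
    Write-Host "No recovery password protector on $Drive; adding one."
    & manage-bde -protectors -add $Drive -RecoveryPassword | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde failed to add a recovery password to $Drive (exit $LASTEXITCODE)"
    }
    $ids = @(Get-NumericalPasswordIds -Volume $Drive)
}

foreach ($id in $ids) {
    # -adbackup writes this protector's recovery password (and the key package,
    # if policy stores it) to the computer object in AD DS.
    & manage-bde -protectors -adbackup $Drive -id $id | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Host "Backed up recovery password protector $id for $Drive to AD DS."
    } else {
        Write-Warning ("AD DS backup of $id failed (exit $LASTEXITCODE); " +
            "check the BitLocker recovery Group Policy settings and domain connectivity.")
    }
}
```

Run it as `.\Backup-BitLockerRecovery.ps1 -Drive C:` from an elevated PowerShell prompt. The script parses the English labels that manage-bde prints, so on a localized system the `Numerical Password:` comparison needs to be adjusted; if the backup step fails, the usual causes are a Group Policy that does not enable AD DS backup for that drive type or a computer that is not currently able to reach a domain controller.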
By default, domain administrators are the only users that can access BitLocker recovery information stored in AD DS. When you plan your support process, define what parts of your organization need access to BitLocker recovery information. Use this information to define how the appropriate rights will be delegated in your AD DS environment.
As a best practice, we recommend that you enable storing of BitLocker recovery information and key packages in AD DS. For more information about Active Directory configuration and BitLocker recovery, see the following resources:
- BitLocker Drive Encryption Deployment Guide for Windows 7 (https://go.microsoft.com/fwlink/?LinkID=140286)
- Scenario 15: Using the BitLocker Active Directory Recovery Password Viewer to View Recovery Passwords (https://go.microsoft.com/fwlink/?LinkId=164405)
- Scenario 16: Using the BitLocker Repair Tool to Recover a Drive (https://go.microsoft.com/fwlink/?LinkID=164406)