Bitlocker recovery key insecure (?)
Hello, I'm just reflecting on the way that BitLocker handles recovery (not only in Windows 7 though). The use of a single static 48-digit recovery key seems really insecure. If a user gets locked out of his/her computer and calls the helpdesk to get the recovery key, what stops the user from just writing it down (to simplify things the next time he/she doesn't get access to the system)? We all know that users are not always smart when it comes to storing this kind of information (maybe on a post-it next to the computer). Have I got this all wrong? Does BitLocker reset the recovery key after each time it is used? Else it's a big security concern. The secure and proper way of dealing with recovery is through challenge/response, where the user doesn't get any information that could lead to security breaches in the future.
Cheers
April 2nd, 2009 11:18am

Hi MisterTWJ,
You are correct, there is nothing stopping someone from writing their code down; however, as best practice or process-wise, if someone rings up for the BitLocker key you could then decrypt and re-encrypt, subsequently generating a new key (which can be stored in AD), getting rid of the problem above. It's no different to a user sellotaping their password to their monitor :)
For more information on BitLocker, there are two good resources - one the BitLocker blog: http://blogs.technet.com/bitlocker/default.aspx
And the other BitLocker on TechNet: http://technet.microsoft.com/en-us/library/cc766200.aspx
HTH,
Justin
April 2nd, 2009 2:08pm

My worries have been confirmed :). Of course you could decrypt and re-encrypt as you said, but that seems kind of a big thing for a common task, but of course maybe the only secure way and therefore best practice. Regarding the sources, I think I'll go for the second one. The most recent post on the blog was back in 2006. Thanks for the answer.
April 2nd, 2009 3:01pm

You wouldn't necessarily need to decrypt, you'd simply secure it with a new key, no?
April 2nd, 2009 6:19pm

It's simple to change the PIN key / USB key, but can the machine recovery key be changed as easily? I have to do some more reading on this...
April 14th, 2009 10:36am
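The rotation step the thread converges on, a fresh recovery password added and the old one removed without decrypting the volume, as an added PowerShell example that is not part of the thread or of Microsoft's documentation. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later; Windows 7 of the original discussion only had the manage-bde tool), an elevated session on the machine, and that C: is the protected volume.

```powershell
# Added example (not from the thread): rotate a BitLocker recovery password
# after it has been read out to a user, without decrypting/re-encrypting.
# Assumptions: BitLocker PowerShell module present (Windows 8 / Server 2012+),
# elevated session, and C: as the mount point.
param(
    [string]$MountPoint = 'C:'
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    throw "BitLocker protection is not On for $MountPoint; refusing to rotate."
}

# Remember the existing 48-digit recovery password protector(s) by id.
$old = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

# 1. Add the new recovery password first so the volume is never without one.
$after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$newProt = $after.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Where-Object { $old.KeyProtectorId -notcontains $_.KeyProtectorId }

# 2. Escrow the new protector to Active Directory before touching the old one,
#    so the helpdesk can still recover the machine if this script is interrupted.
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $newProt.KeyProtectorId

# 3. Remove the protector(s) the user already knows; the value on the post-it
#    no longer unlocks anything.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
}

# Log only the protector id, never the recovery password itself.
Write-Output "Rotated recovery password on $MountPoint; new protector id $($newProt.KeyProtectorId)"
```

Run it as the closing step of the helpdesk recovery procedure; the user keeps access through the TPM/PIN protector, and only the escrowed copy of the new recovery password remains valid.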
