National security authorities recommend hard disk encryption as an effective measure for protecting data on desktop clients and notebooks in a corporate environment. Many companies use the BitLocker hard disk encryption provided by Microsoft. But what if you have forgotten your password when booting up, or hardware in the computer has been replaced and the system no longer starts? In that case the only thing that can help is the BitLocker recovery key; without it you will not be able to access your data. DriveLock BitLocker Management adds important security options that can help without exposing the recovery key and risking its misuse.
What is the BitLocker recovery key and what is it used for?
The recovery key is a 48-digit numeric password tied to a specific computer and is non-transferable. It is needed to unlock your computer if you, your administrator or the IT department has set up BitLocker hard disk encryption on it, and it can always unlock the hard disk – it is effectively the master key. The recovery key is required whenever the system cannot be unlocked during (pre-boot) authentication, for example when
- a user forgets their PIN or password when logging in, or
- after a hardware replacement or BIOS update, the system cannot confirm that the attempt to access the hard disk is authorized.
How do you find the BitLocker recovery key?
The recovery key should be securely stored or managed in a central location in organizations:
- In Microsoft Active Directory, along with the user/computer object, or
- In Azure Active Directory, for accounts that are located in the Azure cloud.
- Best solution: encrypted in the database managed by DriveLock (when DriveLock BitLocker Management is used).
Case Scenario: Password for BitLocker Decryption is Forgotten
If a user forgets their BitLocker PIN, a Windows dialog box appears after 3 failed attempts and asks for the user's recovery key.
In such a case, larger organizations usually require the user to notify an administrator who has permission to view the recovery key. The administrator can use Microsoft tools to display the key and send it to the user in encrypted form (e.g. by email to another device) or read it out over the phone. From a technical point of view, when a hard disk is encrypted with BitLocker, a so-called key protector is created. The recovery key is used to "unlock" this protector: if the user enters the recovery key, the protector is unlocked automatically and the hard drive is decrypted.
This recovery key is now known to the user, which is a security risk.
DriveLock BitLocker Management provides additional security
If an organization uses DriveLock BitLocker Management, in addition to centrally managing all security features in ONE management console, it gains the following advantages that provide additional security:
- When the administrator or an authorized person displays the recovery key in the DriveLock console, the DriveLock agent receives a command to replace the old key with a new one after the next boot. DriveLock automatically stores the new key centrally and securely in the DriveLock database.
- DriveLock BitLocker Management enables key changes at regular intervals (e.g. every 30/60/90 days). A new protector is generated at the set interval, which results in a corresponding new recovery key. The risk of an unauthorized person gaining access to the hard disk using a previously known recovery key is thus significantly reduced, because each key has a limited validity period.
- In the DriveLock Operations Center (DOC), the central interface for information, analysis and configuration activities in daily operations, the group of people who have access to the recovery key can be restricted. Unlike Microsoft's functionality, DriveLock allows you to revoke the right to view the recovery key from administrators who may otherwise have unrestricted global rights in Microsoft's tools. This also applies to DOC administrators.
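The key-rotation idea described above (retire a recovery key once it has been displayed, escrow the new one before the old one disappears) can also be reproduced with Microsoft's own BitLocker cmdlets. The following script is an added example, not DriveLock's code; it assumes an elevated PowerShell session on the client with the BitLocker module available, an already-protected volume, and that Active Directory backup of recovery passwords is permitted by policy (DriveLock would instead escrow the key into its own database).

```powershell
# Added example: rotate the BitLocker recovery password on a volume after the
# old one has been disclosed, and escrow the new one in AD DS before the old
# protector is removed. Assumes an elevated session and an AD DS joined client.
param(
    [string]$MountPoint = "C:"   # assumed: the OS volume
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    throw "BitLocker protection is not on for $MountPoint; refusing to rotate."
}

# Existing recovery-password protectors: these hold the 48-digit keys to retire.
$old = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

# 1. Add a fresh recovery-password protector first, so the volume is never left
#    without a recovery path if a later step fails.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$new = $vol.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and
    ($old.KeyProtectorId -notcontains $_.KeyProtectorId)
}

# 2. Escrow the new key centrally (AD DS here) before the old key is removed.
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null

# 3. Only now remove the disclosed protector(s). The volume stays encrypted;
#    only the recovery path changes.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# Report the protector ID only; the password itself stays in the escrow store.
Write-Output "Rotated recovery protector on $MountPoint. New protector ID: $($new.KeyProtectorId)"
```

Run it once after a recovery key has been handed out, or schedule it to approximate the interval-based rotation DriveLock performs automatically; the old 48-digit key stops working as soon as its protector is removed.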
More Convenience with DriveLock Pre-Boot Authentication (PBA)
When a company uses DriveLock's own Pre-Boot Authentication, there are additional benefits if the password is lost or forgotten:
- DriveLock uses a challenge-response authentication method for secure key issuance. The user submits a challenge code to the administrator or authorized person, who then generates the matching response in the form of an unlock code. The user enters this response to log on to the PBA.
The recovery key is not required for this process and is therefore never issued, which provides additional security.
- The DriveLock Self Service Portal allows users who cannot log in to BitLocker to retrieve the recovery key themselves and have it sent to them. An administrator is no longer needed to assist the user. This self-service is set up using the alternative, secure login methods available with DriveLock.