Bitlocker question


AshForeth (Member, 64 posts, OS: Windows 11 24H2)
I have some Bitlocker questions:
  1. How does Bitlocker use the TPM? Does it store the recovery key in the TPM? What if your machine does not have a TPM?
  2. What happens if the TPM fails and you are prompted for a recovery code? I notice that it would keep prompting me for the recovery code 3x and then display a recovery screen where it indicated automatic repair is not possible.
  3. When you enter the recovery code, does it actually decrypt the drive? The reason I ask is that after I am in the recovery screen I have the option of booting into safe mode. If the drive hasn't been decrypted, how can that even happen?
  4. What triggers the recovery code? This seems to happen a lot more often than on the other OS.
  5. Any tips for living with Bitlocker? I would like encryption but am a bit scared of being locked out. Currently I do daily backups and save the recovery code. Is there anything else I can do?
 

My Computers

System One System Two

  • OS
    Windows 11 24H2
    Computer type
    Laptop
    Manufacturer/Model
    ASUS ProArt P16
    CPU
    AMD Ryzen AI 9 HX 370 Processor 2.0GHz
    Motherboard
    N/A
    Memory
    64 Gb
    Graphics Card(s)
    NVIDIA® GeForce RTX 4070 Laptop GPU
    Sound Card
    N/A
    Monitor(s) Displays
    N/A
    Screen Resolution
    3840 x 2400
  • Operating System
    Windows 11 23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Built
    CPU
    AMD Ryzen 5 5600
    Motherboard
    MSI MS-7C56
    Memory
    32 Gb
    Graphics card(s)
    AMD RX6600
I have some Bitlocker questions:
  1. How does Bitlocker use the TPM? Does it store the recovery key in the TPM? What if your machine does not have a TPM?
  2. What happens if the TPM fails and you are prompted for a recovery code? I notice that it would keep prompting me for the recovery code 3x and then display a recovery screen where it indicated automatic repair is not possible.
  3. When you enter the recovery code, does it actually decrypt the drive? The reason I ask is that after I am in the recovery screen I have the option of booting into safe mode. If the drive hasn't been decrypted, how can that even happen?
  4. What triggers the recovery code? This seems to happen a lot more often than on the other OS.
  5. Any tips for living with Bitlocker? I would like encryption but am a bit scared of being locked out. Currently I do daily backups and save the recovery code. Is there anything else I can do?
1) The key is embedded somewhere on both drive and BIOS. I say that because you can actually move the drive to a different PC, and if you've got the recovery key, you can still access the drive. Been there, done that.

2) DO NOT LOSE YOUR RECOVERY KEY!!! If you lose your recovery key you will not be able to access the drive's contents and will be forced to wipe (reformat) the drive (and thus lose the contents) in order to use the drive again. Been there, done that :(

3) Not clear on this question - what do you mean you need to boot into "Safe Mode"?

4) Things like a BIOS change, a hardware change, even something done to the OS. Normally, the drive will automatically unlock when you boot into the PC (OS drive). For data drives using a password, there's an option to auto unlock when booting into the PC as well (to keep things simple).

5) If using a Microsoft Account to log into your PC, when setting up BitLocker you are asked where you want to store the key (it can't be stored on the encrypted drive). My suggestion is to store it in your Microsoft Account. This way you have it in a secure place when/if you need it. There are also other placement options (again, not on the encrypted drive), so wherever you store it, again, do not lose it.

Many will opine that resetting the TPM will erase the keys and allow access. No, it will not. Also, and obviously for security reasons, Microsoft will not provide any tools or help in recovering lost keys, so again, don't lose it. Been there, done that.

If you have further questions, please ask.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 24H2 (Build 26100.3476)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom built
    CPU
    Intel Core 9 Ultra
    Motherboard
    Gigabyte Aorus Z890 Xtreme AI Top
    Memory
    64G (4x16) DDR5 Corsair RGB Dominator Platinum (6400Mhz)
    Graphics Card(s)
    Radeon (XFX MERC 310) RX 7900XT
    Sound Card
    Onboard (ESS Sabre HiFi using Realtek drivers)
    Monitor(s) Displays
    27-inch Eizo Color Edge - CG2700X
    Screen Resolution
    3840 x 2160
    Hard Drives
    4 Samsung NVM 990 Pro drives: 1 X 1TB (OS) 2X TB, 1 X 1TB.
    PSU
    Seasonic TX-1300 (1300 Watts)
    Case
    Cooler Master H500M
    Cooling
    Corsair Link Titan 280 RX RGB
    Keyboard
    Logitech Craft
    Mouse
    Logitech MX Master 3
    Internet Speed
    1TB Download. 512mb Upload
    Browser
    Microsoft Edge Chromium
    Antivirus
    Windows Security
    Other Info
    System used for gaming, photography, music, school.
  • Operating System
    Windows 11 Pro 23H2 (Build 22631.4391)
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo ThinkPad X1 Carbon (Gen 12)
    CPU
    Intel Core Ultra 7 165U vPro® Processor
    Motherboard
    Vendor
    Memory
    32 GB LPDDR5X-6400MHz (Soldered)
    Graphics card(s)
    Intel Graphics
    Sound Card
    Onboard
    Monitor(s) Displays
    14" 2.8K OLED, Anti Reflection, Touch, HDR 500, 400 nits, 120Hz
    Screen Resolution
    2880 x 1800
    Hard Drives
    1 TB SSD M.2 2280 PCIe Gen4 Performance TLC Opal
    PSU
    Vendor
    Case
    Lenovo
    Cooling
    Vapor Chamber Cooling
    Mouse
    Touchpad: Haptic Touchpad
    Keyboard
    Backlit, Black with Fingerprint Reader and WWAN
    Internet Speed
    100MB
    Browser
    Edge Chromium
    Antivirus
    Windows Security
    Other Info
    202. Build Your Own laptop.
    vPro Certified Model: vPro Enterprise
I assume when you say recovery key you mean the one saved to the MS account? That particular key is saved to both the NAS and the password manager, and both are backed up and have off-site backup. I think we are good on that one. I guess my fear is that it will change without me knowing due to a configuration change.

If the TPM is erased, can you use the recovery key in your MS account to recover?

As for the safe mode, this is based on the issue I encountered recently.
  1. The laptop boots with a prompt for the Bitlocker recovery key. The system indicates that it cannot read from the TPM.
  2. I enter the recovery key, the laptop restarts and prompts for the recovery key again, warning again that it can't read from the TPM.
  3. I enter the recovery key, the laptop restarts and prompts for the recovery key again, warning again that it can't read from the TPM.
  4. After the recovery key entry, Windows no longer boots into the recovery key prompt but goes into the Windows recovery mode. Windows informed me that it is doing automatic repairs but fails. Windows goes into recovery mode if it fails to boot 3 times.
At this point, I notice that in the recovery mode, I can go into the command line or boot to safe mode. While in safe mode or the command line I can access the drive's contents, which means it is decrypted. I am just wondering: if you enter the recovery key, do the drives get decrypted and stay that way?
 

The recovery key unlocks the drive. It does not decrypt the contents.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 24H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC12WSHi7
    CPU
    12th Gen Intel Core i7-1260P, 2100 MHz
    Motherboard
    NUC12WSBi7
    Memory
    64 GB
    Graphics Card(s)
    Intel Iris Xe
    Sound Card
    built-in Realtek HD audio
    Monitor(s) Displays
    Dell U3219Q
    Screen Resolution
    3840x2160 @ 60Hz
    Hard Drives
    Samsung SSD 990 PRO 1TB
    Keyboard
    CODE 104-Key Mechanical with Cherry MX Clears
    Antivirus
    Microsoft Defender
  • Operating System
    Linux Mint 21.2 (Cinnamon)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC8i5BEH
    CPU
    Intel Core i5-8259U CPU @ 2.30GHz
    Memory
    32 GB
    Graphics card(s)
    Iris Plus 655
    Keyboard
    CODE 104-Key Mechanical with Cherry MX Clears
The recovery key unlocks the drive. It does not decrypt the contents.

Is the decryption key stored in the TPM? If the TPM fails, then the recovery key won't help because all it does is unlock the drive but not decrypt it?
 

The TPM does not have the keys.

The contents of the drive, the actual bits and bytes, are encrypted with a full volume encryption key (FVEK).

The FVEK is secured by encrypting it with a Volume Master Key (VMK). This is so you can change the VMK if it gets compromised, without having to decrypt and encrypt the entire disk.

The VMK is further protected by Key Protectors (KPs). Key protectors are things like the TPM or a password. So, you can change those or lose them or whatever, and still unlock your drive, as long as you still have one method to access the VMK… a recovery key for example. If you lose all your KPs, e.g. the TPM blows up and the dog eats your recovery key, you have no access to the VMK, so no way to unlock the drive.
 

I assume when you say recovery key you mean the one saved to the MS account? That particular key is saved to both the NAS and the password manager, and both are backed up and have off-site backup. I think we are good on that one. I guess my fear is that it will change without me knowing due to a configuration change.
As I said, you can choose to save wherever (except the encrypted drive), but I STILL recommend you save it to your Microsoft account as well. Nothing preventing you from saving it to multiple places ;-)

If the TPM is erased, can you use the recovery key in your MS account to recover?
If you read my post, on your first #1) I stated "you can actually move the drive to a different PC, and if you've got the recovery key, you can still access the drive. Been there, done that". So that says (means) the key is somehow also embedded on the drive. I have no answers to the hows and whys; I just know from doing this that it works. That said, best to keep the drive with the original drive in case something has changed.

As for the safe mode, this is based on the issue I encountered recently.
  1. The laptop boots with a prompt for the Bitlocker recovery key. The system indicates that it cannot read from the TPM.
  2. I enter the recovery key, the laptop restarts and prompts for the recovery key again, warning again that it can't read from the TPM.
  3. I enter the recovery key, the laptop restarts and prompts for the recovery key again, warning again that it can't read from the TPM.
  4. After the recovery key entry, Windows no longer boots into the recovery key prompt but goes into the Windows recovery mode. Windows informed me that it is doing automatic repairs but fails. Windows goes into recovery mode if it fails to boot 3 times.
If you're getting a "cannot read from TPM" notice there's an issue. What/why, I don't know. Have you messed with the settings... did a reset?

My advice is to never reset the credential of the TPM on an active machine. Some may differ, so.... Microsoft also doesn't recommend unless absolutely required for security reasons. All that said, regarding this question....
At this point, I notice that in the recovery mode, I can go into the command line or boot to safe mode. While in safe mode or the command line I can access the drive's contents, which means it is decrypted. I am just wondering: if you enter the recovery key, do the drives get decrypted and stay that way?
@pseymour has answered your question - The recovery key unlocks the drive. The data itself is not encrypted, just the drive.
 

The TPM does not have the keys.

The contents of the drive, the actual bits and bytes, are encrypted with a full volume encryption key (FVEK).

The FVEK is secured by encrypting it with a Volume Master Key (VMK). This is so you can change the VMK if it gets compromised, without having to decrypt and encrypt the entire disk.

The VMK is further protected by Key Protectors (KPs). Key protectors are things like the TPM or a password. So, you can change those or lose them or whatever, and still unlock your drive, as long as you still have one method to access the VMK… a recovery key for example. If you lose all your KPs, e.g. the TPM blows up and the dog eats your recovery key, you have no access to the VMK, so no way to unlock the drive.

So let me see if I understand this properly.
  • Full Volume Encryption Key (FVEK) handles the encryption and decryption of the data.
  • Volume Master Key (VMK) handles the encryption and decryption of the FVEK, allowing the FVEK to be stored on the encrypted volume.
  • Key protector (KP) protects the VMK by encrypting its own copy of the VMK, which is stored on disk. You would have separate copies for the TPM and the recovery key.
So in the scenario I listed in my post, I indicated that I was able to access my laptop in safe mode even though I did not enter a recovery key and it couldn't access the TPM. Is the reason that when I enter the recovery key, Windows decrypts the drive?
 

You’re mostly correct. The drive does not get decrypted, it gets unlocked. The contents are still encrypted, but you can see them.
 

The data is decrypted on the fly, but only in memory, with the FVEK, which is a symmetric key. Symmetric encryption is much faster. That is part of the reason for the dual keys, VMK and FVEK.
 

My Computer

System One

  • OS
    Windows 11
You’re mostly correct. The drive does not get decrypted, it gets unlocked. The contents are still encrypted, but you can see them.
So you can view the file directory but the file is still encrypted?
 

So you can view the file directory but the file is still encrypted?
No. Bitlocker encrypts the entire volume, including the directory structure, filenames, file metadata, everything. When you unlock a volume, Bitlocker presents the volume to you as if it were unencrypted without writing unencrypted data back to the volume; it does everything on the fly, as needed, and the data on the drive remains encrypted.

I don't know what you observed in Safe Mode. My PCs either use TPM plus another protector like a USB key or a password if they lack a TPM. Windows is unable to unlock the system drives unless I provide the correct protectors when I boot, assuming protection hasn't been suspended. Safe Mode has no special powers in this respect.
 

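The key hierarchy pseymour describes (data under the FVEK, the FVEK wrapped by the VMK, the VMK wrapped separately under each key protector), the earlier answer that a BIOS or hardware change is what sends a machine to the recovery prompt, and the point that an unlocked volume is only ever decrypted in memory, walked through as an added Python model. This is example code written for this thread, not BitLocker's own code or on-disk format: the names (`Volume`, `unlock`, `tpm_protector_key`, `recovery_password_key`, `demo`), the boot measurements and the all-zero recovery password are constructed, and a SHA-256 counter keystream plus an HMAC tag stands in for AES so that a wrong protector is rejected rather than producing garbage.

```python
"""Toy model of the BitLocker key hierarchy discussed in this thread.
Stand-in primitives only: SHA-256 keystream + HMAC tag instead of AES.
Illustration written for the thread, not BitLocker's real format."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream made of SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(out[:length])


def wrap(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Inverse of wrap(); raises ValueError when the key is wrong."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("protector did not yield the wrapped key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def tpm_protector_key(boot_measurements: list) -> bytes:
    """Models a TPM-sealed protector: the unseal key is only reproducible
    when the boot chain measures exactly as it did at sealing time."""
    digest = hashlib.sha256()
    for component in boot_measurements:
        digest.update(hashlib.sha256(component).digest())
    return digest.digest()


def recovery_password_key(password: str) -> bytes:
    """Models the recovery-password protector (a real system stretches it with a KDF)."""
    return hashlib.sha256(password.replace("-", "").encode()).digest()


class Volume:
    """What lives on disk: wrapped keys and ciphertext sectors, never plaintext keys."""
    def __init__(self, protector_keys: dict):
        fvek, vmk = os.urandom(32), os.urandom(32)
        self.wrapped_fvek = wrap(vmk, os.urandom(NONCE_LEN), fvek)
        self.protectors = {name: wrap(k, os.urandom(NONCE_LEN), vmk)
                           for name, k in protector_keys.items()}
        self.disk = {}  # sector index -> ciphertext


class UnlockedVolume:
    """Holds the FVEK in memory only; reads and writes are translated on the fly."""
    def __init__(self, volume: Volume, fvek: bytes):
        self.volume, self.fvek = volume, fvek

    def write(self, sector: int, data: bytes) -> None:
        self.volume.disk[sector] = wrap(self.fvek, sector.to_bytes(NONCE_LEN, "big"), data)

    def read(self, sector: int) -> bytes:
        return unwrap(self.fvek, self.volume.disk[sector])


def unlock(volume: Volume, protector: str, protector_key: bytes) -> UnlockedVolume:
    """Any one valid protector -> VMK -> FVEK. Nothing on disk is rewritten."""
    vmk = unwrap(protector_key, volume.protectors[protector])
    return UnlockedVolume(volume, unwrap(vmk, volume.wrapped_fvek))


def demo() -> dict:
    """Runs the thread's scenarios against the model and reports the outcomes."""
    good_boot = [b"firmware 1.0", b"bootmgr"]  # constructed boot measurements
    recovery = "000000-000000-000000-000000-000000-000000-000000-000000"  # placeholder
    vol = Volume({"tpm": tpm_protector_key(good_boot),
                  "recovery": recovery_password_key(recovery)})
    secret = b"constructed user data in sector 0"
    results = {}
    normal = unlock(vol, "tpm", tpm_protector_key(good_boot))  # silent TPM unlock
    normal.write(0, secret)
    on_disk = vol.disk[0]
    results["tpm_boot_reads_plaintext"] = normal.read(0) == secret
    results["disk_holds_ciphertext"] = secret not in on_disk
    # A firmware update changes a measurement, so the TPM protector no longer opens.
    changed_boot = [b"firmware 1.1", b"bootmgr"]
    try:
        unlock(vol, "tpm", tpm_protector_key(changed_boot))
        results["after_firmware_change"] = "silent unlock"
    except ValueError:
        results["after_firmware_change"] = "recovery prompt"
    # The recovery password is a second path to the same VMK; the disk is untouched.
    rec = unlock(vol, "recovery", recovery_password_key(recovery))
    results["recovery_reads_plaintext"] = rec.read(0) == secret
    results["disk_unchanged_by_recovery"] = vol.disk[0] == on_disk
    # Failed TPM plus a lost recovery protector: no path to the VMK remains.
    del vol.protectors["recovery"]
    try:
        unlock(vol, "recovery", recovery_password_key(recovery))
        results["all_protectors_lost"] = "still unlocks"
    except (KeyError, ValueError):
        results["all_protectors_lost"] = "data unreachable"
    return results
```

Running `demo()` shows the three facts the thread converges on: a changed measurement turns a silent TPM unlock into a recovery prompt, the recovery password reaches the same VMK without rewriting a single sector, and once no protector can be opened the FVEK, and with it the data, is simply unreachable.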
No. Bitlocker encrypts the entire volume, including the directory structure, filenames, file metadata, everything. When you unlock a volume, Bitlocker presents the volume to you as if it were unencrypted without writing unencrypted data back to the volume; it does everything on the fly, as needed, and the data on the drive remains encrypted.

I don't know what you observed in Safe Mode. My PCs either use TPM plus another protector like a USB key or a password if they lack a TPM. Windows is unable to unlock the system drives unless I provide the correct protectors when I boot, assuming protection hasn't been suspended. Safe Mode has no special powers in this respect.
Ok, I think I got it. So being unlocked allows someone to view encrypted content. I am thinking that the laptop has a TPM-only policy, so when the TPM malfunctions, the system prompts me for a recovery key but doesn't let me boot normally. If I enter the key 3 times, it starts booting into recovery mode without prompting for the recovery key. I am guessing that Windows leaves the volume unlocked but only allows booting into safe mode. This is why I can access the files in safe mode without entering the recovery key.
 

