
BitLockerVolume -MountPoint C).KeyProtector I see multiple RecoveryPassword key protectors; how do I know which one is active?

If I pull the HDD and plug it into another machine it's going to ask me for one of those keys, but how do I know which key ID it will ask for?

Edit: So this is my concern: I know multiple keys can be active, but when prompted by Windows it asks for ONE SPECIFIC KEY ID.

So how do I know which key ID it will ask for, AND can I just give it any of the active keys on this screen? It's asking for a specific one; if I give it a different one, is it going to be cool with that?

red888

1 Answer

TL;DR

Any of the RecoveryPassword / Numerical Password type protectors will unlock the volume encryption key, and thus unlock the volume. In a BitLocker recovery scenario BitLocker will prompt for the key ID of the first RecoveryPassword / Numerical Password type protector that was added, and in the test outlined below the 48-digit password for the RecoveryPassword / Numerical Password protector key ID that was not requested was accepted.

EDIT: Tested on Windows 10 Build 1511 using an external USB drive with two Numerical Password / RecoveryPassword protectors and no other protectors (of any type) present. Windows prompts for a key ID; I entered the 48 digits for the other key ID and Windows unlocked the drive. Seemingly there are smarts under the hood that try all active Numerical Password / RecoveryPassword protectors when a 48-digit string is entered during recovery, not just the requested key ID. YMMV with other combinations / versions. Try it.

manage-bde.exe -protectors -get c: will list the active protectors (however many are present on the volume) and display the Numerical Password IDs and the 48-digit password(s).

Protectors can be removed using manage-bde.exe and Remove-BitLockerKeyProtector.

Additional Background

  • An AES128 symmetric encryption key is used to encrypt the volume itself. Changing this volume encryption key requires re-encrypting the entire volume.
  • BitLocker does not ever change the volume encryption key (unless BitLocker is disabled [not suspended] and then re-enabled). To protect the volume encryption key BitLocker adds layer(s) that protect it, called protectors (think encryption for the volume encryption key).
  • Various types of protectors exist. Any single protector can unlock the volume encryption key on its own.
  • The Numerical Password protector (according to manage-bde.exe) is also known as the RecoveryPassword (according to Get-BitLockerVolume): the same concept, just different nouns from different tools.
  • The Numerical Password / RecoveryPassword is the 48-digit number that is used during BitLocker recovery.
  • More than one protector of type Numerical Password / RecoveryPassword can be active on a volume.
Weaver
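The following PowerShell is an added example for the procedure the answer describes (listing the RecoveryPassword protectors, re-running the "enter the other 48-digit password" test on a data volume, and trimming the volume down to a single recovery password). It is not code from the question or the answer. It assumes the BitLocker module that ships with Windows 8 / Server 2012 and later, an elevated session, and a removable data volume (the test cannot lock the OS volume); the function names and the sample password are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the question or the answer above. Assumes the
# BitLocker PowerShell module (Windows 8 / Server 2012 and later) and an
# elevated session. Function names are hypothetical.

function Get-RecoveryPasswordProtector {
    <#
    .SYNOPSIS
    List every RecoveryPassword protector (manage-bde calls the same thing a
    "Numerical Password") on a volume, with the key ID Windows shows on the
    recovery screen and the 48-digit password that unlocks the volume.
    #>
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object KeyProtectorId, RecoveryPassword
}

function Test-RecoveryPasswordUnlock {
    <#
    .SYNOPSIS
    Reproduce the answer's test on a *data* volume (not the OS volume): lock
    it, then unlock it with a chosen 48-digit password, which need not be the
    one Windows would prompt for. Returns $true if the volume is unlocked.
    #>
    param(
        [Parameter(Mandatory)][string]$MountPoint,        # e.g. 'E:' for a USB drive
        [Parameter(Mandatory)][string]$RecoveryPassword   # 48 digits, dashes optional
    )

    Lock-BitLocker -MountPoint $MountPoint -ForceDismount | Out-Null
    $vol = Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword
    return ($vol.LockStatus -eq 'Unlocked')
}

function Reset-RecoveryPasswordProtector {
    <#
    .SYNOPSIS
    Leave exactly one RecoveryPassword protector on the volume: add a fresh one
    first, so the volume is never without a recovery protector, then remove the
    old ones. Supports -WhatIf so you can see which key IDs would go.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$MountPoint = 'C:')

    $old = @(Get-RecoveryPasswordProtector -MountPoint $MountPoint)

    # Add-BitLockerKeyProtector returns the updated BitLockerVolume object.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $new = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                       $_.KeyProtectorId -notin $old.KeyProtectorId }

    foreach ($p in $old) {
        if ($PSCmdlet.ShouldProcess("$MountPoint protector $($p.KeyProtectorId)",
                                    'Remove-BitLockerKeyProtector')) {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
    }

    # The surviving protector: store its password somewhere safe now.
    $new | Select-Object KeyProtectorId, RecoveryPassword
}

# Usage (the password below is a placeholder, not a real protector):
#   Get-RecoveryPasswordProtector -MountPoint 'C:'
#   Test-RecoveryPasswordUnlock -MountPoint 'E:' `
#       -RecoveryPassword '111111-222222-333333-444444-555555-666666-777777-888888'
#   Reset-RecoveryPasswordProtector -MountPoint 'C:' -WhatIf
```

Before running the reset for real, remember that the old key IDs may be the ones escrowed in Active Directory or Azure AD; escrow the new protector (for example with Backup-BitLockerKeyProtector) or record its password before removing the others, otherwise the volume can become unrecoverable.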