Drive Encryption dangers

Started Jul 15, 2019 | Discussions
(unknown member) Senior Member • Posts: 2,064
Drive Encryption dangers

For those that encrypt their drives (especially when using BitLocker), make darn sure you not only get a decryption key (BitLocker Recovery Key), but that you know where it is, and have it backed up. I’d have sworn I backed my key up in my MS Account, but lo and behold… it’s not there.

Long story short, I did a BIOS update, which in turn caused the system to ask for my BitLocker key on bootup. Nothing new, and this wouldn’t have been an issue had I had my key. I didn’t, because it wasn’t where it should have been… backed up to my Microsoft Account; something I’ve done countless times in the past. Oddly enough, though, the key hadn’t been backed up to my MS Account.

That said, I saw a post online that says if you have a school account attached to your PC, the key may have gotten stored on the Azure Active Directory. Just checked my account and it’s not there either.

So now I have to wipe the drives in order to access them, and clean install Windows and all my programs. Luckily, though, I have an online backup solution that allows for continuous backups, so I won’t lose any critical files… just a lot of wasted time.

Bottom line, no matter the encryption method you use, double check you have a decryption key and you know where it is; else you’ll be required to wipe the drive (and data) in order to use it again. Assumptions get you headaches. Lesson learned.
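The check the post asks for, as an added example that is not part of the original thread: for every BitLocker-protected volume, confirm a numerical recovery password protector exists (a TPM-only volume has none), write a copy to a folder you control, read the copy back to verify it, and attempt escrow to Azure AD. It uses the real BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, BackupToAAD-BitLockerKeyProtector) and needs an elevated prompt on a Pro/Enterprise/Education edition; $BackupDir is an assumed path of your choosing and should be an unencrypted, off-machine location.

```powershell
# Added example (not from the thread): make sure each BitLocker volume has a
# recovery password, save and verify a copy, then escrow it to Azure AD.
# Assumes the BitLocker PowerShell module and an elevated prompt.
#Requires -RunAsAdministrator
$BackupDir = 'E:\BitLockerKeys'   # assumption: your own unencrypted removable drive
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($vol in Get-BitLockerVolume) {
    if ($vol.ProtectionStatus -ne 'On') {
        "{0}: protection is {1}, nothing to back up" -f $vol.MountPoint, $vol.ProtectionStatus
        continue
    }

    $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        # TPM-only volume: no recovery password exists, so a BIOS update or hardware
        # change would lock you out permanently. Add one before that happens.
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $vol.MountPoint
        $rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }

    foreach ($p in $rp) {
        # KeyProtectorId is a GUID in braces; the recovery screen shows it as the "Identifier".
        $id   = $p.KeyProtectorId.Trim('{', '}').ToUpper()
        $file = Join-Path $BackupDir ("BitLocker Recovery Key {0}.TXT" -f $id)

        # The same facts Windows' own "Save to a file" writes; the file name carries the
        # identifier so the right key can be picked out at the recovery prompt.
        @(
            "BitLocker recovery key for volume $($vol.MountPoint) on $env:COMPUTERNAME"
            "Identifier: $id"
            "Recovery Key: $($p.RecoveryPassword)"
        ) | Set-Content -Path $file -Encoding ASCII

        # Read the copy back: an unverified backup is exactly the situation the thread describes.
        if (-not (Select-String -Path $file -Pattern ([regex]::Escape($p.RecoveryPassword)) -Quiet)) {
            throw "Verification failed: $file does not contain the recovery password"
        }
        "Saved    $($vol.MountPoint) $id -> $file"

        # Escrow to Azure AD. Succeeds only on AAD-joined or AAD-registered devices; on
        # anything else the failure is reported and the verified local copy is what you rely on.
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            "Escrowed $($vol.MountPoint) $id to Azure AD"
        } catch {
            "Escrow   $($vol.MountPoint) $id to Azure AD failed: $($_.Exception.Message)"
        }
    }
}
```

Run it while the machine still boots normally, before a firmware update; after the escrow step, open the Microsoft account or Azure AD device page and confirm the identifier listed there matches the one in the saved file, since the script can only report what the cmdlet returned, not what the service stored.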

MOD Austinian Forum Pro • Posts: 14,200
Re: Drive Encryption dangers

My understanding of BitLocker is far from complete, but does this problem apply only to PCs that don't have a TPM?

refusenik Regular Member • Posts: 389
Re: Drive Encryption dangers

In a similar vein, I found that my MS Surface Pro 4's main drive came BitLocker encrypted and when I checked the recovery key and printed it, I found that the machine ID associated with the encryption wasn't the same as my Surface's actual machine id, so I guess the recovery key wouldn't have worked if I needed it. I've since decrypted the main drive but if I ever use BitLocker again, I'll be sure to double check the machine id registered with the encrypted disk.

The same could apply to any new Windows PC with BitLocker enabled - the lesson is: check that the machine id associated with the encryption key is the same as your machine id.

rb0321 Senior Member • Posts: 2,871
Re: Drive Encryption dangers

The drive on my new Surface Pro 6 also had Bitlocker turned on by default. I didn't realize it until I tried to change something and it asked me for a Bitlocker key. Luckily I was able to go into settings and simply turn BL off.

It was strange since I thought I remembered during the initial setup - it asked if I wanted it enabled and I clicked No.


www.flickr.com/photos/rb00321/

OP (unknown member) Senior Member • Posts: 2,064
Re: Drive Encryption dangers

Austinian wrote:

My understanding of BitLocker is far from complete, but does this problem apply only to PCs that don't have a TPM?

First there is no "problem" per se other than I simply lost my recovery key.

With that I'm not sure how to answer your question as I use both TPM and BitLocker.

OP (unknown member) Senior Member • Posts: 2,064
Re: Drive Encryption dangers

refusenik wrote:

The same could apply to any new Windows PC with BitLocker enabled - the lesson is: check that the machine id associated with the encryption key is the same as your machine id.

This is a custom built machine I did, so it was up to me to use BitLocker or not. It's not an automatic thing. Laptops usually come with BitLocker enabled for security reasons - stolen laptop for example.

refusenik wrote:

In a similar vein, I found that my MS Surface Pro 4's main drive came BitLocker encrypted and when I checked the recovery key and printed it, I found that the machine ID associated with the encryption wasn't the same as my Surface's actual machine id, so I guess the recovery key wouldn't have worked if I needed it.

Be aware that when you're asked for your BitLocker recovery key you'll be presented with an Identifier code which corresponds to the key you're looking for...

Old (no longer in use) BitLocker Recovery Key.

This is useful if you have many keys.
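Both refusenik's point (a printed key whose identifier does not belong to the machine) and the Identifier shown at the recovery prompt come down to one comparison, done here as an added example that is not part of the thread: read the saved key files, pull the GUID that Windows' "Save to a file" output places after "Identifier:", and match it against the recovery-password protectors actually present on the PC (run on the working machine ahead of time) or against the identifier typed in from the recovery screen (run on any other PC with the key files). $KeyDir and $PromptedId are assumed inputs; the regex and file layout are as Windows writes them.

```powershell
# Added example (not from the thread): match saved recovery-key files against the
# live protectors on this PC, and look up the Identifier the recovery screen shows.
param(
    [string]$KeyDir     = 'E:\BitLockerKeys',  # assumption: folder holding saved .TXT key files
    [string]$PromptedId = ''                   # assumption: identifier (or its first 8 chars) from the prompt
)
$guidRe = '[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}'

# Windows' saved key file carries the GUID on the line after "Identifier:".
$saved = foreach ($f in Get-ChildItem -Path $KeyDir -Filter '*.TXT' -File) {
    $text = Get-Content -Path $f.FullName -Raw
    $m = [regex]::Match($text, "Identifier:\s*($guidRe)", 'IgnoreCase')
    if ($m.Success) {
        [pscustomobject]@{ File = $f.Name; Identifier = $m.Groups[1].Value.ToUpper() }
    }
}

# Recovery-password protectors present on this machine (empty on a PC that is not the one in question).
$live = foreach ($vol in Get-BitLockerVolume) {
    foreach ($p in ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
        [pscustomobject]@{ Volume = $vol.MountPoint; Identifier = $p.KeyProtectorId.Trim('{', '}').ToUpper() }
    }
}

# 1. Every live protector needs a saved copy, and a saved file whose identifier matches
#    no live protector is a stale key: it will not unlock anything on this PC.
foreach ($l in $live) {
    $hit = $saved | Where-Object { $_.Identifier -eq $l.Identifier }
    if ($hit) { "OK       $($l.Volume) $($l.Identifier) -> $($hit.File)" }
    else      { "MISSING  $($l.Volume) $($l.Identifier) has no saved key file" }
}
foreach ($s in $saved) {
    if (-not ($live | Where-Object { $_.Identifier -eq $s.Identifier })) {
        "STALE    $($s.File) (identifier $($s.Identifier)) matches no volume on this PC"
    }
}

# 2. At the recovery screen, compare the start of the shown identifier with the saved ones.
if ($PromptedId) {
    $needle = $PromptedId.Trim('{', '}').ToUpper()
    $hits = @($saved | Where-Object { $_.Identifier.StartsWith($needle) })
    switch ($hits.Count) {
        0       { "No saved key file starts with $needle; this key was never backed up here" }
        1       { "Use the Recovery Key in $($hits[0].File)" }
        default { "Ambiguous prefix $needle; type more characters. Candidates: $($hits.File -join ', ')" }
    }
}
```

A STALE result is the Surface case described above: the file is a real recovery key, just not for this volume, so it should be treated as if no backup existed until a fresh one is saved.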

OP (unknown member) Senior Member • Posts: 2,064
Re: Drive Encryption dangers

rb0321 wrote:

The drive on my new Surface Pro 6 also had Bitlocker turned on by default. I didn't realize it until I tried to change something and it asked me for a Bitlocker key. Luckily I was able to go into settings and simply turn BL off.

I've seen instances where you can tell the PC to ignore the BL request (especially if it's NOT the OS drive) or there were minor hardware changes. However, a BIOS update would generate a BL request, especially if the BL drive is the OS drive. And you cannot boot until you supply the recovery key.

Also (as I just found out), if you created a recovery disk from a BL drive, it'll also need the recovery key to work.

It was strange since I thought I remembered during the initial setup - it asked if I wanted it enabled and I clicked No.

I've never seen that at all, and as noted earlier, I just did a complete reinstall of the OS.

BTW Microsoft will be of no help here and will tell you that if you've lost your recovery key you'll need to wipe the drive. Bottom line... Don't lose your recovery key!!!

rb0321 Senior Member • Posts: 2,871
Re: Drive Encryption dangers

sygnus21 wrote:

rb0321 wrote:

The drive on my new Surface Pro 6 also had Bitlocker turned on by default. I didn't realize it until I tried to change something and it asked me for a Bitlocker key. Luckily I was able to go into settings and simply turn BL off.

I've seen instances where you can tell the PC to ignore the BL request (especially if it's NOT the OS drive) or there were minor hardware changes. However, a BIOS update would generate a BL request, especially if the BL drive is the OS drive. And you cannot boot until you supply the recovery key.

Also (as I just found out), if you created a recovery disk from a BL drive, it'll also need the recovery key to work.

It was strange since I thought I remembered during the initial setup - it asked if I wanted it enabled and I clicked No.

I've never seen that at all, and as noted earlier, I just did a complete reinstall of the OS.

BTW Microsoft will be of no help here and will tell you that if you've lost your recovery key you'll need to wipe the drive. Bottom line... Don't lose your recovery key!!!

That definitely sucks and has gotta be frustrating!

The Surface Pro here was still on 1803 when I first powered it up, so it quickly went through two major system upgrades, and a BIOS upgrade, so it may have gotten turned on somewhere along the line.

It's not likely, but I suppose possible that I just clicked the wrong thing during setup. In any case I don't keep sensitive info on my internal drive so just leave BL off.


www.flickr.com/photos/rb00321/

MOD Austinian Forum Pro • Posts: 14,200
Re: Drive Encryption dangers

sygnus21 wrote:

Austinian wrote:

My understanding of BitLocker is far from complete, but does this problem apply only to PCs that don't have a TPM?

First there is no "problem" per se other than I simply lost my recovery key.

With that I'm not sure how to answer your question as I use both TPM and BitLocker.

Basically I'm wondering if it's possible to lose a key that's stored in the TPM.

OP (unknown member) Senior Member • Posts: 2,064
Re: Drive Encryption dangers

rb0321 wrote:

That definitely sucks and has gotta be frustrating!

The Surface Pro here was still on 1803 when I first powered it up, so it quickly went through two major system upgrades, and a BIOS upgrade, so it may have gotten turned on somewhere along the line.

Just looked this up, but yeah, Microsoft is doing something different with Surface Pros, so yeah, it's possible you had a setting asking for it to be enabled. Normally, though, BitLocker can only be enabled through the Control Panel... Device encryption in Windows 10

It's not likely, but I suppose possible that I just clicked the wrong thing during setup. In any case I don't keep sensitive info on my internal drive so just leave BL off.

It's not necessarily about sensitive info but more about keeping your data safe should your PC get stolen.

OP (unknown member) Senior Member • Posts: 2,064
Re: Drive Encryption dangers

Austinian wrote:

Basically I'm wondering if it's possible to lose a key that's stored in the TPM.

I'm not an expert here, but even if the key is installed in the TPM module you can't access it. And you certainly aren't accessing anything through Windows since you can't access a locked drive.

rb0321 Senior Member • Posts: 2,871
Re: Drive Encryption dangers

sygnus21 wrote:

rb0321 wrote:

That definitely sucks and has gotta be frustrating!

The Surface Pro here was still on 1803 when I first powered it up, so it quickly went through two major system upgrades, and a BIOS upgrade, so it may have gotten turned on somewhere along the line.

Just looked this up, but yeah, Microsoft is doing something different with Surface Pros, so yeah, it's possible you had a setting asking for it to be enabled. Normally, though, BitLocker can only be enabled through the Control Panel... Device encryption in Windows 10

It's interesting that the Surface Pro 6 with Win 10 Home has BitLocker capability at all. According to Microsoft online forums the version enabled on my device will only encrypt/decrypt the boot drive and nothing else, so not a full version anyway.

In any case I don't keep sensitive info on my internal drive so just leave BL off.

It's not necessarily about sensitive info but more about keeping your data safe should your PC get stolen.

Sure, understand.


www.flickr.com/photos/rb00321/

charleyd Senior Member • Posts: 1,282
Re: Drive Encryption dangers

Encrypting a hard drive is bad news. I was a tech in the early 80s when encryption for the general public was developed. I received many drives that had been encrypted and whose keys were lost. But the more devastating problem that cropped up continually was that the encryption process was corrupted at encryption time. So, even with the key, no joy. Exactly why I never encrypt a drive.

CAcreeks Forum Pro • Posts: 19,403
Re: Drive Encryption dangers

rb0321 wrote:

It's interesting that the Surface Pro 6 with Win 10 Home has BitLocker capability at all.

Yes. BitLocker is supposed to be on Pro and Enterprise editions only.

I was wondering about how to back up encrypted drives, and found this:

https://askleo.com/how-should-i-back-up-an-encrypted-hard-disk/

rb0321 Senior Member • Posts: 2,871
Re: Drive Encryption dangers

CAcreeks wrote:

rb0321 wrote:

It's interesting that the Surface Pro 6 with Win 10 Home has BitLocker capability at all.

Yes. BitLocker is supposed to be on Pro and Enterprise editions only.

That was my understanding too (and is still the case officially) but apparently MS makes it 'partly enabled' on at least some of their home grown units.


www.flickr.com/photos/rb00321/

MOD Austinian Forum Pro • Posts: 14,200
Re: Drive Encryption dangers

sygnus21 wrote:

Austinian wrote:

Basically I'm wondering if it's possible to lose a key that's stored in the TPM.

I'm not an expert here, but even if the key is installed in the TPM module you can't access it. And you certainly aren't accessing anything through Windows since you can't access a locked drive.

Looks like it's time for me to stop being lazy and Do The Research.

OP (unknown member) Senior Member • Posts: 2,064
Re: Drive Encryption dangers

Austinian wrote:

Looks like it's time for me to stop being lazy and Do The Research.

Before you go deep diving into whether we can access the key through TPM, I'll repeat the point of my post...

sygnus21 wrote:

Bottom line, no matter the encryption method you use, double check you have a decryption key and you know where it is; else you’ll be required to wipe the drive (and data) in order to use it again. Assumptions get you headaches. Lesson learned.

CAcreeks Forum Pro • Posts: 19,403
Re: Drive Encryption dangers

sygnus21 wrote:

Austinian wrote:

Looks like it's time for me to stop being lazy and Do The Research.

Before you go deep diving into whether we can access the key through TPM, I'll remind you of my point of the post...

sygnus21 wrote:

Bottom line, no matter the encryption method you use, double check you have a decryption key and you know where it is; else you’ll be required to wipe the drive (and data) in order to use it again. Assumptions get you headaches. Lesson learned.

My condolences.

Macrium Reflect v7 has support for unlocking BitLocker encrypted drives; however, perhaps you would have had to set up the BitLocker password beforehand. Go to page 140:

http://updates.macrium.com/reflect/v7/user_guide/macrium_reflect_v7_user_guide.pdf?src=sidebar

Many backup programs, including ones I use, decrypt data before sending to backup media.

MOD Austinian Forum Pro • Posts: 14,200
Re: Drive Encryption dangers

sygnus21 wrote:

Austinian wrote:

Looks like it's time for me to stop being lazy and Do The Research.

Before you go deep diving into whether we can access the key through TPM, I'll remind you of my point of the post...

sygnus21 wrote:

Bottom line, no matter the encryption method you use, double check you have a decryption key and you know where it is; else you’ll be required to wipe the drive (and data) in order to use it again. Assumptions get you headaches. Lesson learned.

Ah, that is indeed the point. Aside from the contents of TPM, I don't have the key. At the moment it exists only within the TPM.

The laptop drive is currently decrypted (and backed up, of course), so all is well and I'm in no hurry, but I plan to re-encrypt it before the next road trip. Key recovery looks easy, from this page I just found.

https://www.tenforums.com/tutorials/39732-backup-bitlocker-recovery-key-windows-10-a.html

but I never declare victory till the entire task is complete.

OP (unknown member) Senior Member • Posts: 2,064
Re: Drive Encryption dangers

Austinian wrote:

..., but I plan to re-encrypt it before the next road trip. Key recovery looks easy, from this page I just found.

https://www.tenforums.com/tutorials/39732-backup-bitlocker-recovery-key-windows-10-a.html

but I never declare victory till the entire task is complete.

Yeah, I'm familiar with the contents of that tutorial and believed I did back up the key. So there are two possibilities... I did back up the key to my MS Account and something went wrong, or I didn't and thus no key.

Anyway, the task is easy, but the encryption part can take a while, though you can still use the PC. I also didn't experience any slowdowns during or after encryption.
