Having a recovery strategy helps ensure that users do not lose their data. Recovery is important on data drives in case a user forgets a password or loses a smart card. If data drives are configured for automatic unlocking, recovery is necessary if the auto-unlock key stored on the computer is lost, such as in the event of a hard disk failure or operating system reinstallation.
When used to protect an operating system drive of a computer with Trusted Platform Module (TPM) security hardware, BitLocker Drive Encryption will not allow the operating system to start if the TPM detects that core startup components have been tampered with. However, it is still important that authorized users be able to decrypt the data. To support this, BitLocker provides different recovery methods that can be used to regain access to BitLocker-protected operating system drives.
Besides a malicious attack, there are other scenarios that could require the recovery of a BitLocker-protected operating system drive. These might include:
- Moving the BitLocker-protected drive into a new computer.
- Upgrading the motherboard to a new one with a new TPM.
- Updating optional read-only memory (option ROM).
- Turning off, disabling, or clearing the TPM.
- Upgrading critical early startup components, such as a BIOS, that cause the TPM to fail validation.
- Forgetting the personal identification number (PIN) when PIN authentication has been enabled.
- Losing the USB flash drive containing the startup key when startup key authentication has been enabled.
By creating a plan for keeping track of the recovery methods available for each computer, you have the ability to recover data if you need to. By administratively controlling the use of recovery methods, you help prevent unauthorized people from gaining access to protected data.
Using Group Policy, an administrator can choose which recovery methods to require, disallow, or make optional for users who enable BitLocker through the BitLocker setup wizard. For instance, administrators can require that the recovery password for the operating system drive be stored in Active Directory Domain Services (AD DS). Through the same Group Policy settings, the administrator can also determine whether the recovery password can be saved to a file on disk, printed, or viewed as text, and whether the recovery key can be written to a USB flash drive. BitLocker can read the recovery key directly from a USB flash drive during recovery, or a user can type the recovery password; either method lets users regain access to the protected drive without administrator assistance.
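The following PowerShell script is an added example, not part of the original article or of Microsoft's own tooling. It uses the BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Backup-BitLockerKeyProtector) to audit which recovery protectors each volume carries and to escrow the recovery password in AD DS, which is the administrative control described above. It assumes a domain-joined computer, local administrator rights, and the BitLocker module that ships with Windows 8 / Windows Server 2012 and later; the registry value names in Get-BitLockerRecoveryPolicy are an assumption about how the "Choose how BitLocker-protected operating system drives can be recovered" policy is stored and should be checked against your own GPO.

```powershell
# Added example (not from the original article): audit recovery protectors on
# every BitLocker volume and escrow the recovery password in AD DS.
# Assumptions: BitLocker PowerShell module present, domain-joined machine,
# run from an elevated session.
#Requires -RunAsAdministrator

function Get-BitLockerRecoveryAudit {
    # One row per volume: which protector types exist and whether a 48-digit
    # recovery password is among them (the protector AD DS backup escrows).
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        [pscustomobject]@{
            MountPoint           = $vol.MountPoint
            VolumeType           = $vol.VolumeType        # OperatingSystem or Data
            ProtectionStatus     = $vol.ProtectionStatus
            Protectors           = ($vol.KeyProtector.KeyProtectorType -join ', ')
            HasRecoveryPassword  = ($recovery.Count -gt 0)
            RecoveryProtectorIds = @($recovery.KeyProtectorId)
        }
    }
}

function Backup-RecoveryPasswordsToAD {
    param([switch]$AddIfMissing)
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        if ($recovery.Count -eq 0) {
            if (-not $AddIfMissing) {
                Write-Warning "$($vol.MountPoint): no recovery password protector; nothing to escrow."
                continue
            }
            # Add a new recovery password protector; the cmdlet returns the
            # updated volume object, so re-read the protector list from it.
            $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
            $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        }
        foreach ($kp in $recovery) {
            # Stores the recovery password on the computer object in AD DS.
            # Fails (and stops the script) if the domain is unreachable or the
            # computer lacks permission to write its own recovery information.
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
            Write-Output "$($vol.MountPoint): escrowed protector $($kp.KeyProtectorId) to AD DS"
        }
    }
}

function Get-BitLockerRecoveryPolicy {
    # Assumption: these value names are where the OS-drive recovery policy
    # lands when applied by Group Policy. Verify against your GPO.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) {
        return 'No BitLocker recovery policy is applied to this computer.'
    }
    Get-ItemProperty -Path $key |
        Select-Object OSActiveDirectoryBackup, OSRequireActiveDirectoryBackup,
                      OSRecoveryPassword, OSRecoveryKey
}

Get-BitLockerRecoveryAudit | Format-Table -AutoSize
Get-BitLockerRecoveryPolicy
Backup-RecoveryPasswordsToAD -AddIfMissing
```

Run the audit first on its own to see which volumes lack a recovery password protector before passing -AddIfMissing; a volume whose only protectors are TPM or a startup key has no recovery path at all if that protector is lost, which is exactly the situation the scenarios above describe.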