Mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git, synced 2025-05-13 22:07:22 +00:00

split key mgmt FAQ

parent 4317cf9976, commit 24fae1c96e
@ -0,0 +1,86 @@
|
||||
---
|
||||
title: BitLocker frequently asked questions (FAQ) (Windows 10)
|
||||
description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
|
||||
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
localizationpriority: high
|
||||
author: brianlic-msft
|
||||
ms.date: 04/03/2018
|
||||
---
|
||||
|
||||
# BitLocker Deployment and Administration FAQ
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
## Can BitLocker deployment be automated in an enterprise environment?
|
||||
|
||||
Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](https://go.microsoft.com/fwlink/p/?LinkId=80600). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/bitlocker/index?view=win10-ps).
|
||||
|
||||
## Can BitLocker encrypt more than just the operating system drive?
|
||||
|
||||
Yes.
|
||||
|
||||
## Is there a noticeable performance impact when BitLocker is enabled on a computer?
|
||||
|
||||
Generally it imposes a single-digit percentage performance overhead.
|
||||
|
||||
## How long will initial encryption take when BitLocker is turned on?
|
||||
|
||||
Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set encryption to occur during times when you will not be using the drive.
|
||||
|
||||
You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.
|
||||
|
||||
## What happens if the computer is turned off during encryption or decryption?
|
||||
|
||||
If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable.
|
||||
|
||||
## Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?
|
||||
|
||||
No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.
|
||||
|
||||
## How can I prevent users on a network from storing data on an unencrypted drive?
|
||||
|
||||
You can can Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
|
||||
When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only.
|
||||
|
||||
## What system changes would cause the integrity check on my operating system drive to fail?
|
||||
|
||||
The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:
|
||||
|
||||
- Moving the BitLocker-protected drive into a new computer.
|
||||
- Installing a new motherboard with a new TPM.
|
||||
- Turning off, disabling, or clearing the TPM.
|
||||
- Changing any boot configuration settings.
|
||||
- Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
|
||||
|
||||
## What causes BitLocker to start into recovery mode when attempting to start the operating system drive?
|
||||
|
||||
Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode.
|
||||
For example:
|
||||
|
||||
- Changing the BIOS boot order to boot another drive in advance of the hard drive.
|
||||
- Adding or removing hardware, such as inserting a new card in the computer, including some PCMIA wireless cards.
|
||||
- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
|
||||
|
||||
In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password.
|
||||
The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
|
||||
|
||||
## Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
|
||||
|
||||
Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
|
||||
|
||||
## Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
|
||||
|
||||
Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.
|
||||
|
||||
## Why is "Turn BitLocker on" not available when I right-click a drive?
|
||||
Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted.
|
||||
|
||||
## What type of disk configurations are supported by BitLocker?
|
||||
Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported.
|
||||
|
||||
|
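Review bot: the front matter of this new file is copied unchanged from the parent FAQ, so `title: BitLocker frequently asked questions (FAQ) (Windows 10)` does not match the page's own `# BitLocker Deployment and Administration FAQ` heading, the `description:` still describes the combined topic, and `ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee` is the parent's ID, which will now be shared by more than one topic; give this page its own title, description and assetid. The new H2 headings also drop the `<a href="" id="bkmk-...">` anchors the original sections carried (`bkmk-automate`, `bkmk-dataunencryptpart`, `bkmk-integrityfail` and so on), so any inbound `#bkmk-` deep links into the parent FAQ stop resolving; either keep the ids on the headings or sweep the repo for links to them. Since the text is being moved anyway, fix the typos carried over verbatim: "You can can Group Policy settings" (probably "You can use Group Policy settings"), "encrypting just the used spaced", "PCMIA wireless cards" (PCMCIA), and "On some versions ATA and SATA-based, direct-attached storage devices", which needs a comma after "versions".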
@ -21,8 +21,8 @@ This topic for the IT professional answers frequently asked questions concerning
|
||||
BitLocker is a data protection feature that encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned as it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
|
||||
|
||||
- [Overview and requirements](bitlocker-overview-and-requirements-faq.md)
|
||||
- [Upgrading](#bkmk-upgrading)
|
||||
- [Deployment and administration](#bkmk-deploy)
|
||||
- [Upgrading](bitlocker-upgrading-faq.md)
|
||||
- [Deployment and administration](bitlocker-deployment-and-administration-faq.md)
|
||||
- [Key management](#bkmk-keymanagement)
|
||||
- [BitLocker To Go](#bkmk-btgsect)
|
||||
- [Active Directory Domain Services (AD DS)](#bkmk-adds)
|
||||
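Review bot: the link list is only half updated. `- [Upgrading](#bkmk-upgrading)` and `- [Deployment and administration](#bkmk-deploy)` are replaced by links to `bitlocker-upgrading-faq.md` and `bitlocker-deployment-and-administration-faq.md`, but `- [Key management](#bkmk-keymanagement)` is left pointing at an in-page anchor even though this same commit (titled "split key mgmt FAQ") removes the `## <a href="" id="bkmk-keymanagement"></a>Key management` section from this file and creates `bitlocker-key-management-faq.md`; change it to `- [Key management](bitlocker-key-management-faq.md)` or the entry becomes a dead link. After that change only the BitLocker To Go and AD DS entries remain as in-page anchors, which matches the sections the file still contains.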
@ -32,193 +32,6 @@ BitLocker is a data protection feature that encrypts the hard drives on your com
|
||||
|
||||
|
||||
|
||||
## <a href="" id="bkmk-upgrading"></a>Upgrading
|
||||
|
||||
### <a href="" id="bkmk-upgradev27"></a>Can I upgrade to Windows 10 with BitLocker enabled?
|
||||
|
||||
Yes.
|
||||
|
||||
### <a href="" id="bkmk-disabledecrypt"></a>What is the difference between suspending and decrypting BitLocker?
|
||||
|
||||
**Decrypt** completely removes BitLocker protection and fully decrypts the drive.
|
||||
|
||||
**Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
|
||||
|
||||
### <a href="" id="bkmk-decryptfirst"></a>Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades?
|
||||
|
||||
No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start).
|
||||
Users need to suspend BitLocker for Non-Microsoft software updates, such as:
|
||||
|
||||
- Computer manufacturer firmware updates
|
||||
- TPM firmware updates
|
||||
- Non-Microsoft application updates that modify boot components
|
||||
|
||||
> **Note:** If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
|
||||
|
||||
## <a href="" id="bkmk-deploy"></a>Deployment and administration
|
||||
|
||||
### <a href="" id="bkmk-automate"></a>Can BitLocker deployment be automated in an enterprise environment?
|
||||
|
||||
Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](https://go.microsoft.com/fwlink/p/?LinkId=80600). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj649829.aspx).
|
||||
|
||||
### <a href="" id="bkmk-os"></a>Can BitLocker encrypt more than just the operating system drive?
|
||||
|
||||
Yes.
|
||||
|
||||
### <a href="" id="bkmk-performance"></a>Is there a noticeable performance impact when BitLocker is enabled on a computer?
|
||||
|
||||
Generally it imposes a single-digit percentage performance overhead.
|
||||
|
||||
### <a href="" id="bkmk-longencrypt"></a>How long will initial encryption take when BitLocker is turned on?
|
||||
|
||||
Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set encryption to occur during times when you will not be using the drive.
|
||||
|
||||
You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.
|
||||
|
||||
### <a href="" id="bkmk-turnoff"></a>What happens if the computer is turned off during encryption or decryption?
|
||||
|
||||
If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable.
|
||||
|
||||
### <a href="" id="bkmk-entiredisk"></a>Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?
|
||||
|
||||
No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.
|
||||
|
||||
### <a href="" id="bkmk-dataunencryptpart"></a>How can I prevent users on a network from storing data on an unencrypted drive?
|
||||
|
||||
You can can Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
|
||||
When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only.
|
||||
|
||||
### <a href="" id="bkmk-integrityfail"></a>What system changes would cause the integrity check on my operating system drive to fail?
|
||||
|
||||
The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:
|
||||
|
||||
- Moving the BitLocker-protected drive into a new computer.
|
||||
- Installing a new motherboard with a new TPM.
|
||||
- Turning off, disabling, or clearing the TPM.
|
||||
- Changing any boot configuration settings.
|
||||
- Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
|
||||
|
||||
### <a href="" id="bkmk-examplesosrec"></a>What causes BitLocker to start into recovery mode when attempting to start the operating system drive?
|
||||
|
||||
Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode.
|
||||
For example:
|
||||
|
||||
- Changing the BIOS boot order to boot another drive in advance of the hard drive.
|
||||
- Adding or removing hardware, such as inserting a new card in the computer, including some PCMIA wireless cards.
|
||||
- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
|
||||
|
||||
In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password.
|
||||
The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
|
||||
|
||||
### <a href="" id="bkmk-driveswap"></a>Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
|
||||
|
||||
Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
|
||||
|
||||
### <a href="" id="bkmk-altpc"></a>Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
|
||||
|
||||
Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.
|
||||
|
||||
### <a href="" id="bkmk-noturnon"></a>Why is "Turn BitLocker on" not available when I right-click a drive?
|
||||
Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted.
|
||||
|
||||
### <a href="" id="bkmk-r2disks"></a>What type of disk configurations are supported by BitLocker?
|
||||
Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported.
|
||||
|
||||
## <a href="" id="bkmk-keymanagement"></a>Key management
|
||||
|
||||
### <a href="" id="bkmk-key"></a>What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key?
|
||||
|
||||
For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods).
|
||||
|
||||
### <a href="" id="bkmk-recoverypass"></a>How can the recovery password and recovery key be stored?
|
||||
|
||||
The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed.
|
||||
|
||||
For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive.
|
||||
|
||||
A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive.
|
||||
|
||||
### <a href="" id="bkmk-enableauthwodecrypt"></a>Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?
|
||||
|
||||
You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *<4-20 digit numeric PIN>* with the numeric PIN you want to use:
|
||||
|
||||
`manage-bde –protectors –delete %systemdrive% -type tpm`
|
||||
|
||||
`manage-bde –protectors –add %systemdrive% -tpmandpin <4-20 digit numeric PIN>`
|
||||
|
||||
|
||||
### <a href="" id="bkmk-add-auth"></a> When should an additional method of authentication be considered?
|
||||
|
||||
New hardware that meets [Windows Hardware Compatibility Program](https://docs.microsoft.com/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack.
|
||||
For older hardware, where a PIN may be needed, it’s recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers.
|
||||
|
||||
### <a href="" id="bkmk-recoveryinfo"></a>If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
|
||||
|
||||
BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
|
||||
|
||||
>**Important:** Store the recovery information in AD DS, along with your Microsoft Account, or another safe location.
|
||||
|
||||
### <a href="" id="bkmk-usbdrive"></a>Can the USB flash drive that is used as the startup key also be used to store the recovery key?
|
||||
|
||||
While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check.
|
||||
|
||||
### <a href="" id="bkmk-startupkey"></a>Can I save the startup key on multiple USB flash drives?
|
||||
|
||||
Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed.
|
||||
|
||||
### <a href="" id="bkmk-multikeyoneusb"></a>Can I save multiple (different) startup keys on the same USB flash drive?
|
||||
|
||||
Yes, you can save BitLocker startup keys for different computers on the same USB flash drive.
|
||||
|
||||
### <a href="" id="bkmk-multikey"></a>Can I generate multiple (different) startup keys for the same computer?
|
||||
|
||||
You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check.
|
||||
|
||||
### <a href="" id="bkmk-multipin"></a>Can I generate multiple PIN combinations?
|
||||
|
||||
You cannot generate multiple PIN combinations.
|
||||
|
||||
### <a href="" id="bkmk-encryptkeys"></a>What encryption keys are used in BitLocker? How do they work together?
|
||||
|
||||
Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios.
|
||||
|
||||
### <a href="" id="bkmk-keystorage"></a>Where are the encryption keys stored?
|
||||
|
||||
The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key.
|
||||
|
||||
This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager.
|
||||
|
||||
### <a href="" id="bkmk-funckey"></a>Why do I have to use the function keys to enter the PIN or the 48-character recovery password?
|
||||
|
||||
The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards.
|
||||
|
||||
When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment.
|
||||
|
||||
### <a href="" id="bkmk-youbrute"></a>How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?
|
||||
|
||||
It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer.
|
||||
|
||||
The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks.
|
||||
After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.
|
||||
|
||||
### <a href="" id="bkmk-tpmprov"></a>How can I determine the manufacturer of my TPM?
|
||||
|
||||
You can determine your TPM manufacturer in the TPM MMC console (tpm.msc) under the **TPM Manufacturer Information** heading.
|
||||
|
||||
### <a href="" id="bkmk-tpmdam"></a>How can I evaluate a TPM's dictionary attack mitigation mechanism?
|
||||
|
||||
The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism:
|
||||
|
||||
- How many failed authorization attempts can occur before lockout?
|
||||
- What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?
|
||||
- What actions can cause the failure count and lockout duration to be decreased or reset?
|
||||
|
||||
### <a href="" id="bkmk-pinlength"></a>Can PIN length and complexity be managed with Group Policy?
|
||||
|
||||
Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy.
|
||||
|
||||
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
|
||||
|
||||
## <a href="" id="bkmk-btgsect"></a>BitLocker To Go
|
||||
|
||||
BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems.
|
||||
|
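Review bot: this removal deletes three sections, Upgrading, Deployment and administration, and Key management, while the commit message says only "split key mgmt FAQ" and the diff shown here adds new files only for deployment/administration and key management; confirm that the removed Upgrading Q&As (the suspend-versus-decrypt explanation and the list of non-Microsoft updates that require suspending BitLocker) actually land in `bitlocker-upgrading-faq.md`, which the updated link list points to but which does not appear in this change, otherwise that content is lost. The hunk also removes the `bkmk-upgrading`, `bkmk-deploy` and `bkmk-keymanagement` anchors and every `bkmk-*` sub-anchor beneath them (`bkmk-disabledecrypt`, `bkmk-decryptfirst`, `bkmk-enableauthwodecrypt`, `bkmk-youbrute` and the rest), so a repo-wide check for links carrying those fragments should be part of this PR.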
@ -0,0 +1,112 @@
|
||||
---
|
||||
title: BitLocker Key Management FAQ (Windows 10)
|
||||
description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
|
||||
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
localizationpriority: high
|
||||
author: brianlic-msft
|
||||
ms.date: 04/03/2018
|
||||
---
|
||||
|
||||
# BitLocker Key Management FAQ
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
## What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key?
|
||||
|
||||
For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods).
|
||||
|
||||
## How can the recovery password and recovery key be stored?
|
||||
|
||||
The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed.
|
||||
|
||||
For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive.
|
||||
|
||||
A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive.
|
||||
|
||||
## Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?
|
||||
|
||||
You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *<4-20 digit numeric PIN>* with the numeric PIN you want to use:
|
||||
|
||||
<code>manage-bde –protectors –delete %systemdrive% -type tpm</code>
|
||||
|
||||
<code>manage-bde –protectors –add %systemdrive% -tpmandpin <i>4-20 digit numeric PIN</i></code>
|
||||
|
||||
|
||||
## When should an additional method of authentication be considered?
|
||||
|
||||
New hardware that meets [Windows Hardware Compatibility Program](https://docs.microsoft.com/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack.
|
||||
For older hardware, where a PIN may be needed, it’s recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers.
## If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
> [!IMPORTANT]
> Store the recovery information in AD DS, along with your Microsoft Account, or another safe location.
## Can the USB flash drive that is used as the startup key also be used to store the recovery key?
While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check.
## Can I save the startup key on multiple USB flash drives?
Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed.
## Can I save multiple (different) startup keys on the same USB flash drive?
Yes, you can save BitLocker startup keys for different computers on the same USB flash drive.
## Can I generate multiple (different) startup keys for the same computer?
You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check.
## Can I generate multiple PIN combinations?
You cannot generate multiple PIN combinations.
## What encryption keys are used in BitLocker? How do they work together?
Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios.
## Where are the encryption keys stored?
The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key.
This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager.
## Why do I have to use the function keys to enter the PIN or the 48-character recovery password?
The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards.
When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment.
## How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?
It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer.
The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks.
After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.
## How can I determine the manufacturer of my TPM?
You can determine your TPM manufacturer in **Windows Defender Security Center** > **Device Security** > **Security processor details**.
## How can I evaluate a TPM's dictionary attack mitigation mechanism?
The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism:
- How many failed authorization attempts can occur before lockout?
- What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?
- What actions can cause the failure count and lockout duration to be decreased or reset?
## Can PIN length and complexity be managed with Group Policy?
Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
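Review bot: the two manage-bde commands in the "add an additional method of authentication" answer mix a Unicode en dash in `–protectors`, `–delete` and `–add` with an ASCII hyphen in `-type tpm` and `-tpmandpin`, so the switches are not recognised when a reader copies the commands from the page; use ASCII `-protectors -delete` and `-protectors -add` throughout. The PIN placeholder is also inconsistent: the prose tells the reader to replace `<4-20 digit numeric PIN>`, but the command renders it as italic text without the angle brackets, and a raw `<...>` in markdown can be swallowed as an HTML tag, so a fenced code block with a plain placeholder would be more reliable than the `<code>`/`<i>` HTML.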