
Don’t Lock Yourself

For almost a decade Windows has quietly enabled BitLocker (or "Device Encryption") automatically on new devices.

Probably without the owner's knowledge.

BitLocker is like a protective case around your data, with a padlock guarding the contents. The padlock is automatically 'closed' by signing into a Microsoft account. A 48‑digit recovery 'key' for the padlock should be uploaded to that Microsoft account when the process finishes.

The daily opening and closing of the secure case is handled seamlessly in the background by the device.

Unless it detects a change that indicates tampering with the system.

Hardware swaps, motherboard replacements, firmware changes, or certain operating system updates can all trigger BitLocker to demand the recovery key. An old Microsoft Premier Field Engineering internal document listed over 200 known potential triggers, many of them relating to Secure Boot and trusted platform module (TPM) operations. With the rollout of updated Secure Boot certificates on the horizon, it would be prudent to have those recovery keys to hand, just in case.


What Happens When The Recovery Key Is Triggered?
There's not much to say, or do. The device won't start without the unique 48-digit recovery key. Crucially, the data on the encrypted disk is inaccessible without that key. If you have the key, it's a minor inconvenience. If you don't, it's time to restore from backup. You do have backups?

For larger organisations, this isn't too much of an issue - the management of BitLocker and the storage of recovery keys is usually automated. But for smaller businesses that often pass devices between staff, there's usually no documentation of either the recovery key or the history of users. And it's the first person to log in with a Microsoft account that is issued the recovery key. Subsequent Microsoft logins do not get a backup copy.
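The kind of audit a smaller business can run on each device before a hardware change or firmware update, added here as an example (it is not code from the original post). It assumes an elevated PowerShell session on Windows with the built-in BitLocker module; the output path and the -BackupToEntra switch are my own choices.

```powershell
#Requires -RunAsAdministrator
param(
    # Assumed: where to write the audit record. The file contains recovery
    # keys, so keep it somewhere that is itself protected.
    [string]$OutFile = (Join-Path $env:USERPROFILE 'BitLocker-Audit.csv'),
    # Assumed: also escrow each key to the Entra ID device object (only works
    # on Entra-joined devices; it does not touch a personal Microsoft account).
    [switch]$BackupToEntra
)

$report = foreach ($vol in Get-BitLockerVolume) {
    # Every 48-digit recovery key is held as a 'RecoveryPassword' protector.
    $recovery = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    # The risky case: the disk is encrypted but no recovery password exists,
    # so a trigger would lock the data with no way back in.
    if ($vol.VolumeStatus -ne 'FullyDecrypted' -and -not $recovery) {
        Write-Warning "$($vol.MountPoint): encrypted but has NO recovery password protector"
    }

    foreach ($kp in $recovery) {
        if ($BackupToEntra) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            VolumeStatus     = $vol.VolumeStatus
            KeyProtectorId   = $kp.KeyProtectorId
            RecoveryPassword = $kp.RecoveryPassword
            Collected        = (Get-Date).ToString('s')
        }
    }
}

# Write the record and show a summary without printing the keys to screen.
$report | Export-Csv -Path $OutFile -NoTypeInformation
$report | Format-Table MountPoint, ProtectionStatus, VolumeStatus, KeyProtectorId -AutoSize
```

The CSV is what the "first person to log in" problem lacks: a record of which key belongs to which device, independent of whoever happened to set it up.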

How Likely Is This?
BitLocker has been able to demand its recovery key for a long time, and the odds of it happening are reasonably low unless you are replacing hardware or transplanting a disk. Windows updates have been known to accidentally trigger it. And who can forget the CrowdStrike incident. But if you do need the 48-digit key and it's not available, that data is gone. So it's over to restoring from backups. You do have backups?

If you need more information, or assistance auditing devices, get in touch.