Bitlocker Recovery - TPM Owner Password? What?

  • Question

  • So I ran into a very odd situation here.

    I had encrypted a large ReFS Data Volume on my system with Bitlocker (XTS-AES). The drive always requires me to enter a password to unlock it because my System Drive (OS Drive) is not encrypted so I cannot enable automatic unlock.

    Fast forward to this week. I decided I wanted to BitLocker my OS drive, so I reset the TPM Owner Password and went to encrypt C:.

    HOWEVER, this action rendered my Data Drive completely inaccessible:

    * I could not use the Recovery Key
    * I could not use the Password

    Bitlocker said the drive was unlocked, and I had tried a recovery tool that could see files--but I was unable to access the drive.

    So I went ahead and decrypted my C: drive, and then restored the TPM Owner password backup I had from the last time I initialized my TPM via Set-TPMOwnerAuth.

    Lo and behold, when I use my password to unlock the volume, it works.

    I'm trying to understand why the TPM is being used at all for this volume. The Protectors do not list the TPM anywhere. But sure enough, restoring the older TPM Owner info allowed me access to my drive. Using the 48-digit Recovery Password I backed up to my Microsoft Account DID NOT WORK to unlock my volume.

    Volume G: [Storage space]
    All Key Protectors
    
        Numerical Password:
          ID: {C166C6F1-3644-492A-8BD2-3D6821E06AFD}
          Password:
            XXXX-XXXX-XXXXX-XXXXX-XXXX-XXXXX-XXXXX-XXXXX
    
        Password:
          ID: {BA62FCB1-0768-4615-A5CB-0FC0077FF463}
    
        External Key:
          ID: {664249A4-17D4-4F46-B0AE-1676B4C145B8}
          External Key File Name:
            664249A4-17D4-4F46-B0AE-1676B4C145B8.BEK

    Wednesday, December 30, 2015 1:32 PM
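The steps the poster went through (recording the TPM owner authorization before touching the TPM, listing the volume's protectors, trying the recovery password and the volume password, and then checking that the volume is actually readable rather than merely reported unlocked) can be scripted. The following is an added example and is not the poster's code or output; it assumes the data volume is G:, that the 48-digit recovery password is filled in where the placeholder is, and that the owner-auth backup path under the user profile is acceptable. It uses only the built-in BitLocker and TrustedPlatformModule cmdlets and must run from an elevated prompt.

```powershell
# Added example, not from the original post. Assumptions: data volume is G:,
# the recovery password below is a placeholder, backup path is arbitrary.
# Run from an elevated PowerShell prompt.

$MountPoint       = "G:"
$RecoveryPassword = "XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX"  # placeholder
$OwnerAuthBackup  = "$env:USERPROFILE\tpm-owner-auth-$(Get-Date -Format yyyyMMdd-HHmmss).txt"

# 1. Save the current TPM owner authorization BEFORE any Clear-Tpm or
#    re-initialization. Set-TpmOwnerAuth -File <path> can restore it later.
$tpm = Get-Tpm
if ($tpm.TpmPresent -and $tpm.OwnerAuth) {
    $tpm.OwnerAuth | Out-File -FilePath $OwnerAuthBackup -Encoding ascii
    Write-Host "TPM owner auth saved to $OwnerAuthBackup"
} else {
    Write-Warning "No TPM owner authorization available to back up (TPM absent, or value not stored by the OS)."
}

# 2. Enumerate the volume's protectors and flag any that involve the TPM.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
$tpmBound = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like "Tpm*" }
if ($tpmBound) {
    Write-Host "TPM-bound protectors present: $($tpmBound.KeyProtectorType -join ', ')"
} else {
    Write-Host "No TPM-bound protectors listed on $MountPoint"
}

# 3. If the volume is locked, try the numerical (recovery) password first,
#    then fall back to the password protector.
if ($vol.LockStatus -eq "Locked") {
    try {
        Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword -ErrorAction Stop | Out-Null
        Write-Host "Unlocked with recovery password."
    } catch {
        Write-Warning "Recovery password failed: $($_.Exception.Message)"
        $pw = Read-Host -AsSecureString "Volume password for $MountPoint"
        Unlock-BitLocker -MountPoint $MountPoint -Password $pw
    }
}

# 4. "Unlocked" according to BitLocker is not the same as readable: confirm
#    the file system can actually be listed.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host "LockStatus: $($vol.LockStatus); ProtectionStatus: $($vol.ProtectionStatus)"
if ($vol.LockStatus -eq "Unlocked") {
    try {
        Get-ChildItem -Path "$MountPoint\" -ErrorAction Stop | Select-Object -First 5
    } catch {
        Write-Warning "Reported unlocked but directory listing failed: $($_.Exception.Message)"
    }
}
```

Step 1 is the one that would have saved the round trip described above: `Set-TpmOwnerAuth -File` can only restore what was exported beforehand. Step 4 distinguishes the two failure modes the post mentions, a protector that does not unlock the volume and a volume that unlocks but cannot be browsed.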

All replies

  • Hi.

    Just picking out "Bitlocker said the drive was unlocked, and I had tried a recovery tool that could see files--but I was unable to access the drive." - the recovery tool saw the files? So it was indeed unlocked. No other way it could even list a directory. If you couldn't use explorer to get at the files, surely this was a bug, what else? So don't worry, next time have backups, because this will not be the last bug there is in bitlocker.

    I administer about 100 encrypted devices. We ran Symantec Desktop Encryption (formerly PGP) before we switched to BitLocker to save licensing costs. Believe me, Symantec's product had tons of bugs. BitLocker is by far better, but not bug free. I have had maybe 10 occurrences of misbehavior of whatever kind so far, clearly buggy misbehavior. I am experienced enough to tell, since I have used BitLocker on multiple machines since the days it came out with Vista.


    Thursday, December 31, 2015 3:18 PM