Is there any difference between a BitLocker recovery key file and numerical password that would negatively impact my ability to unlock the drive in a disaster scenario?
I frequently encrypt USB hard drives that are used for backups with BitLocker. I save the .BEK file on the server being backed up and use that to unlock the drives. However, I also save offsite the Numerical Password as well as a copy of the .BEK file.
If it's not necessary to save both of these offsite, it would be simpler not to. But before I stop doing so I need to know if there are any differences or gotchas between these two unlock methods I need to take into consideration.
Some Details
- I'm doing this on Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2 machines
- I never store the keys in a TPM
- I use "regular" BitLocker (not To-Go)
On Server 2008/R2 I enable BitLocker with:
manage-bde -on X: -rk "C:\BitLocker Keys" -rp
on Server 2012/R2 I enable BitLocker with:
manage-bde -on "\\?\Volume{GUID}\" -rk "C:\BitLocker Keys" -rp -used
The commands you posted are turning on BDE encryption for the volume you designate, saving a Recovery Key file (-rk) to C:\BitLocker Keys, and generating a numerical Recovery Password (-rp).
Should the time come that you need to recover a BitLocker-encrypted volume, you can use either the Recovery Key file or the numerical Recovery Password. You don't need both... and if you're not going to back up both, I'm a little curious as to why you're generating both. If you're only going to use one, you may as well just drop the other (-rk or the -rp) from your command, and not generate a recovery option you're not going to use in the first place.
The differences between the two methods don't seem to apply to your use case - it doesn't look like you're storing your recovery keys in Active Directory, or encrypting system drives, so it's really your choice as to which method you prefer.
So, in summary, either one is sufficient for recovery purposes; you don't need both.
In the BDE project I'm working on for my corporate overlords, I only generate a numerical recovery key, which gets backed up to Active Directory, and rely on a TPM module to store the encryption keys to unlock the drives for the end-user. Works fine, but actually inputting a 48 character string with the function keys on a computer is a bit more pain than I like to inflict on myself, so if I had it to do over, I might rely on Recovery Key files instead, for whatever that's worth.
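A recovery drill for a data volume enabled with the manage-bde -on ... -rk ... -rp commands from the question, added here as an example rather than code from either the question or the answer: it confirms the volume carries both protector types and that each copy (the .BEK file and the 48-digit password) can unlock it on its own, which is the check worth running before dropping one of them from the offsite set. It assumes an elevated PowerShell session on a host with manage-bde.exe, English-language manage-bde output, and that forcibly dismounting the backup volume during the drill is acceptable.

```powershell
# Added example (not from the question or answer): BitLocker recovery drill.
# Inputs are assumptions: the data volume letter, the offsite copy of the
# .BEK file, and the numerical recovery password copied from offsite storage.
param(
    [Parameter(Mandatory)] [string] $Drive,             # e.g. "X:"
    [Parameter(Mandatory)] [string] $BekFile,           # e.g. "D:\offsite\<id>.BEK"
    [Parameter(Mandatory)] [string] $RecoveryPassword   # 48 digits, e.g. 111111-222222-...
)

function Invoke-ManageBde {
    # Runs manage-bde.exe and throws on a non-zero exit code so that a failed
    # lock/unlock step stops the drill instead of being silently skipped.
    param([string[]] $ArgList)
    $out = & manage-bde.exe @ArgList 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($ArgList -join ' ') failed: $out"
    }
    return $out
}

# 1. Both protector types must be present before relying on either copy.
#    The string matches assume English manage-bde output.
$protectors = Invoke-ManageBde @('-protectors', '-get', $Drive) | Out-String
if ($protectors -notmatch 'External Key') {
    throw "No Recovery Key (.BEK / External Key) protector on $Drive"
}
if ($protectors -notmatch 'Numerical Password') {
    throw "No Numerical Password protector on $Drive"
}

# 2. Lock the volume, then unlock it using only the .BEK file.
Invoke-ManageBde @('-lock', $Drive, '-ForceDismount') | Out-Null
Invoke-ManageBde @('-unlock', $Drive, '-rk', $BekFile) | Out-Null
Write-Host "Unlocked $Drive with the Recovery Key file"

# 3. Lock again, then unlock it using only the numerical password.
Invoke-ManageBde @('-lock', $Drive, '-ForceDismount') | Out-Null
Invoke-ManageBde @('-unlock', $Drive, '-rp', $RecoveryPassword) | Out-Null
Write-Host "Unlocked $Drive with the Numerical Password"

# 4. Show the final state so the operator can confirm the volume is usable.
Invoke-ManageBde @('-status', $Drive)
```

If either unlock step throws, the corresponding offsite copy does not match the volume's current protectors and should be regenerated before it is relied on.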