How to Change the Windows BitLocker Recovery Password for an Encrypted Drive

There have been several articles published recently about the new automated “Device Encryption” feature (based on BitLocker) in Windows 10 Home edition and the fact that, by default, Windows 10 will save the recovery password for the drive to the user’s Microsoft account in the cloud (if they are signed in with one).  Most of these articles resort to fear-mongering tactics, exaggerations, and flat-out misinformation in order to make a mostly good new feature seem like an evil conspiracy by Microsoft to steal your data (more on that later).

The articles then go on to provide steps to change the recovery key so that Microsoft won’t have a working copy.  That is all fine and good (the steps, not the fear mongering) except that the steps those articles have provided to date are unnecessarily slow, because they involve fully decrypting the drive and then re-encrypting it.  None of that is needed: the 48-digit recovery password is just one key protector stored in the volume’s metadata, so deleting that protector and adding a new one invalidates the old password without touching the encrypted data.  The commands to do that from the command line are detailed below.

Steps to Change a Drive’s BitLocker Recovery Password

Step 1: Open the Windows command prompt (or a PowerShell prompt if you prefer) as an administrator.

Start menu >> type “cmd” >> right click on the “Command Prompt” search result item and select “run as administrator”.  Select “Yes” if UAC prompts for permission to run the command prompt as an administrator.

Step 2: View the current recovery password for the specified drive (the C:\ drive in this example) by entering the following command at the command prompt:

manage-bde C: -protectors -get -type RecoveryPassword

Example output:

BitLocker Drive Encryption: Configuration Tool version 10.0.10011
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [System]
Key Protectors of Type Numerical Password

    Numerical Password:
      ID: {29687185-C79B-48B1-8F4D-2862D92592C9}
      Password:
        025740-720005-791228-067595-085712-212256-717233-701481

Step 3: Copy the ID of the recovery password to be replaced and then delete its protector by entering the following command at the command prompt (substitute the ID you copied for the example ID).  Deleting the protector is what makes the old 48-digit password stop working, including any copy of it stored in your Microsoft account.  If Step 2 listed more than one numerical password, repeat this for each one you want to retire.  The order of Steps 3 and 4 does not matter to manage-bde, so if you would rather never be without a recovery protector, run Step 4 first and delete the old protector afterwards.

manage-bde C: -protectors -delete -id {29687185-C79B-48B1-8F4D-2862D92592C9}

Example output:

BitLocker Drive Encryption: Configuration Tool version 10.0.10011
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [System]
Key Protector with ID {29687185-C79B-48B1-8F4D-2862D92592C9}

    Numerical Password:
      ID: {29687185-C79B-48B1-8F4D-2862D92592C9}
      Password:
        025740-720005-791228-067595-085712-212256-717233-701481

Key protector with ID "{29687185-C79B-48B1-8F4D-2862D92592C9}" deleted.

Step 4: Create a new recovery password for the specified drive by entering the following command at the command prompt:

manage-bde C: -protectors -add -rp

Example output:

BitLocker Drive Encryption: Configuration Tool version 10.0.10011
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Key Protectors Added:

    Numerical Password:
      ID: {3BA11B16-CF52-4378-A098-9BE85C116424}
      Password:
        475772-004268-264264-566533-510257-022858-259116-241724

ACTIONS REQUIRED:

    1. Save this numerical recovery password in a secure location away from your computer:

    475772-004268-264264-566533-510257-022858-259116-241724

    To prevent data loss, save this password immediately. This password helps ensure that you can unlock the encrypted volume.

Step 5: Make a copy of the new recovery password.

You can do this by manually copying the output from the command window (both the new ID and the password), or you can right-click on the drive in Windows Explorer and select the “Back up your recovery key” option.  If you use that wizard, pick the USB drive, file, or print option rather than “Save to your Microsoft account”, since that would put the new password back in the cloud and defeat the purpose of Step 3.  Either way, you will need this password in the event of OS corruption, a firmware or TPM change that sends the machine into recovery, or device failure.  Save it somewhere secure so it doesn’t get stolen with your device, and not on the same drive that is encrypted (that should be obvious, but just in case).  You should also have backups of your important data in the event of device theft or a disk failure.
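The whole procedure above wrapped into a PowerShell function, as an added example that is not part of the original post.  It uses the BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector) instead of manage-bde, adds the new protector before deleting the old ones so the volume is never without a recovery protector, refuses to write the backup onto the encrypted volume, and includes a small check (Test-RecoveryPassword) you can run on a hand-copied password before trusting it: each of the eight 6-digit groups of a genuine BitLocker recovery password is a multiple of 11 and below 720896 (the group divided by 11 is a 16-bit value).  The function names, the -BackupPath parameter and the sample passwords in the usage comments are my own choices, not Windows’ or the original author’s; the script assumes the BitLocker PowerShell module is present on your edition (if it is not, the manage-bde commands above do the same job) and an elevated prompt.

```powershell
# Added example (not from the original post): rotate the BitLocker recovery
# password of a volume in the safe order (add the new protector first, then
# remove the old ones) and sanity-check a hand-copied recovery password.
# Assumptions: the BitLocker PowerShell module is installed and the prompt is
# elevated. Function names and the -BackupPath parameter are this example's own.

#Requires -RunAsAdministrator

function Test-RecoveryPassword {
    # Returns $true when $Password has the BitLocker recovery-password shape:
    # eight groups of six digits, each group a multiple of 11 and below 720896.
    # Any single wrong digit, or a swap of two adjacent digits, breaks this rule,
    # so it catches most transcription errors in a copy written down by hand.
    param([Parameter(Mandatory)][string]$Password)

    $groups = $Password.Trim() -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Update-RecoveryPassword {
    param(
        [string]$MountPoint = 'C:',
        # Folder on a *different* volume (e.g. a USB stick) to save the new password to.
        [Parameter(Mandatory)][string]$BackupPath
    )

    # Refuse to write the backup onto the very volume it is meant to unlock.
    $backupRoot = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($BackupPath))
    if ($backupRoot.TrimEnd('\') -ieq $MountPoint.TrimEnd('\')) {
        throw "Backup path $BackupPath is on the encrypted volume $MountPoint; use another drive."
    }
    New-Item -ItemType Directory -Force -Path $BackupPath | Out-Null

    $vol    = Get-BitLockerVolume -MountPoint $MountPoint
    $old    = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    $oldIds = @($old | ForEach-Object { $_.KeyProtectorId })

    # 1. Add the replacement first so the volume never lacks a recovery protector.
    $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $new = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldIds }

    if (-not $new -or -not (Test-RecoveryPassword $new.RecoveryPassword)) {
        throw "New recovery password was not created or is malformed; old protectors left in place."
    }

    # 2. Save the new ID and password off-device *before* touching the old ones.
    $file = Join-Path $BackupPath ("BitLocker-{0}.txt" -f $new.KeyProtectorId.Trim('{}'))
    @("Volume: $MountPoint",
      "ID: $($new.KeyProtectorId)",
      "Password: $($new.RecoveryPassword)") | Set-Content -Path $file -Encoding ASCII

    # 3. Now the old passwords (including any copy held in the cloud) stop working.
    foreach ($id in $oldIds) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
    }

    [pscustomobject]@{
        Volume  = $MountPoint
        NewId   = $new.KeyProtectorId
        Removed = $oldIds
        Backup  = $file
    }
}

# Usage, typed at the elevated PowerShell prompt from Step 1:
#   Update-RecoveryPassword -MountPoint 'C:' -BackupPath 'E:\bitlocker'
#
# Checking a hand-written copy (constructed sample values; groups are multiples of 11):
#   Test-RecoveryPassword '025740-720005-067595-085712-212256-717233-701481-475772'   # $true
#   Test-RecoveryPassword '025740-720005-067595-085712-212256-717233-701481-264284'   # $false, 264284 is not a multiple of 11
```

The format check only tells you that a password is well formed, not that it belongs to this volume; the only proof of that is an actual unlock, which is why the script writes the new password to the backup location before the old protectors are removed rather than after.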

Some Logic to Counter the Hysteria

A few things worth noting for those that may have already encountered one of the more sensational articles I mentioned above:


  • The new Device Encryption feature in Windows 10 Home edition is intended to be a baseline level of protection against your data being read if the device is lost or stolen.  Before Windows 8.1 introduced Device Encryption for qualifying hardware, Home editions of Windows did not have any drive encryption functionality built in at all.
  • When this feature is enabled automatically (a clean install on hardware that meets the Device Encryption requirements), it saves the recovery password to the user’s Microsoft account in the cloud (if the user is signed in to Windows with one), because the average user would not fully understand the importance of keeping a copy of the recovery password.  Without that copy they would be at high risk of losing all of their data at some point down the road.
  • When the feature is enabled manually, the user is prompted to choose a backup location for a copy of the recovery password.  They can choose from both offline and online locations or some combination thereof.
  • The recovery password is only useful to an attacker who has physical access to the device (or to a copy of its disk).  It cannot be used by “hackers” to attack someone remotely; disk encryption in general is not designed to protect against that type of threat.  Therefore, it’s useless to hackers, Microsoft, the government, or any other entity unless they come and physically take your device, which in most countries requires a search warrant.  If that is the threat you are concerned about, then you should learn more about encryption and stop relying on the automated encryption and default options that come with your devices.
  • Microsoft doesn’t want or need your recovery password.  When you have files stored on a computer, the operating system already has access to those files: the user browses their files and folders using the operating system and applications that run inside the OS.  If Microsoft wanted to steal your data, they could have been doing it for more than 30 years now.  Considering that Windows is used by countless corporations, governments, and individuals, it would be pretty well known by now if MS were systematically stealing people’s files.  In any event, disk encryption wouldn’t prevent that anyway, because it only protects data while the OS is not running.
  • Apple, Google, and other vendors that have similar functionality do the same thing by default.  There is an option in some cases not to save the recovery password, but most users don’t uncheck it, and the ones that do had better know what they are doing.
  • This does not affect corporate users who sign in with Active Directory domain accounts rather than consumer Microsoft accounts; on those machines nothing is sent to a Microsoft account (an organization can instead escrow recovery passwords to Active Directory through Group Policy).
  • This does not affect users who use local accounts instead of Microsoft accounts.  However, local accounts leave many of the new features of Windows 10 unusable (settings synced between devices, bookmark syncing, OneDrive cloud storage, and anything else that requires “cloud” functionality).



Thanks for reading and I hope the information here was helpful.
