July 7, 2021

Is the Recovery Key a vulnerability to BitLocker?

[This article](https://blog.elcomsoft.com/2020/05/unlocking-bitlocker-can-you-break-that-password/) from Elcomsoft addresses the different ways to secure a system with BitLocker. They list various security models, ranging from password only, TPM only, to TPM + PIN, TPM + USB key or TPM + PIN + USB key.

Most enterprise users probably use the TPM-only model. The same goes for many private users.

Those who want a little better security like to use TPM + PIN, or even better, TPM + password (enhanced PIN).

It may seem that if you use TPM + PIN, TPM + password, TPM + USB or TPM + PIN + USB, the only possible step for an intruder will be to try to attack the Recovery Key.

If you compare BitLocker with other encryption solutions such as VeraCrypt or BestCrypt, BitLocker is the only solution that requires a Recovery Key.

I’m wondering if this is a vulnerability in BitLocker.

This key consists of 48 numbers. These numbers are divided into 8 groups consisting of 6 numbers. Each of these groups is a number that must be divisible by 11.

It goes without saying that an attacker will have to have a powerful system to crack a Recovery Key, if that is at all possible.

This makes me think that maybe it is “easier” for an attacker to attack a Recovery Key, because the attacker knows the exact length of the key, that the key consists exclusively of numbers and that each group of 6 numbers must be divisible by 11, compared to a system without a Recovery Key, where the attacker is not familiar with the length or composition of the password? The attacker must then cast a much larger net to crack the password.

Microsoft could have avoided this by making the key consist of, for example, a password of random 48 characters.

Is this an actual vulnerability of BitLocker, or are the number possibilities of a Recovery Key so large that it will not be cracked with a targeted attack?
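The size of the Recovery Key space can be worked out directly from the constraints the question lists. The following is an added example (not part of the post or of any BitLocker tooling) that validates the 48-digit, 8-group, divisible-by-11 format and compares its entropy with a random 48-character password; the 16-bit-per-group limit in `keyspace_bits_actual` is documented BitLocker behaviour that the post does not mention and is marked as an assumption in the code.

```python
import math
import secrets

GROUPS = 8              # the post: 8 groups ...
DIGITS_PER_GROUP = 6    # ... of 6 digits each, 48 digits in total


def parse_recovery_key(text: str) -> list:
    """Validate the format described in the post and return the 8 group values.

    Raises ValueError on a wrong group count, a non-digit or wrong-length group,
    or a group that is not divisible by 11.
    """
    groups = text.replace(" ", "").split("-")
    if len(groups) != GROUPS:
        raise ValueError(f"expected {GROUPS} groups, got {len(groups)}")
    values = []
    for i, g in enumerate(groups, start=1):
        if len(g) != DIGITS_PER_GROUP or not g.isdigit():
            raise ValueError(f"group {i} must be exactly {DIGITS_PER_GROUP} digits")
        v = int(g)
        if v % 11 != 0:
            raise ValueError(f"group {i} ({g}) is not divisible by 11")
        values.append(v)
    return values


def keyspace_bits_from_page_constraints() -> float:
    # Using only what the post states: a group is any 6-digit multiple of 11,
    # i.e. 0, 11, ..., 999999 -> 90910 candidates per group.
    per_group = 10 ** DIGITS_PER_GROUP // 11 + 1
    return GROUPS * math.log2(per_group)


def keyspace_bits_actual() -> float:
    # Assumption (documented BitLocker behaviour, not stated in the post): each
    # group divided by 11 must fit in 16 bits, so a group encodes exactly 65536
    # values and the whole key is a 128-bit value.
    return GROUPS * math.log2(65536)


def keyspace_bits_random_password(length: int = 48, alphabet: int = 95) -> float:
    # The alternative the post proposes: 48 random printable ASCII characters.
    return length * math.log2(alphabet)


def generate_sample_key() -> str:
    # Constructed sample in the valid format (16-bit word * 11 per group), for
    # illustration only; it is not a key for any real volume.
    return "-".join(f"{secrets.randbelow(65536) * 11:06d}" for _ in range(GROUPS))
```

Run as a script, `parse_recovery_key(generate_sample_key())` accepts every generated key, while a key with a group such as `000012` is rejected before any key-derivation step would be attempted.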
