If you get a new PC or install Windows 11, don't forget this simple step or you could lose all data on your PC / laptop due to BitLocker (see below for what it is). I have a feeling what happened to me will happen to a lot of other people.
Intro
I had a complete system loss on my Windows machine because I couldn't find my Bitlocker recovery key.
Last week, a change was made to the firmware on my main Windows laptop that had BitLocker implemented on it. Windows detected this, and during a reboot prompted me for the recovery key for the first time in years.
I went looking for that 48-digit key. Supposedly it's automatically backed up when you install Windows. I went to the location mentioned on the screen to get it from Microsoft and, after checking multiple Microsoft accounts, none of them had the key for this machine. Given the chance, I normally print out keys like this and put them in a safe place. When BitLocker was enabled it never prompted me to back up or print them out; in fact, I was never aware of this.
Microsoft keeps a copy of this key for you in your on-line account, which I'm not crazy about since they will give it out to authorities when prompted. But here's another problem: most users can't remember the account info used when setting up their PC. If someone else set up the PC and used a different account, you are REALLY SCREWED. In my case, I had multiple accounts which haven't been used in years and none of them had the recovery keys. I had no idea why they were empty.
Without the recovery key, my system was encrypted and would never let me in. In essence, it launched a denial-of-service attack on myself.
The only option was to format the drive and install Windows from scratch, re-install all my applications and restore my data. I'm a bit of a backup freak and use cloud services, so I was able to rebuild my system, only losing a few files when I was done. The rebuild is on day 4 and continues while I write this. (More on backups below.)
BitLocker
Just an FYI for anyone getting a new PC with Windows 11 on it, or if you know someone getting a new Windows computer or installing Win 11: BitLocker IS TURNED ON BY DEFAULT, and it can cause huge issues if you don't secure your recovery key(s). None of this is mentioned during install, by the way. Don't worry though, you can back your keys up now if this applies to you.
What is BitLocker and what is the problem?
BitLocker in Windows is a whole-disk encryption layer used to secure your data in case your system is stolen. This is becoming critical, since everything we do is on our PCs. Criminals can get more for your data than your PC is worth. Many people store their passwords on their PC, opening them up to massive fraud if criminals can log into their financial institutions before they can change all their passwords (a nightmare scenario). (Screen capture at right is from Windows 11 Pro.)
In Win 11, BitLocker is on by default. MAKE SURE YOU or THE OWNER BACKS UP THE RECOVERY KEY. If you don't, and you are ever prompted for the key, and you don't have it, your system will have to be rebuilt from scratch and you lose everything (but you have backups right?). It could take you days to get your system back to where it was, even if you back everything up.
As part of the Win 11 install, MS turns on BitLocker by default and stores your recovery key(s) in the Microsoft account used (or created) at install. This allows you to go get it should you ever get prompted due to a firmware change or other scenarios where Windows thinks it should prompt to prevent theft of your data.
It is VERY LIKELY that you will be prompted sometime in the future for this key due to a bug or when your firmware is changed or updated. You'll need a key for each drive that is encrypted on your system.
One other reason you'll need your recovery key is if your PC breaks due to some sort of hardware failure, or a spilled-soda-on-your-laptop event.
HERE IS WHAT YOU SHOULD DO.
- You could just turn BitLocker off. (NOT recommended) My research on the net didn't find anyone that recommended turning off BitLocker unless it's an old PC that is getting slowed down by BitLocker. The single biggest issue with BitLocker is that people can't get their recovery key when they need it. To turn BitLocker off (images here are from Windows 11 Pro):
  - Go into BitLocker by typing BitLocker config at the start menu and go to the app.
  - Expand each drive, and if your drives are protected with BitLocker you'll see a menu choice to turn it off. Follow the instructions. You may need to use the key during this process, so first export the key to a USB drive (you can't save it to an encrypted disk) or you can just print it out. If you have any issues, do a search on YouTube, I'm sure you'll find a step-by-step guide.
- Go into BitLocker by typing BitLocker config at the start menu and open that app.
- Expand each drive, and if your drives are protected with BitLocker you'll see a menu choice to Back up your recovery key. (Images are from Windows 11 Pro.)
- Back up the key to your MS account.
You have another chance to save the key to your Microsoft account but I don't recommend this unless you use that account. In addition, Microsoft is more than happy to give your key out to law enforcement without notifying you. If your key is out there, you may want to delete it.
If you don't see your key listed at https://aka.ms/myrecoverykey, do the following:
  - Go into BitLocker by typing BitLocker at the start bar and enter the app.
  - For each drive, choose "Backup Your Recovery Key" and then "Save to your Microsoft Account"
- Save your recovery key to a file. (Recommended)
  - Go into BitLocker by typing BitLocker at the start bar and enter the app.
  - For each drive, choose "Backup Your Recovery Key" and then "Save to a file"
NOTE: The file must be saved to a device that isn't encrypted. Put this file in a couple of places that you can get to if your PC isn't working. Save the contents of the file (which has the key with instructions) to a secure on-line vault, a USB drive, whatever, but not on your PC.
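The same export can be done from an elevated PowerShell prompt. This is an added example, not from the original post: it lists each BitLocker volume's recovery password and writes them to a file, refusing to write onto a drive that is itself BitLocker-protected (the mistake the note above warns about). The destination path E:\ is an assumed USB drive letter; change it to match yours.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's own instructions): export BitLocker recovery
# passwords to a file on an UNENCRYPTED drive. $Destination is an assumption.
param(
    [string]$Destination = "E:\bitlocker-recovery-keys.txt"   # assumed USB drive letter
)

# Refuse to write the keys onto a volume that is itself BitLocker-protected;
# otherwise the backup is locked behind the very key it is meant to recover.
$destRoot = [System.IO.Path]::GetPathRoot($Destination).TrimEnd('\')
$destVol  = Get-BitLockerVolume -MountPoint $destRoot -ErrorAction SilentlyContinue
if ($destVol -and $destVol.ProtectionStatus -eq 'On') {
    throw "Destination $destRoot is BitLocker-protected; use an unencrypted USB drive."
}

$lines = foreach ($vol in Get-BitLockerVolume) {
    # Only 'RecoveryPassword' protectors hold the 48-digit key the boot screen asks for.
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        Write-Warning "$($vol.MountPoint): protection $($vol.ProtectionStatus), no recovery password protector"
        continue
    }
    foreach ($rp in $recovery) {
        # The boot-time prompt identifies the key by the first 8 characters of this protector ID,
        # so keep the ID next to the key when you have several drives.
        "Drive {0}  Status {1}  Protector ID {2}  Recovery key {3}" -f `
            $vol.MountPoint, $vol.ProtectionStatus, $rp.KeyProtectorId, $rp.RecoveryPassword
    }
}

$header = "BitLocker recovery keys for $env:COMPUTERNAME, exported $(Get-Date -Format s)"
@($header) + $lines | Set-Content -Path $Destination -Encoding UTF8
Write-Host "Wrote $($lines.Count) recovery key(s) to $Destination. Print it and store the file off this PC."
```

Treat the output file like a password: anyone holding it can unlock the drives it lists.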
- Print out the recovery key (Recommended).
Print the key out and put it in a safe place. This gives you redundancy. To do this:
  - Go into BitLocker by typing BitLocker at the start bar and enter the app.
  - For each drive, choose "Backup Your Recovery Key" and then "Print the recovery key"
- BACKUP!!! (HIGHLY RECOMMENDED) Backups are critical, as it's really your best last defense against multiple things, like fire, theft, system meltdown, etc. Only crazy people don't back up, or those that only use cloud services like Dropbox, Google Docs, etc. Please read "Backup your PC to the NET, or just backup!" I still recommend something like iDrive or Crashplan for your backups. For more real-time and continuous backup, use something like Dropbox or OneDrive.

Things like Dropbox and OneDrive mirror a directory on your PC to a network service continuously while you are connected to the network. Your data is always on your PC, and if you are off-line, it will sync up next time you connect. In addition, these services allow access from multiple PCs, your phone, tablet computers and more. These services are super easy to use. Just create an account, install the service, and then store the data you most care about under the mirrored directory. You don't have to do anything else.

One additional feature that I like about Dropbox is "versioning". Versioning allows you to roll back changes to files that you make a mess of. If you delete a file, you can recover it if you don't wait too long. In fact, Dropbox supports "rewind", allowing you to roll back changes or deletes for a directory, or your entire repository (found this out after a disaster that I'll get into another time).

Use tools that provide off-site backup. Sure, you could use home network attached storage (NAS), or flash drives, but that could break, be stolen, or be consumed in a fire. If you are a freak like me, you use a local storage server and an off-site backup option like iDrive or Crashplan.
However, you need to make sure the data you care about really is in the correct directory. Many programs want to store their data somewhere else on your PC by default. You need to either tell the app to store it somewhere under your replicated directory, or create a "junction" point on your filesystem and point the data to a new directory in your mirrored area. Bottom line, you need to pay attention.
In Summary
BitLocker is enabled by default on Windows 11 and it never bugs you to back up your keys. If you are prompted for the recovery key and don't have it, kiss your system goodbye and I hope it's backed up, because the only solution is a fresh Windows install, re-installation of all your applications, and a data restore (if you have it).
BitLocker isn't a bad thing; it helps to keep your data safe from thieves that get physical access to your PC or laptop. Encrypting your data is super important in this day and age.
I'm 99% sure you'll be prompted for that key in the future. My research shows that this can be caused by a BIOS change, a BIOS or firmware update, or a bug in an application. Also, if your PC breaks, you'll want to remove your drives and mount them on another PC to get your data back, and you'll need to have the recovery key to get into that encrypted drive.
Back up your recovery key:
- If you don't have access to your keys, you are screwed, so back them up. (Each drive has its own key.)
- If you don't have a good backup plan, you're living on the edge.
Before you comment that I should use LINUX, hold on. I would switch if I could. I am growing to hate the sluggish hulk that is Windows. It's a powerful operating system but it operates like an oil tanker in the ocean, unlike Linux. Unfortunately I have way too many Windows apps that either won't work on Linux or won't run under Wine, so I'm stuck for now.