It saves it as a hidden system file on a USB disk.Ĭan a Bitlocker-locked drive be brute-forced within hours by guessing the recovery key by an actor with a supercomputer? With a couple of GPUs? (assuming Microsoft put as much effort as possible into that pseudo-random recovery key and didn't insert any backdoors by reducing the already-miserable amount of randomness there) I did switch to the 256-bit recovery key, which somebody on some forum says ought to be FIPS compliant. BitLocker just fails with an error saying there is no option to create a recovery key. I was actually not able to disable the recovery key entirely. The vulnerability would work just the same. I was happy about my discovery for a minute, but I realized if the answer to question 1 is yes, it might just create the recovery key in the background, but never display, save, or log it.
In Windows, search Run → gpedit.msc → Computer Configuration → Administrative Template → Windows Components → BitLocker Drive Encryption → Fixed/Removable Data Drives → Choose how fixed/removable drives can be recovered. (I hope) I found a way to disable the recovery keys! Is there an option to disable BitLocker recovery keys?Īnswer to question 2. So it adds up to two questions:Ĭan a BitLocker-locked drive be brute-forced within hours by guessing the recovery key by an actor with a supercomputer? With a couple of GPUs? (assuming Microsoft put as much effort as possible into that pseudo-random recovery key and didn't insert any back doors by reducing the already-miserable amount of randomness there)
The time to crack anything below 128 random bits falls off the cliff so under the worst case scenario it could be cracked very quickly using regular GPUs. So it must be a pseudorandom 163-bit key. What else could Windows use for randomness? Thermistors on the chipset? Too slow, the key was printed out within a few seconds. When generating the key I didn't move neither my mouse, nor pressed keys, nor was my computer connected to the Internet. A 163-bit key seems mighty small and is certainly not up to an industrial standard of 256 bit.īut then something else struck me. The recovery key on the other hand is 48 digits, at most log 2(10^49) = 163 bit, if my math is correct. If half of it is random, the key is way above 256 bits and suits the industrial standards. My estimate is that it is 7 bit per character = 896 bits. Now my passwords are 128-character alphanumerics with special characters that I generate using algorithms with some random input (e.g., my mouse movements). It says it is just another encryption key, like the password.
I searched for how they worked and found the post How does Microsoft's BitLocker Recovery Code work?. While laboring with safe storage of these "recovery keys", I suddenly realized how small they looked and now I started suspecting a more serious problem.
No other encryption software I used did that so it annoyed me and made me biased perhaps. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.While doing some encryption work on drives I found that BitLocker keeps making these "recovery keys". Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface.
Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks.Īfter you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. The TPM has the built-in ability to detect and react to these types of attacks. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack.