C:\Windows\system32>manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 10.0.17763
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [OS]
[OS Volume]

Size:                 77.62 GB
BitLocker Version:    2.0
Conversion Status:    Fully Encrypted
Percentage Encrypted: 100.0%
Encryption Method:    XTS-AES 128
Protection Status:    Protection On
Lock Status:          Unlocked
Identification Field: Unknown
Key Protectors:
    TPM
    Numerical Password


C:\Windows\system32>

Can I replace the numerical password key protector with an alphanumeric password protector since they're more secure (more possible permutations with all characters instead of just numbers 0-9)?

slantalpha

2 Answers


There's no need to replace the password recovery key with an alphanumeric key. Neither is there any setting for that, because it's not in a form that could be replaced with an alphanumeric key.

  • If the password recovery key were a 48-digit number, it would have log₂(10⁴⁸) ≈ 159 bits of entropy. But it's actually 8 groups of 16 bits of entropy (8 values between 0 and 65,535), i.e. 128 bits of entropy. It's comparable to a 21-character random alphanumeric password combining small and capital letters with numbers, which has log₂((26+26+10)²¹) ≈ 125 bits of entropy; 22 characters give 131 bits of entropy.

  • Encryption Method: XTS-AES 128. Anything over 128 bits wouldn't add anything anyway.

Esa Jokinen
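As an added illustration of the entropy arithmetic in the answer above (example code written for this page, not from the original post, Microsoft, or libbde), the functions below parse a recovery password in its documented 8×6-digit form and compare its effective entropy with that of random alphanumeric passwords. The divisible-by-11 check is the documented recovery password format (described in libbde, linked below); the sample password and the helper names are constructed for this example.

```python
import math
import re
from typing import List

# Constructed sample recovery password for this example; not a real key.
SAMPLE_RECOVERY_PASSWORD = "135795-720885-000000-000011-111111-222222-123453-000022"

GROUP_RE = re.compile(r"^\d{6}$")


def parse_recovery_password(text: str) -> List[int]:
    """Return the eight 16-bit values encoded by a BitLocker recovery password.

    Documented format: eight groups of six decimal digits; each group is a
    multiple of 11 and the quotient is a value in 0..65535 (16 bits), so the
    48 digits carry only 8 x 16 = 128 bits. Raises ValueError on bad input.
    """
    groups = text.replace(" ", "").split("-")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    values = []
    for i, group in enumerate(groups, 1):
        if not GROUP_RE.match(group):
            raise ValueError(f"group {i} is not six digits: {group!r}")
        n = int(group)
        if n % 11:
            raise ValueError(f"group {i} fails the divisible-by-11 check: {group}")
        value = n // 11
        if value > 0xFFFF:
            raise ValueError(f"group {i} exceeds 16 bits after dividing by 11: {group}")
        values.append(value)
    return values


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def recovery_password_entropy(text: str) -> float:
    """Effective entropy of a valid recovery password: 8 groups x 16 bits."""
    return 16.0 * len(parse_recovery_password(text))


def alnum_length_for(bits: float) -> int:
    """Shortest random [A-Za-z0-9] password with at least `bits` of entropy."""
    return math.ceil(bits / math.log2(26 + 26 + 10))
```

Running `recovery_password_entropy` on the sample gives 128 bits, while `entropy_bits(10, 48)` shows the 159 bits a truly random 48-digit number would have; `alnum_length_for(128)` returns the 22-character figure from the answer.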

The numerical password is a 'Recovery' password. A Recovery Key is in theory more secure. For example, I believe the federal government public sector does not allow recovery password protectors, only recovery key protectors.

However, with your current configuration, you should be aware that if your computer were lost or stolen, the recovery protector is not needed to unlock the hard drive. A simple, inexpensive hardware device may be used to attach to the LPC bus, and intercept the TPM key protector when the computer starts. That can then be used with open source code to unlock the volume.

So, adding a password protector would be far more secure than your current configuration.

More information:

https://pulsesecurity.co.nz/articles/TPM-sniffing
https://github.com/libyal/libbde

https://blogs.technet.microsoft.com/askcore/2014/12/29/how-to-make-your-existing-bitlocker-encrypted-environment-fips-complaint/

Greg Askew
  • @[Greg Askew] thanks. If I put a startup password on the BIOS, will it mitigate the hardware hack? By "Recovery Key", do you mean a hardware device like a USB drive that I need to plug in to unlock the BitLocker drive? – slantalpha Apr 08 '19 at 02:11
  • A BIOS password would work. A Recovery Key is a blob that you save to a USB drive when enabling BitLocker (-RecoveryKey F:\) – Greg Askew Apr 08 '19 at 13:44