What is the difference between a BitLocker startup and recovery key?
I would like to encrypt a system partition with BitLocker using a password (`manage-bde -protectors -add c: -pw`), but (safely) store a key elsewhere in case I ever forget the password.
Should I add a recovery key (`-rk`) or a startup key (`-sk`)?
It seems that I would be able to use both for accessing data in case of emergency.
Is there anything that I could do with a recovery key that I could not do with a startup key and vice versa?
I also wondered this and experimented; this is what I know so far:
Both commands create an external *.BEK keyfile.
After you have created a `-StartupKey` and a `-RecoveryKey`, they become inseparable in the protector overview (`manage-bde C: -protectors -get`). This lists all keys and labels the keys in question 'External key'. Only if you remember the {id} can you tell the difference.
I cannot find any sources that validate claims/explanations about this topic; however, part of an answer might help/trigger one:
I suspect it is a legacy issue. A command was introduced into an earlier version of BitLocker and later on it was expanded. Nowadays it might make more sense to call it `-ExternalKey`, which, by the way, you can actually use to define a `-type` if you use the `-delete` command to revoke all external-keyfile access from a drive.
In contrast, if we move a fixed(*) drive to another system (or BitLocker detects system-compromising integrity changes), it can apparently demand a recovery password. If we expand the language, a recovery key is also able to unlock the drive:
- I can confirm that the [Load key from USB-station] button works with both key types. (Multiboot, unlocked system drive of other OS.) However, BitLocker was not in 'Recovery mode', which might be triggered by certain changes.
- I can confirm that you can boot a system from a `-RecoveryKey`. (Might be obvious, but just to be complete.)
So the remaining question: if the BitLocker protection mechanism is triggered, will the startup key still be able to unlock a drive?
At this point I think it would be bad design if you could not, as you cannot differentiate between the key IDs or the *.bek files. (*.sbek and *.rbek do not exist.) However, I have not been able to validate my assumptions. Nonetheless, I think the dots provide insight.
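The answer above points out that once both a startup key and a recovery key exist, `manage-bde -protectors -get` shows them both as "External Key" and only the protector ID tells them apart. The following script is an added example and not code from the original answer: it adds both protectors with `manage-bde`, captures the `ID: {GUID}` line that `manage-bde -protectors -add` prints, and writes a small label file on the key volume so the roles can be recovered later, then lists the protectors through the BitLocker PowerShell module (where both also appear as `ExternalKey`). The drive letters `C:` and `E:`, the label file name, and the helper function name are assumptions; run it in an elevated PowerShell on a machine where BitLocker is already enabled on the system volume.

```powershell
# Added example, not from the original answer. Assumptions: elevated PowerShell on
# Windows, BitLocker already enabled on $Drive, and a removable volume at $KeyDir
# where manage-bde will save the .BEK files. Drive letters are placeholders.
$Drive     = 'C:'
$KeyDir    = 'E:\'
$LabelFile = Join-Path $KeyDir 'bitlocker-protector-labels.txt'   # assumed name

function ConvertTo-NormalizedId([string] $Id) {
    # manage-bde and the BitLocker module both print IDs as {GUID}; normalize
    # braces and case so the two can be compared reliably.
    return $Id.Trim('{', '}').ToUpperInvariant()
}

function Add-LabeledExternalKey {
    param(
        [Parameter(Mandatory)][ValidateSet('-sk', '-rk')] [string] $Switch,
        [Parameter(Mandatory)] [string] $Role
    )
    # Both -sk and -rk report the new protector under "External Key" with an
    # "ID: {GUID}" line; that line is the only thing that identifies it later.
    $out = & manage-bde -protectors -add $Drive $Switch $KeyDir 2>&1
    if ($LASTEXITCODE -ne 0) { throw "manage-bde failed:`n$($out -join "`n")" }
    $m = $out | Select-String -Pattern 'ID:\s*(\{[0-9A-Fa-f-]+\})' | Select-Object -First 1
    if (-not $m) { throw "Could not find a protector ID in manage-bde output" }
    $id = ConvertTo-NormalizedId $m.Matches[0].Groups[1].Value
    # Record the role next to the keyfiles; -get will never tell you this.
    Add-Content -Path $LabelFile -Value "$id`t$Role`t$(Get-Date -Format o)"
    return $id
}

$skId = Add-LabeledExternalKey -Switch '-sk' -Role 'StartupKey'
$rkId = Add-LabeledExternalKey -Switch '-rk' -Role 'RecoveryKey'

# The classic overview: both new entries are labelled "External Key".
manage-bde -protectors -get $Drive

# Rebuild the ID -> role map from the label file and print the protectors as
# the BitLocker module sees them (KeyProtectorType is ExternalKey for both).
$labels = @{}
Get-Content $LabelFile | ForEach-Object {
    $f = $_ -split "`t"
    if ($f.Count -ge 2) { $labels[$f[0]] = $f[1] }
}
Get-BitLockerVolume -MountPoint $Drive |
    Select-Object -ExpandProperty KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'ExternalKey' } |
    ForEach-Object {
        $norm = ConvertTo-NormalizedId $_.KeyProtectorId
        $role = if ($labels.ContainsKey($norm)) { $labels[$norm] } else { '(unlabelled)' }
        '{0}  {1}  {2}  {3}' -f $_.KeyProtectorId, $_.KeyProtectorType, $role, $_.KeyFileName
    }

# Revocation, kept commented because it is destructive. With the label file you
# can remove one specific keyfile by ID (for example a lost startup key):
#   manage-bde -protectors -delete $Drive -id "{$skId}"
# Without it, the only selector that covers both kinds is the shared type name:
#   manage-bde -protectors -delete $Drive -type ExternalKey
```

Keep the label file (or a copy of it) with the `.BEK` files rather than on the encrypted volume; if the label is lost, the only remaining way to identify a keyfile's role is the ID you wrote down when it was created, exactly as the answer describes.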
According to the documentation, one difference is that:
- If the PC is configured to normally use a TPM to perform a measured boot, it will do so when the startup key is used, but not when a recovery key is used. So, the recovery key should only be used as a last resort.
I will update this answer with additional differences if I discover any.