(I hope) I found a way to disable the recovery keys! Is there an option to disable BitLocker recovery keys?Īnswer to question 2. So it adds up to two questions:Ĭan a BitLocker-locked drive be brute-forced within hours by guessing the recovery key by an actor with a supercomputer? With a couple of GPUs? (assuming Microsoft put as much effort as possible into that pseudo-random recovery key and didn't insert any back doors by reducing the already-miserable amount of randomness there) The time to crack anything below 128 random bits falls off the cliff so under the worst case scenario it could be cracked very quickly using regular GPUs. So it must be a pseudorandom 163-bit key. What else could Windows use for randomness? Thermistors on the chipset? Too slow, the key was printed out within a few seconds.
When generating the key I didn't move neither my mouse, nor pressed keys, nor was my computer connected to the Internet. A 163-bit key seems mighty small and is certainly not up to an industrial standard of 256 bit.īut then something else struck me. The recovery key on the other hand is 48 digits, at most log 2(10^49) = 163 bit, if my math is correct. If half of it is random, the key is way above 256 bits and suits the industrial standards. My estimate is that it is 7 bit per character = 896 bits. Now my passwords are 128-character alphanumerics with special characters that I generate using algorithms with some random input (e.g., my mouse movements). It says it is just another encryption key, like the password.
I searched for how they worked and found the post How does Microsoft's BitLocker Recovery Code work?. While laboring with safe storage of these "recovery keys", I suddenly realized how small they looked and now I started suspecting a more serious problem. No other encryption software I used did that so it annoyed me and made me biased perhaps. While doing some encryption work on drives I found that BitLocker keeps making these "recovery keys".
0 kommentar(er)
