The difference between a BitLocker startup and recovery key

bitlocker, disk-encryption

I would like to encrypt a system partition using BitLocker using a password (manage-bde -protectors -add c: -pw), but (safely) store a key elsewhere if I ever forget the password. Should I add a recovery key (-rk) or a startup key (-sk)?

It seems that I would be able to use both for accessing data in case of emergency. Is there anything that I could do with a recovery key that I could not do with a startup key and vice versa?

Best Answer

I also wondered this and experimented; this is what I know so far:

  • Both commands create an external *.BEK keyfile.

  • After you have created a -StartupKey and a -RecoveryKey, they become inseparable in the protector overview (manage-bde C: -protectors -get). This lists all keys and labels the keys in question 'External key'. Only if you remember the {id} can you tell the difference.

I cannot find any sources that can validate claims/explanations about this topic, however, part of an answer might help/trigger one:

I suspect it is a legacy issue. A command was introduced into an earlier version of BitLocker and later on it was expanded. Nowadays it might make more sense to call it (-)ExternalKey, which, by the way, you can actually use to define a -type if you use the -delete command to revoke all external key file access from a drive.

In contrast, if we move a fixed(*) drive to another system (or BitLocker detects system-compromising integrity changes), it can apparently demand a recovery password. If we expand the language, a recovery key is also able to unlock the drive:

  • I can confirm that the [Load key from USB-station] button works with both key types. (Multiboot, unlocked system drive of other OS.) However, BitLocker was not in 'Recovery mode', which might be triggered by certain changes.
  • I can confirm that you can boot a system from a -RecoveryKey. (Might be obvious, but just to be complete.)

So the remaining question: if the BitLocker protection mechanism is triggered, will the startup key still be able to unlock a drive?

At this point I think it would be bad design if you could not, as you cannot differentiate between the key IDs nor the *.bek files. (*.sbek and *.rbek do not exist.) However, I have not been able to validate my assumptions. Nonetheless, I think the dots provide insight.
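The answer's practical point is that once both protectors exist, BitLocker reports each of them only as an external key with a GUID, and the .BEK file carries no label saying whether it was created as a startup or a recovery key. The script below is an added example, not code from the question or the answer: it uses the BitLocker PowerShell module (Add-BitLockerKeyProtector, Get-BitLockerVolume) rather than manage-bde, records which protector ID was created as which kind at the moment of creation, and writes that label next to the key files so the distinction is not lost later. The mount point C: and the removable-drive path E:\ are assumptions chosen for the example; it must run from an elevated PowerShell session.

```powershell
# Added example (not from the original Q&A): label 'ExternalKey' protectors at
# creation time, because BitLocker later reports startup and recovery keys
# identically and only the GUID tells them apart.
# Assumptions: elevated session, BitLocker module present, $KeyStore is a
# removable drive path chosen for this example.
param(
    [string]$MountPoint = 'C:',
    [string]$KeyStore   = 'E:\'   # constructed example path
)

function Get-ProtectorIds {
    param([string]$Mp)
    (Get-BitLockerVolume -MountPoint $Mp).KeyProtector |
        ForEach-Object { $_.KeyProtectorId }
}

function Add-LabelledExternalKey {
    param(
        [string]$Mp,
        [string]$Store,
        [ValidateSet('Startup', 'Recovery')][string]$Kind
    )
    # Add-BitLockerKeyProtector returns the whole volume, so diff the protector
    # list before and after to find the ID that was just created.
    $before = @(Get-ProtectorIds -Mp $Mp)
    if ($Kind -eq 'Startup') {
        Add-BitLockerKeyProtector -MountPoint $Mp -StartupKeyPath $Store -StartupKeyProtector | Out-Null
    } else {
        Add-BitLockerKeyProtector -MountPoint $Mp -RecoveryKeyPath $Store -RecoveryKeyProtector | Out-Null
    }
    $after = @(Get-ProtectorIds -Mp $Mp)
    $newId = $after | Where-Object { $before -notcontains $_ }
    [pscustomobject]@{
        Kind           = $Kind
        KeyProtectorId = $newId
        Created        = (Get-Date).ToString('o')
    }
}

$ledger = @()
$ledger += Add-LabelledExternalKey -Mp $MountPoint -Store $KeyStore -Kind Startup
$ledger += Add-LabelledExternalKey -Mp $MountPoint -Store $KeyStore -Kind Recovery

# Persist the labels beside the .BEK files; the files themselves carry none.
$ledger | ConvertTo-Json | Set-Content -Path (Join-Path $KeyStore 'protector-ledger.json')

# What BitLocker itself reports: both rows read 'ExternalKey', nothing more.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'ExternalKey' |
    Select-Object KeyProtectorId, KeyProtectorType
```

The ledger holds only protector GUIDs and labels, not key material, so it is safe to keep alongside the .BEK files; when a key later has to be revoked with manage-bde -protectors -delete, the ledger is what lets an administrator pick the right {id} instead of guessing between two identically labelled external keys.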
