I have a latest Microsoft surface pro and would like to install a Linux system on it. There were some installation problem with the Linux and I gave up. But when I tried to perform normal booting, the BitLocker Recovery popped up every time and required me to input the Recovery key. However, I have never made any configurations on BitLocker and set any password. I just left it by default since using the surface pro.
My question is where I can retrieve the default recovery key and if not, how can I get back my data from the encrypted drive. Thank you so much.
Best Answer
What you are facing
Microsoft Surface line of devices comes encrypted either with BitLocker or Device Encryption (which is basically a non-customizable BitLocker). This encryption does not rely on a user password at all. (It could, but it doesn't.) Instead, it relies on a recovery key stored within a tamper-proof Trusted Platform Module (TPM) chip integrated into the device.
I also assume the Secure Boot is enabled on your Surface Pro. One of the thing that TPM and Secure Boot do is preventing unauthorized boot configuration modification. This is one of the things that can effectively stop bootkits (boot rootkits) and ransomware. When they determine that the boot path may have been compromised, TPM refuses to supply the BitLocker recovery key to the bootloader. (Nobody wants a bootkit to receive his/her recovery key.) Linux aficionados are already aware of both, because living in the Linux world takes a technically dedicated geek. So, when they install Linux, which definitely requires boot configuration changes, they disable BitLocker (and sometimes Secure Boot) in advance.
Make no mistake: People love all this; their data is much safer. The only exception is the journalist community who both love it and love throwing mud at it, because that's their job.
What to do now?
Fortunately, Microsoft has a safety measure in place in case your TPM fails: The recovery key that I mentioned earlier is generated during the out-of-box experience (OOBE) sequence when your Surface Pro is first turned on, and only if you choose to log in with a Microsoft account. Device Encryption does not get enforced without it. This recovery key is then uploaded to your Microsoft account and won't be deleted without your explicit command. You can find it using this URL:
That's as far as the default configuration of Microsoft goes. But if you enabled BitLocker yourself ... oh, well, never mind; you said you didn't.
With this key, you can boot Windows from the encrypted disk. From within Windows, you can disable BitLocker/Device Encryption and go about your business of installing Linux. But be advised: Linux means living on the cutting edge. If you don't have sufficient technical knowledge, some other technical difficulty may threaten your digital life. So, I suggest having backup in place.
Things you must not do
Do not try disabling or resetting TPM via UEFI. It won't grant you access. (Think of it this way: If your laptop was ever stolen, you wouldn't want the thieves to get any sort of access by a simple BIOS tweak, now do you?) If you do this, even if you can undo the configuration mismatch that has somehow come into effect, your TPM-based unique key will be lost forever.