14 DAY FREE TRIAL

No Search Results

No Search Results

14 DAY FREE TRIAL
  1. Help Center
  2. Managing Windows Devices
  3. Security

Category filter

Protect Verification Key for BitLocker Encryption

Jump To

BitLocker drive encryption is a data protection feature available on Windows devices. The data stored on a BitLocker-encrypted device becomes inaccessible even when the device is decommissioned or recycled. Therefore, enabling BitLocker on a device ensures that the data is safe from unauthorized access. When used in conjunction with TPM versions 1.2 and above, BitLocker encryption provides maximum protection.

When a drive is encrypted using BitLocker, a BitLocker recovery key (encryption key) that can be used to access encrypted data is also generated. The recovery key is stored as plaintext on the device if no key protector is assigned. A key protector is an authentication method that prevents storing the volume encryption key as plaintext on the device. It can be a PIN or a USB drive containing the key. BitLocker uses this key protector to retrieve the encryption key that reads data from the encrypted drive. This document helps the admin on how to protect the recovery key of a BitLocker-encrypted device.

BitLocker Encryption Status

Admins can monitor the encryption status of a remote Windows device through the Device Summary page of the target device on the portal. Note that the BitLocker encryption status can be verified even if the BitLocker is enabled manually. The BitLocker encryption status of a device takes either of the following forms:

BitLocker status – Not encrypted

  1. N/A – BitLocker encryption is not supported on this device.
  2. Encrypted – The encryption of the volume is completed.
  3. Encryption in progress – BitLocker encryption has started and is ongoing.
  4. Encryption paused – The encryption of the specified volume is paused.
  5. Not encrypted – The device is not BitLocker encrypted at the moment.
  6. Decryption in progress – The decryption of the specified volume is ongoing.
  7. Decryption paused – The decryption of the specified volume is paused.
  8. Status unknown – The volume protection status cannot be determined. This can be caused by the volume being in a locked state.
  9. Encrypted but unprotected – Encryption is complete, but the volume encryption key used to unlock the drive is unprotected and openly available on the hard disk.

Encryption is completed but the verification key is unprotected

The BitLocker encryption status Encrypted but unprotected denotes that the volume encryption is complete, but the volume encryption key is stored as plain text on the device without any protection. As a result, the encryption key is vulnerable to unauthorized access and can be used to read encrypted data on the drive.

BitLocker status - Encrypted but unprotected

Follow these steps to protect and store the encryption key,

  1. Setup key protectors using the BitLocker policy from the Hexnode console.

    Admins can configure key protectors through the BitLocker policy settings by navigating to Policies > New Policy > New Blank Policy > Windows > BitLocker. Within the BitLocker settings, enable the Configure BitLocker OS drive policy under OS Drive Settings. Additionally, ensure that the checkbox corresponding to Configure additional startup authentication settings is selected to activate the relevant authentication options. You can use the following authentication methods to protect the encryption key.

    • Allow BitLocker to be activated on devices without a compatible TPM
    • Authenticate with TPM Startup
    • Authenticate with Startup Key
    • Authenticate with Startup PIN

    2. BitLocker key protectors interface displaying options for managing and configuring protectors.

  2. Backup the recovery key from the device.

    You can back up the recovery key on the Windows device by following these steps,

    1. Type Manage BitLocker in the search box in the Start menu.
    2. Next, scroll down to the encrypted drive section and click on Turn on BitLocker.

      3. Enabling BitLocker manually at the device end.

    3. In this step, the user will be prompted to set up a key protector. The user can choose from any of the key protectors that are enabled in the BitLocker policy. The selected key protector containing the recovery key will be used in the future to decrypt the drive.
    4. Back up the recovery key using any of the methods provided below,
      1. Save to your Microsoft account – This method requires the user to be signed into a Microsoft account to store the recovery key to the specified account.
      2. Save to a file – Choosing this option allows you to save the recovery to a drive that is not encrypted or a removable device.
      3. Print the recovery key – This option allows the user to print the recovery key on paper.
    5. Complete the setup assistant to back up the recovery key. The BitLocker encryption will be completed after this step, and the encryption status in the portal will be changed to Encrypted.
Need more help?
Raise a Ticket Raise a Ticket
Ask Community Ask Community
Chat With us Chat With us
  • Managing Windows Devices