Option to add TPM and Recovery Password at once
Adding TPM and Recovery Password protectors is by far our most common use case, and I would imagine it would be for a lot of others as well. Would it be possible to add an option to add both at once? If this is already possible and I am missing how to do it, please let me know.
Re: Option to add TPM and Recovery Password at once
BitLocker does not natively have a command to do that. Here are the possible key types and combo key types.
- TPM (Trusted Platform Module)
Uses the system’s TPM to encrypt the VMK. Ideal for OS volumes.
- TPM + PIN
Adds a user-supplied PIN to TPM authentication for enhanced security.
- TPM + Startup Key
Requires a USB device with a startup key in addition to TPM.
- TPM + PIN + Startup Key
Combines all three for maximum protection on OS volumes.
- Startup Key Only
Stores the key on a USB device—useful for systems without TPM.
- Password
User-defined password, commonly used for removable drives.
- Recovery Password
A 48-digit numeric password generated during setup, used for recovery scenarios.
- Recovery Key
A key file stored on a USB device, also used for recovery.
- Auto Unlock
Automatically unlocks data drives when the OS drive is unlocked.
- SID Protector (ADAccountOrGroup)
Unlocks data drives based on Active Directory user or group login.
- Network Unlock
Unlocks OS drives automatically when connected to a trusted network—great for remote management.
- Recovery Agent Certificate
Used to unlock data drives via a certificate stored locally.
Combining Protectors
You can add multiple protectors to a single volume. For example:
| Combination | Use Case |
| --- | --- |
| TPM + PIN | Secure OS volume with user authentication |
| TPM + Startup Key | Adds physical token requirement |
| TPM + PIN + Startup Key | Highest security for OS volumes |
| Password + Recovery Key | Removable drives with fallback |
| SID + Auto Unlock | Seamless access for data drives in domain environments |
So for us to do this I would need to create a custom command in the plugin that would add each key individually. Not an impossible problem, just not able to do it inside of BitLocker as a single command. I would need to break it down into multiple commands.
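The two-step sequence the reply describes, as an added PowerShell example (not the plugin's own code): it adds a TPM protector and a Recovery Password protector back to back, skips either one if it already exists, and optionally escrows the recovery password in Active Directory. It assumes an elevated session on Windows with the BitLocker module, BitLocker already turned on for the volume, and mount point "C:".

```powershell
# Added example: add TPM + Recovery Password protectors in one idempotent step.
# Assumptions: elevated session, BitLocker module present, BitLocker already
# enabled on the volume, mount point "C:" (the function name is hypothetical).
function Add-TpmAndRecoveryPasswordProtector {
    [CmdletBinding()]
    param(
        [string]$MountPoint = "C:",
        # Optional: also escrow the recovery password in Active Directory.
        [switch]$BackupToAD
    )

    # A TPM protector can only be added when the TPM is present and ready.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM is not present or not ready on this system; cannot add a TPM protector."
    }

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    $types  = $volume.KeyProtector | ForEach-Object { $_.KeyProtectorType }

    # BitLocker has no single command for both protectors, so the two
    # Add-BitLockerKeyProtector calls are issued one after the other.
    if ($types -notcontains 'Tpm') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    }
    if ($types -notcontains 'RecoveryPassword') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    # Re-read the volume so the returned object reflects the new protectors.
    $volume   = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    # Escrow each recovery password protector in AD DS if requested.
    if ($BackupToAD) {
        foreach ($rp in $recovery) {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        }
    }

    # Return the protector set and the recovery protector(s) so the 48-digit
    # password can be recorded before the machine is handed out.
    [pscustomobject]@{
        MountPoint     = $MountPoint
        ProtectorTypes = ($volume.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        Recovery       = $recovery | Select-Object KeyProtectorId, RecoveryPassword
    }
}

Add-TpmAndRecoveryPasswordProtector -MountPoint "C:"
```

Run it once per volume; on a second run it makes no changes because both protector types are already present.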