[SOLVED] Can I read data from a TPM-enabled Bitlocker-encrypted drive on other devices?

Status
Not open for further replies.
Jun 14, 2020
127
20
4,595
Hi all,

I recently encrypted two internal storage drives with Bitlocker (with TPM enabled). I live in a low-risk environment but I wanted that extra peace of mind. For now, I only have one external backup drive but I'm saving some cash on the side to get a second redundant drive and I'm waiting until then to try encrypting this current drive (I'll encrypt the redundant drive before I clone my current drive), just so that, in the unlikely chance that something goes wrong, I won't lose my backups.

I haven't ever meddled with Bitlocker or encryption like this before, so my question is this...

If my internal drives are encrypted via TPM-enabled Bitlocker, does that mean that I'll only be able to access my backups on this PC?

I did a search to see if I could find any info on this and it SOUNDS like I don't have anything to worry about but I figured I'd ask directly to make sure for peace of mind. Yes, I have my Bitlocker recovery key backed up (in several different ways), but I don't want to risk losing all of my data if all of my new backups can only be read on my existing PC due to the TPM chip.

Also, if those new backups will only be readable on my current PC, what options do I have to make it so I could use those backups if my PC decided to fail on me at some point?

Thanks in advance for any replies/explanations/advice! Please let me know if you need me to clarify anything!

SPECS:
  • OS: Windows 10 Pro (64-bit), ver 21H2
  • MOBO: ASUS Prime B450M-A II
  • CPU: AMD Ryzen 5 5600g
  • RAM: 16gb (2x8gb) TEAMGROUP T-Force Vulcan Z DDR4
  • GPU: MSI GeForce GTX 980
  • STORAGE: 480gb KINGSTON SA400S37480G SATA SSD (system drive), 2tb Seagate ST2000DM008-2FR102 SATA HDD
 
Solution
As long as you have the recovery key you can unlock a Bitlocker encrypted drive on another computer. You DID make the recovery USB drive AND write down the recovery key for each of the volume/s in question, right?

AND, always keep an unencrypted backup locked away. It's very, very, very rare but I have encountered volumes that reject a known good recovery key, thus rendering the volume permanently inaccessible.
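An added example (not from the thread) of the recovery-key unlock the answer above describes, as it would be run on the second PC after the drive is attached; the drive letter and the recovery password are placeholders, and the format check reflects BitLocker's documented rule that each 6-digit group is a multiple of 11 below 720896:

```powershell
# Added example, not from the thread: unlock a BitLocker data drive that was
# moved to a different PC using only its 48-digit recovery password. The
# original PC's TPM plays no part here; the recovery-password protector is
# independent of the TPM protector. Run in an elevated PowerShell session.
# $DriveLetter and $RecoveryPassword are placeholders; substitute your own.
$DriveLetter      = 'E:'
$RecoveryPassword = '000000-000000-000000-000000-000000-000000-000000-000000'

function Test-RecoveryPasswordFormat {
    # A BitLocker recovery password is eight 6-digit groups; each group is a
    # multiple of 11 and below 720896 (the sixth digit is a check digit), so
    # a mistyped or misread key is caught before any unlock attempt.
    param([string]$Password)
    $groups = $Password -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

if (-not (Test-RecoveryPasswordFormat $RecoveryPassword)) {
    throw 'Recovery password is not a valid 8 x 6-digit key; re-check the transcription.'
}

$vol = Get-BitLockerVolume -MountPoint $DriveLetter
'Before: {0} LockStatus={1} Protectors={2}' -f $vol.MountPoint, $vol.LockStatus, ($vol.KeyProtector.KeyProtectorType -join ',')

if ($vol.LockStatus -eq 'Locked') {
    # Unlock with the recovery password; no TPM involvement on this machine.
    Unlock-BitLocker -MountPoint $DriveLetter -RecoveryPassword $RecoveryPassword | Out-Null
}

$vol = Get-BitLockerVolume -MountPoint $DriveLetter
if ($vol.LockStatus -ne 'Unlocked') { throw "Unlock failed for $DriveLetter" }
'After: {0} LockStatus={1}; the files are readable on this PC' -f $vol.MountPoint, $vol.LockStatus

# When finished copying, re-lock so the volume is protected again once removed:
# Lock-BitLocker -MountPoint $DriveLetter -ForceDismount
```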

Colif

Win 11 Master
Moderator
BitLocker drive encryption needs to be suspended prior to making any of the following changes:

  • OS Upgrade/Installing additional OS
  • Hardware Change (e.g. Installing PCI cards)
  • Firmware updates
  • Non-Microsoft application updates that modify boot components.
BitLocker encrypted devices use the TPM chip to verify the integrity of early boot components and boot configuration data.

This helps ensure that BitLocker makes the encrypted drive accessible only if those components have not been tampered with and the encrypted drive is located in the original computer.
https://www.ucl.ac.uk/isd/services/...uters/hard-drive-encryption-using-bitlocker-0

BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way.
link
if you boot off a USB the drive contents aren't visible. Only if you boot normally will you have access to files.

I think the key is the thing that lets you access files in another PC. I don't think TPM stops that from working, it's more there to stop people booting from USB and bypassing security
https://community.spiceworks.com/topic/2288254-accessing-bitlocker-hdd-after-dead-laptop

TPM holds the key but you have it as well, there are ways to enter it manually to unlock the files.
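An added example (not from the thread) of the two things Colif's post implies you should do on the original PC: confirm every protected volume has a recovery-password protector alongside the TPM, save those passwords to an unencrypted USB stick, and suspend the TPM-protected volume for one reboot before a firmware update or hardware change; $BackupDir is an assumed path:

```powershell
# Added example, not from the thread: before a firmware update or hardware
# change on the original PC, make sure each BitLocker volume can still be
# opened without this PC's TPM, save the recovery passwords to removable
# media, then suspend TPM protection for a single reboot. Run elevated.
# $BackupDir is an assumed path to an unencrypted USB stick.
$BackupDir = 'F:\bitlocker-keys'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
    $types = $vol.KeyProtector.KeyProtectorType
    $rp    = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $rp) {
        # A TPM-only volume cannot be unlocked on another PC. Add a recovery
        # password so the data survives a dead board or a cleared TPM.
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
              Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    foreach ($p in $rp) {
        # One text file per protector, same fields the BitLocker wizard saves.
        $name = '{0}-{1}.txt' -f $vol.MountPoint.TrimEnd(':'), $p.KeyProtectorId.Trim('{}')
        $file = Join-Path $BackupDir $name
        "Volume: $($vol.MountPoint)`nProtector ID: $($p.KeyProtectorId)`nRecovery Key: $($p.RecoveryPassword)" |
            Set-Content -Path $file
    }
    '{0}: protectors = {1}; recovery password saved under {2}' -f $vol.MountPoint, ($types -join ','), $BackupDir

    # The TPM-sealed volume (normally the OS drive) is the one whose boot
    # measurements change after a firmware update; suspend it for exactly one
    # reboot so it does not drop into recovery, then BitLocker resumes itself.
    if ($types -contains 'Tpm') {
        Suspend-BitLocker -MountPoint $vol.MountPoint -RebootCount 1 | Out-Null
        '{0}: protection suspended for 1 reboot; apply the update now' -f $vol.MountPoint
    }
}
```

Data volumes that auto-unlock via the OS drive carry an ExternalKey protector rather than a Tpm one, so the loop saves their recovery passwords but leaves them protected.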
 
I appreciate all the responses. I will be testing this on my laptop (which is unencrypted at the moment) so I'll be able to know whether or not it's going to be a problem. If it will be a problem, I suppose I could unencrypt my PC (as that's a lot less likely to be stolen) and just keep the backup drives encrypted but I'd rather have everything as secure as possible.

I didn't do a USB drive but I have the recovery key written down and stored in various locations (on site and off site) for redundancy. Should I also do a USB version then?

Also, as for unencrypted backups, what do you suggest for security's sake? I can't afford to buy a new safe to keep it locked up, sadly, and my current one doesn't exactly have room to put it in there but I also feel nervous leaving unencrypted backups in the open.
 
Bank safety deposit box. And backups don't take up much space, it's not like you are printing it out on paper. A backup drive or cloud storage is small or 0 space, and pretty cheap.
 
I'll have to look into how much that'll be. I'm not really able to afford long-term subscription-based stuff and I don't have a huge amount of trust in banks but if that's the smart thing to do, I'll definitely look into it.
 

USAFRet

Titan
Moderator
Cost aside, data that exists on only one drive can be said to not exist at all.

This goes double for encrypted data.

Backups, and know how to recover.
 
I plan to have a redundant backup as I mentioned but I have to save for that. I don't think I can afford to do the bank box unless my bank has it at a really affordable rate.

I use Iperius as my backup software and I used it to transfer most of my old PC's data to this new PC when I built it in December, my main concern is just centered around the encryption aspect.
 

USAFRet

Titan
Moderator
As with all storage things, try it before you need it.

Will it work as you surmise?
Probably.

But this is the kind of thing that YOU have to test and verify with your equipment and your procedures, before you need it in the heat of battle.


As far as your backup and "but I have to save for that"...
Many people plan to start doing that in the future. Many of them need it before the future happens.
 
As I said, I have a full backup, I just don't have a redundant backup yet. It's something I'm working towards. If I had the money to spare, I'd order a second and maybe even a third drive along with a larger media drive for backups of my DRM-free games, and also get a subscription for MEGA to do cloud backups for non-sensitive files. Sadly, the money is not there for me right now so the best I could even potentially swing is one more drive for a redundant backup.

And yes, I agree that I should test it before I need it. I'm planning to do so in the next day or two, been kinda busy these past few days.
 
Just a quick update, I believe this article is basically confirming what y'all have been saying about how the recovery key would work if something went weird and stayed encrypted after transfer to an unencrypted system/drive.

https://docs.microsoft.com/en-us/pr...nsert-the-hard-disk-into-a-different-computer

That said, I tested it with a USB drive by making two copies of a test text file. One was cut-pasted onto an unencrypted USB drive, while the other was copy-pasted onto the drive. Said unencrypted USB stick was then plugged into my unencrypted laptop and I tested both files. They were both fully readable on my laptop.

I kinda figured this must be the case for multiple reasons, not the least of which being the fact that I was able to access synced files from my desktop on my unencrypted laptop but I just wanted to be sure...

I would like to mark a reply as the best answer but I'm not sure which, multiple people offered great answers!