If I stop using BitLocker, is it better to suspend it or decrypt the drive? And what is the difference between...
a BitLocker recovery password and a BitLocker recovery key?
These are two different BitLocker recovery features in Windows Server 2012 -- Suspend and Decrypt -- and they are used differently.
The Suspend option is used in conjunction with trusted platform module (TPM) capabilities. This keeps the disk encrypted but exposes the BitLocker key, which allows technicians to retrofit or upgrade the server without having to decrypt and re-encrypt the drives. Once the system hardware is changed, a new hardware "fingerprint" is taken and the BitLocker key is changed accordingly. Suspend can be a huge timesaver when system hardware changes must occur.
If you want to stop using BitLocker, it's best to turn the feature off using the Decrypt option. This will fully decrypt all data on the drive and effectively disable BitLocker.
Keep in mind that some software upgrades could require technicians to suspend or decrypt the drive before installation. Otherwise, software updates might cause unexpected changes to the system "fingerprint," resulting in disk access problems. It's best to review any upgrade notes regarding BitLocker interaction before attempting software upgrades on an encrypted server.
To answer your second question, a recovery password and a recovery key are one and the same.
When a server is configured for BitLocker, an emergency access method is usually established at the same time. For example, emergency access might be needed if the TPM has problems verifying hardware integrity and the system refuses to boot. If this occurs, a technician must provide a recovery key (sometimes called a "recovery password") to access the encrypted drive. A recovery key is a 48-digit code typed into the BitLocker recovery dialog or read from a USB flash drive, restoring access to the encrypted disk and the server.
Encryption is increasingly important as organizations opt to protect their sensitive data. Windows Server 2012 and Windows 8 administrators can deploy BitLocker to provide that protection, encrypting the computer's local disk as-needed and even binding the encrypted data to a unique piece of hardware. IT administrators will need to understand the hardware and software requirements for BitLocker, recognize the performance overhead that encryption imposes and plan for encryption key recovery contingencies.
Dig Deeper on Windows Server and Network Security
Related Q&A from Stephen J. Bigelow
Although Windows Server has a built-in backup tool, third-party tools offer useful capabilities, such as reporting and alerting features, to help ...continue reading
I need to back up Active Directory, but I'm not sure which method to use. What are my options for a painless backup and restoration effort?continue reading
Should data centers use SAS- or PCIe-based on-server flash devices? What options are out there for SSDs on servers?continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.