If I stop using BitLocker, is it better to suspend it or decrypt the drive? And what is the difference between a BitLocker recovery password and a BitLocker recovery key?
These are two different BitLocker recovery features in Windows Server 2012 -- Suspend and Decrypt -- and they are used differently.
The Suspend option is used in conjunction with trusted platform module (TPM) capabilities. This keeps the disk encrypted but exposes the BitLocker key, which allows technicians to retrofit or upgrade the server without having to decrypt and re-encrypt the drives. Once the system hardware is changed, a new hardware "fingerprint" is taken and the BitLocker key is changed accordingly. Suspend can be a huge timesaver when system hardware changes must occur.
If you want to stop using BitLocker, it's best to turn the feature off using the Decrypt option. This will fully decrypt all data on the drive and effectively disable BitLocker.
Keep in mind that some software upgrades could require technicians to suspend or decrypt the drive before installation. Otherwise, software updates might cause unexpected changes to the system "fingerprint," resulting in disk access problems. It's best to review any upgrade notes regarding BitLocker interaction before attempting software upgrades on an encrypted server.
To answer your second question, a recovery password and a recovery key are one and the same.
When a server is configured for BitLocker, an emergency access method is usually established at the same time. For example, emergency access might be needed if the TPM has problems verifying hardware integrity and the system refuses to boot. If this occurs, a technician must provide a recovery key (sometimes called a "recovery password") to access the encrypted drive. A recovery key is a 48-digit code typed into the BitLocker recovery dialog or read from a USB flash drive, restoring access to the encrypted disk and the server.
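As an added example (not part of the original answer), the BitLocker PowerShell module commands behind the Suspend and Decrypt choices described above, preceded by the recovery-password check an administrator would want before either. It assumes an elevated session on Windows Server 2012 or later with the BitLocker module installed, an AD-joined server with the BitLocker recovery-escrow policy in place, and C: as the protected volume.

```powershell
# Added example (not from the original answer): Suspend vs. Decrypt with the
# BitLocker module (Windows 8 / Windows Server 2012 and later), plus escrowing
# the 48-digit recovery password first. Assumes an elevated session and C:.
[CmdletBinding()]
param(
    [ValidateSet('Status', 'Suspend', 'Decrypt')] [string] $Mode = 'Status',
    [string] $Vol = 'C:'
)
Import-Module BitLocker
function Get-State { Get-BitLockerVolume -MountPoint $Vol }
# Make sure a recovery-password protector exists and is escrowed in AD before
# any change: a TPM validation failure after a hardware swap is exactly when
# the recovery dialog will ask for it.
function Assert-RecoveryPasswordEscrowed {
    $rp = (Get-State).KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $Vol -RecoveryPasswordProtector | Out-Null
        $rp = (Get-State).KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    # Requires the AD DS backup policy and schema. The password itself is
    # $rp.RecoveryPassword; treat it as a secret and never write it to a log.
    Backup-BitLockerKeyProtector -MountPoint $Vol -KeyProtectorId $rp[0].KeyProtectorId
}
$bl = Get-State
"{0}: VolumeStatus={1} ProtectionStatus={2} Method={3}" -f `
    $bl.MountPoint, $bl.VolumeStatus, $bl.ProtectionStatus, $bl.EncryptionMethod
switch ($Mode) {
    'Suspend' {
        Assert-RecoveryPasswordEscrowed
        # Data stays encrypted; the volume key is stored unprotected so the
        # hardware or firmware change does not trip TPM validation.
        # -RebootCount 1 re-arms protection automatically after the next
        # restart (0 means suspended until Resume-BitLocker is run by hand).
        Suspend-BitLocker -MountPoint $Vol -RebootCount 1 | Out-Null
    }
    'Decrypt' {
        Assert-RecoveryPasswordEscrowed
        # Only when BitLocker is being abandoned on this volume: removes all
        # protectors and decrypts in the background.
        Disable-BitLocker -MountPoint $Vol | Out-Null
        do {
            Start-Sleep -Seconds 30
            $s = Get-State
            "Decrypting: {0}% still encrypted" -f $s.EncryptionPercentage
        } while ($s.VolumeStatus -ne 'FullyDecrypted')
    }
}
```

Run with `-Mode Status` first to confirm ProtectionStatus is On before scheduling maintenance; if Resume-BitLocker is ever needed after an indefinite suspend, it takes the same `-MountPoint` argument.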
Encryption is increasingly important as organizations opt to protect their sensitive data. Windows Server 2012 and Windows 8 administrators can deploy BitLocker to provide that protection, encrypting the computer's local disk as needed and even binding the encrypted data to a unique piece of hardware. IT administrators will need to understand the hardware and software requirements for BitLocker, recognize the performance overhead that encryption imposes and plan for encryption key recovery contingencies.
Related Q&A from Stephen J. Bigelow