If I stop using BitLocker, is it better to suspend it or decrypt the drive? And what is the difference between...
a BitLocker recovery password and a BitLocker recovery key?
These are two different BitLocker recovery features in Windows Server 2012 -- Suspend and Decrypt -- and they are used differently.
The Suspend option is used in conjunction with trusted platform module (TPM) capabilities. This keeps the disk encrypted but exposes the BitLocker key, which allows technicians to retrofit or upgrade the server without having to decrypt and re-encrypt the drives. Once the system hardware is changed, a new hardware "fingerprint" is taken and the BitLocker key is changed accordingly. Suspend can be a huge timesaver when system hardware changes must occur.
If you want to stop using BitLocker, it's best to turn the feature off using the Decrypt option. This will fully decrypt all data on the drive and effectively disable BitLocker.
Keep in mind that some software upgrades could require technicians to suspend or decrypt the drive before installation. Otherwise, software updates might cause unexpected changes to the system "fingerprint," resulting in disk access problems. It's best to review any upgrade notes regarding BitLocker interaction before attempting software upgrades on an encrypted server.
To answer your second question, a recovery password and a recovery key are one and the same.
When a server is configured for BitLocker, an emergency access method is usually established at the same time. For example, emergency access might be needed if the TPM has problems verifying hardware integrity and the system refuses to boot. If this occurs, a technician must provide a recovery key (sometimes called a "recovery password") to access the encrypted drive. A recovery key is a 48-digit code typed into the BitLocker recovery dialog or read from a USB flash drive, restoring access to the encrypted disk and the server.
Encryption is increasingly important as organizations opt to protect their sensitive data. Windows Server 2012 and Windows 8 administrators can deploy BitLocker to provide that protection, encrypting the computer's local disk as-needed and even binding the encrypted data to a unique piece of hardware. IT administrators will need to understand the hardware and software requirements for BitLocker, recognize the performance overhead that encryption imposes and plan for encryption key recovery contingencies.
Dig Deeper on Windows Server and Network Security
Related Q&A from Stephen J. Bigelow
In this round of Ask the Expert, Stephen Bigelow discusses the requirements of a vSphere 6 Web Client deployment.continue reading
There are nine Exchange 2016 mailbox properties that administrators can configure, such as a user's email address. Admins can also specify custom ...continue reading
Our team carefully selected our EBS volumes, but our application performance is still slow. How can we improve Amazon EBS performance?continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.