If I stop using BitLocker, is it better to suspend it or decrypt the drive? And what is the difference between a BitLocker recovery password and a BitLocker recovery key?
Suspend and Decrypt are two different BitLocker operations in Windows Server 2012, and they serve different purposes.
The Suspend option is used in conjunction with trusted platform module (TPM) capabilities. This keeps the disk encrypted but exposes the BitLocker key, which allows technicians to retrofit or upgrade the server without having to decrypt and re-encrypt the drives. Once the system hardware is changed, a new hardware "fingerprint" is taken and the BitLocker key is changed accordingly. Suspend can be a huge timesaver when system hardware changes must occur.
If you want to stop using BitLocker, it's best to turn the feature off using the Decrypt option. This will fully decrypt all data on the drive and effectively disable BitLocker.
Keep in mind that some software upgrades could require technicians to suspend or decrypt the drive before installation. Otherwise, software updates might cause unexpected changes to the system "fingerprint," resulting in disk access problems. It's best to review any upgrade notes regarding BitLocker interaction before attempting software upgrades on an encrypted server.
To answer your second question, a recovery password and a recovery key are one and the same.
When a server is configured for BitLocker, an emergency access method is usually established at the same time. For example, emergency access might be needed if the TPM has problems verifying hardware integrity and the system refuses to boot. If this occurs, a technician must provide a recovery key (sometimes called a "recovery password") to access the encrypted drive. A recovery key is a 48-digit code typed into the BitLocker recovery dialog or read from a USB flash drive, restoring access to the encrypted disk and the server.
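The suspend-for-maintenance and decrypt-to-retire workflows above, plus the recovery password check that should precede any hardware change, as an added PowerShell example (not from this column). It assumes the BitLocker PowerShell module shipped with Windows Server 2012 / Windows 8 and an encrypted OS volume mounted at C:.

```powershell
# Added example: choose between suspending (hardware/firmware change ahead)
# and fully decrypting (retiring BitLocker). Assumes the BitLocker module and
# an encrypted volume at C:; run from an elevated PowerShell session.
param(
    [string]$MountPoint = 'C:',
    [ValidateSet('Suspend', 'Decrypt')][string]$Mode = 'Suspend'
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# 1. Before touching hardware, make sure a recovery password protector exists.
#    If the TPM refuses to release the key after the change, this 48-digit
#    value is what the recovery dialog asks for, so record it off-host.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
"Recovery password for $MountPoint (store securely, off this server): $($rp.RecoveryPassword)"
# Optional: escrow the protector in Active Directory (needs the AD BitLocker schema/policy).
# Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

if ($Mode -eq 'Suspend') {
    # 2a. Data stays encrypted, but the volume key is exposed so the next boot
    #     does not depend on the TPM measurements. RebootCount bounds the window:
    #     protection resumes automatically after that many restarts.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    "BitLocker suspended on $MountPoint for one reboot; apply the change and restart."
    # After the restart, confirm protection came back with the new hardware
    # fingerprint and resume explicitly if it did not:
    #   if ((Get-BitLockerVolume -MountPoint 'C:').ProtectionStatus -ne 'On') {
    #       Resume-BitLocker -MountPoint 'C:'
    #   }
}
else {
    # 2b. Retiring BitLocker: decryption runs in the background, so poll until
    #     the volume reports FullyDecrypted before treating the drive as plain.
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    do {
        Start-Sleep -Seconds 30
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        "Decrypting $MountPoint : $($vol.EncryptionPercentage)% still encrypted"
    } while ($vol.VolumeStatus -ne 'FullyDecrypted')
    "BitLocker is off on $MountPoint; the recovery password above is no longer needed."
}
```

Note that a suspended volume still boots without any PIN or TPM check, so keep the RebootCount small and verify ProtectionStatus is back to On before returning the server to service.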
Encryption is increasingly important as organizations opt to protect their sensitive data. Windows Server 2012 and Windows 8 administrators can deploy BitLocker to provide that protection, encrypting the computer's local disk as needed and even binding the encrypted data to a unique piece of hardware. IT administrators will need to understand the hardware and software requirements for BitLocker, recognize the performance overhead that encryption imposes and plan for encryption key recovery contingencies.