The recovery password for Windows BitLocker is not FIPS-compliant in Windows Vista and in Windows Server 2008

In Windows Vista and in Windows Server 2008, the recovery password for Windows BitLocker Drive Encryption is not Federal Information Processing Standards (FIPS)-compliant. Therefore, you may encounter the following issues when the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy setting is enabled.


Issue 1

When you manually add a recovery password at a command prompt, you receive the following error message:

The numerical password was not added. The FIPS Group Policy setting on the computer prevents recovery password creation.


Issue 2

When you try to encrypt a drive on which BitLocker recovery passwords are required, you cannot encrypt the drive as expected. Additionally, you receive the following error message:

Cannot Encrypt Disk. Policy requires a password which is not allowed with the current security policy about use of FIPS algorithms.


Issue 3

When you encrypt a drive, a recovery key is created, but no recovery password is created as a key protector.


Issue 4

A recovery password is not archived in the Active Directory directory service.


MORE INFORMATION

A BitLocker recovery password has 48 digits. This password is not FIPS-compliant. Therefore, if you enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy setting, you cannot create or unlock a drive by using a recovery password. However, a BitLocker recovery key is FIPS-compliant because it has additional entropy. Therefore, a recovery key is not affected by this Group Policy setting.

To disable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy setting, follow these steps:

1. Click Start, type gpedit.msc in the Start Search box, and then click OK.

Note If you are prompted for an administrator password or for confirmation, type the password, or provide confirmation.

2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
3. In the details pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, click Disable, and then click OK.

Note This Group Policy setting may be configured by an administrator to be automatically applied from a domain controller. In this situation, you cannot disable this setting locally.
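To check a machine for the condition this article describes before encrypting or during an audit, the following PowerShell script (an added example, not part of the Knowledge Base article) reads the effective FIPS policy value from the registry and asks the BitLocker WMI provider (Win32_EncryptableVolume) whether the volume has a recovery password (numerical password) protector and a recovery key (external key) protector. It assumes an elevated prompt on a Vista or Server 2008 system with the BitLocker WMI provider present; the drive letter C: is a placeholder.

```powershell
# Added example: audit FIPS policy state and BitLocker key protectors.
# Not from the KB article. Run from an elevated PowerShell prompt.

function Get-FipsPolicyEnabled {
    # The "System cryptography: Use FIPS compliant algorithms..." policy is
    # stored here. Enabled = 1 means it is on, whether set locally or pushed
    # from a domain controller.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $item = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.Enabled -eq 1)
}

function Get-ProtectorCount($result) {
    # GetKeyProtectors returns VolumeKeyProtectorID as an array of GUID strings;
    # it comes back as $null when there are no protectors of that type.
    if ($result.ReturnValue -ne 0) { throw "GetKeyProtectors failed: $($result.ReturnValue)" }
    if ($result.VolumeKeyProtectorID -eq $null) { return 0 }
    return @($result.VolumeKeyProtectorID).Count
}

function Get-BitLockerProtectorSummary {
    param([string]$DriveLetter = 'C:')   # placeholder drive letter
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if ($vol -eq $null) { throw "No BitLocker-capable volume found for $DriveLetter" }
    # KeyProtectorType 3 = numerical (recovery) password, 2 = external key (recovery key)
    return @{
        Drive             = $DriveLetter
        RecoveryPasswords = Get-ProtectorCount ($vol.GetKeyProtectors(3))
        RecoveryKeys      = Get-ProtectorCount ($vol.GetKeyProtectors(2))
    }
}

$fips    = Get-FipsPolicyEnabled
$summary = Get-BitLockerProtectorSummary -DriveLetter 'C:'

Write-Output ("FIPS policy enabled : {0}" -f $fips)
Write-Output ("Recovery passwords  : {0}" -f $summary.RecoveryPasswords)
Write-Output ("Recovery keys       : {0}" -f $summary.RecoveryKeys)

if ($fips -and $summary.RecoveryPasswords -eq 0) {
    # This is the state behind Issues 1-4: no numerical password protector can
    # be created while the policy is on, so none is archived in Active Directory.
    Write-Warning "FIPS policy is on and $($summary.Drive) has no recovery password protector; recovery-password creation and its AD backup will fail until the policy is disabled or a recovery key is relied on instead."
}
```

A non-zero RecoveryKeys count with zero RecoveryPasswords on a FIPS-enabled machine is the expected outcome described under Issue 3, not a BitLocker failure.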



APPLIES TO
Windows Vista Enterprise 64-bit Edition
Windows Vista Ultimate 64-bit Edition
Windows Vista Enterprise
Windows Vista Ultimate
Windows Server 2008, Datacenter
Windows Server 2008 for Itanium-Based Systems


Microsoft Knowledge Base Article

This article's contents are Microsoft copyrighted material.
Microsoft Corporation. All rights reserved.

