Reshuffle bitlocker recovery keys

Eliesa Rigamoto 0 Reputation points
2025-03-07T02:37:55.69+00:00

Hi

How do I reshuffle recovery keys every certain number of days to ensure that the keys are periodically changed and updated for security purposes?


2 answers

  1. XinGuo-MSFT 21,751 Reputation points
    2025-03-07T06:41:52.6566667+00:00

    Hi,

    To reshuffle BitLocker recovery keys periodically, you can use a combination of PowerShell scripts and Task Scheduler in Windows.

    Here’s a step-by-step guide to achieve this:

    Step 1: Create a PowerShell Script to Rotate BitLocker Recovery Keys

    1. Open a text editor and create a new PowerShell script file (e.g., RotateBitLockerKeys.ps1).
    2. Add the following script to the file:
    # Get all BitLocker volumes that currently have protection on
    $bitlockerVolumes = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }

    foreach ($volume in $bitlockerVolumes) {
        $mount = $volume.MountPoint

        # Select the existing recovery password protector(s) by type; KeyProtector[0]
        # is usually the TPM protector and cannot be backed up to AD or rotated
        $oldProtectors = $volume.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

        # Add a new recovery password protector first, so the volume never lacks one.
        # Add-BitLockerKeyProtector returns the volume, not the protector, so re-read it.
        $null = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
        $newProtector = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                           $_.KeyProtectorId -notin $oldProtectors.KeyProtectorId }

        # Back up the NEW recovery key to Active Directory (if applicable); stop here
        # if that fails so the old, already escrowed key is not removed
        try {
            Backup-BitLockerKeyProtector -MountPoint $mount `
                -KeyProtectorId $newProtector.KeyProtectorId -ErrorAction Stop
        } catch {
            Write-Warning "AD backup failed for ${mount}; keeping old protector(s). $_"
            continue
        }

        # Remove the old recovery key protector(s) only after the new one is escrowed
        foreach ($old in $oldProtectors) {
            Remove-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $old.KeyProtectorId
        }

        # Output the new recovery key
        Write-Output "New recovery key for ${mount}: $($newProtector.RecoveryPassword)"
    }

    Step 2: Save the Script

    Save the script with the name RotateBitLockerKeys.ps1.

    Step 3: Create a Scheduled Task to Run the Script Periodically

    1. Open Task Scheduler.
    2. Click on Create Task in the right-hand pane.
    3. In the General tab, provide a name for the task (e.g., "Rotate BitLocker Recovery Keys").
    4. In the Triggers tab, click New to create a new trigger. Set the trigger to run at your desired interval (e.g., daily, weekly).
    5. In the Actions tab, click New to create a new action. Set the action to start a program and enter the following in the Program/script field:

       powershell.exe

       In the Add arguments (optional) field, enter the path to your script:

       -File "C:\Path\To\RotateBitLockerKeys.ps1"

    6. In the Conditions and Settings tabs, configure any additional options as needed.
    7. Click OK to create the task.

    Step 4: Test the Script

    Run the script manually to ensure it works correctly before relying on the scheduled task.
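    Step 3 can also be scripted rather than clicked through. The following is an added example, not code from the answer above, that registers the same task with the ScheduledTasks cmdlets; it assumes the rotation script was saved as C:\Scripts\RotateBitLockerKeys.ps1 (a placeholder path) and runs it as SYSTEM, which the BitLocker cmdlets need when no user is logged on.

```powershell
# Added example: register the rotation task from Step 3 with PowerShell instead of
# the Task Scheduler GUI. The script path is a placeholder; point it at wherever you
# saved RotateBitLockerKeys.ps1. Run from an elevated prompt (ScheduledTasks module).
$scriptPath = 'C:\Scripts\RotateBitLockerKeys.ps1'   # placeholder path, adjust
$taskName   = 'Rotate BitLocker Recovery Keys'

# Action: run the script non-interactively so a stuck prompt cannot hang the task
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""

# Trigger: every 30 days at 03:00 (choose the interval your policy requires)
$trigger = New-ScheduledTaskTrigger -Daily -DaysInterval 30 -At '03:00'

# Principal: SYSTEM with highest privileges, so Add-/Backup-/Remove-BitLockerKeyProtector
# run elevated even when nobody is logged on
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Settings: catch up if the machine was off at the scheduled time, and never let
# a second rotation start while one is still running
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 30) -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Verify: the task should be 'Ready' and have a NextRunTime; after the first run,
# LastTaskResult should be 0
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object NextRunTime, LastTaskResult
```

    Because the task runs as SYSTEM, nothing the script writes with Write-Output is seen by anyone; the Active Directory backup performed by the script is the record of the current key, so confirm it is present for each volume before trusting the rotation.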


  2. Welf Alberts 6 Reputation points
    2025-03-11T16:18:11.8066667+00:00

    @Anonymous Why would you want this? Truly, seeing "for security purposes" should say it all, but looking closer, you might not want to do this: to benefit from a change, you would fear that without changing, breaking in gets easier. Does it? No, the key is still as strong as before. If someone wanted to brute force the key, he would be in the position to have the drive in front of him and use cracking tools that use brute force. Would someone do this? Possibly yes. When could someone do this? Only when the drive is either dismounted or when he has access to a full memory dump (and for the latter he's required to be local admin already, making this attack futile). So look at the case that someone uses brute force on a dismounted drive. What would stop him? Can you change the recovery password on a dismounted drive? No. So the only scenario where a key shuffle makes any sense is if you fear an attacker that has physical access to the drive and dismounts it from time to time to attack it and remounts it again in between because his brute forcing didn't come to an end yet. Is this scenario realistic? No.

    Still: if you insist on doing it, take the script from https://www.windowspro.de/wolfgang-sommergut/wiederherstellungsschluessel-fuer-bitlocker-erneuern-alte-keys-aus-ad-loeschen

