While I have had zero problems with Vista or BitLocker in the three weeks I have been using BitLocker, a coworker was not so lucky. After I initially setup a Dell D620 for him, he added a 3rd party anti-virus program that immediately blue-screened his system. He then became our BitLocker-system-recovery-Guinea-pig.

It order to use safe mode and disable the offending application, BitLocker required him to provide his recovery keys. I chose to store the keys in a TrueCrypt volume on his USB drive. Decrypting the keys to make them available to BitLocker required access to another machine. Once he moved the necessary files from the TrueCrypt volume to the root of the USB disk, he was able to go into safe mode and disable the software without any other problems.

I do not recommend keeping your recovery keys on an unencrypted USB drive unless the drive itself is kept under lock and key. The disadvantage of using TrueCrypt (or any other encryption) to protect the recovery keys is that you must decrypt the files and place them in the root of your USB disk before BitLocker can use them. My next task is to setup a bootable WinPE environment on my USB key so I at least have a chance of decrypting my recovery keys without access to another system.

Tags: microsoft, bitlocker, vista, encryption, winpe