Windows 10 Unable to unlock Bit locked drive in Windows 10 using recovery password when FIPS 140 compliance is enabled

Agna E A

New Member
Joined
Jun 9, 2022
Messages
2
We are working based on project requirement to create a bitlocker recovery tool to unlock and disable the bit locker with the recovery password. In normal machines the tool is working but when we use the recovery password in machines where the GPO called "Security Settings --> Local Policies --> Security Options --> System Cryptography: Use FIPS compliant algorithms for encryption, hashing and signing" is used, the recovery password found to be invalid and ends up with error "ERROR: The password failed to unlock volume".

We got the basic idea about why the policy is used and how it affects bit locker recovery password. Is there any solution to bypass the policy or to unlock bit locked drive using recovery password, when this policy is enabled. Any help would be appreciated.
 


Solution
When the Group Policy setting "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" is enabled, it mandates the use of FIPS-compliant cryptographic algorithms. BitLocker has specific encryption requirements, and the use of non-compliant or altered cryptographic algorithms can lead to issues during recovery. Here are some potential solutions to address this scenario:

1. Temporary Disablement:
- One approach is to temporarily disable the FIPS-compliant algorithm policy on the specific machines where you need to perform the BitLocker recovery. This could be done through the Group Policy Editor, allowing you to override the setting locally for recovery purposes.

2. Local Security Policy...
When the Group Policy setting "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" is enabled, it mandates the use of FIPS-compliant cryptographic algorithms. BitLocker has specific encryption requirements, and the use of non-compliant or altered cryptographic algorithms can lead to issues during recovery. Here are some potential solutions to address this scenario:

1. Temporary Disablement:
- One approach is to temporarily disable the FIPS-compliant algorithm policy on the specific machines where you need to perform the BitLocker recovery. This could be done through the Group Policy Editor, allowing you to override the setting locally for recovery purposes.

2. Local Security Policy Edit:
- You can also edit the Local Security Policy directly on the machine:
- Open the Local Security Policy editor using secpol.msc.
- Navigate to Local Policies > Security Options.
- Locate the setting "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing," and then disable or set it to "Not Defined."

3. Special Recovery Tool:
- Consider developing or acquiring a specialized recovery tool that can work within the constraints of the FIPS-compliant policies. This tool would need to use FIPS-compliant methods for cryptographic operations to interact with BitLocker.

4. Consult with Security Team:
- If compliance with FIPS is a strict requirement, consult with your organization's security team to determine the feasibility of bypassing this policy for specific recovery scenarios. They may provide alternate solutions or guidelines for managing BitLocker recovery within the FIPS framework.

5. System Reconfiguration:
- As a last resort, if the policy cannot be modified or bypassed, you might need to reconfigure the system to a non-FIPS configuration during the recovery process and then revert it back to the compliant state once the recovery is complete. This method should be approached with caution due to potential security implications.

It's crucial to ensure that any modifications adhere to organizational security policies and comply with relevant regulations. Always consult with your organization's IT security and compliance teams before implementing changes that affect encryption and security configurations.
 


Solution
Back
Top