I am automating the installation of BitLocker. As part of this task, a Recovery Password is being added. Instead of using the auto-generated password I want to provide my own password. However, not all password combinations seem to be valid.
This command line fails
Add-BitLockerKeyProtector -MountPoint D -RecoveryPasswordProtector -RecoveryPassword '123456-123456-123456-123456-123456-123456-123456-123456'
while this command line works fine
Add-BitLockerKeyProtector -MountPoint D -RecoveryPasswordProtector -RecoveryPassword '531058-303050-716078-383614-460922-106975-083446-139161'
The error message I get is the following one
Add-RecoveryPasswordProtectorInternal : The format of the recovery password provided is invalid.
BitLocker recovery passwords are 48 digits.
Verify that the recovery password is in the correct format and then try again.
(Exception from HRESULT: 0x80310035) At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:2052 char:31
+ ... $Result = Add-RecoveryPasswordProtectorInternal $BitLockerVolumeInt ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Add-RecoveryPasswordProtectorInternal
Does anybody know what makes such a password valid?
Each block of 6 digits must be exactly divisible by 11. There is a System Integrity Team Blog entry that explains why:
When we create the recovery password, we start with a random 128-bit key, which we split into eight groups of 16 bits. Each group contains 16 bits of entropy, and can be written as a value between 0 and (2^16 - 1). We take this value and multiply it by 11. The range of values this now describes is from 0 to 11 x (2^16 - 1) (0 thru 720885). Notice that only 1 in 11 of the outputs are now 'valid' values. We pad with zeros, and write this as a six-digit value. This value still contains the original 16 bits of entropy, but now distributed over a larger range. We repeat the process for the other seven blocks, producing a 48 digit password.
When a user is entering the key, we accept it 6 digits at a time, and then check to see if the number they just entered is exactly divisible by 11. If it is then we know it might form part of the key - if it doesn't then we know for sure it isn't a valid block. This guards against swapped digits, mis-entered numbers, etc., and we can safely report the entry error to the user.
Source: BitLocker recovery password details – System Integrity Team Blog
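The following PowerShell is an added example, not part of the question or the answer above, and not code from the BitLocker module. It turns the rule quoted from the blog into a pre-check you can run before calling Add-BitLockerKeyProtector, and it reproduces the construction (128 random bits, eight 16-bit groups, each multiplied by 11 and zero-padded to six digits) so you can generate your own password in the format BitLocker accepts. Besides the divisibility-by-11 test, it also checks the upper bound the quoted construction implies: a group divided by 11 must fit in 16 bits, so no group can exceed 720885. The function names and the output shape are this example's own choices; nothing in it touches BitLocker itself.

```powershell
# Added example: validate and generate BitLocker recovery passwords following
# the construction quoted from the System Integrity Team Blog. Function names
# (Test-/New-BitLockerRecoveryPassword) are illustrative, not part of the
# BitLocker module.

function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)][string]$Password)

    # Accept the dashed form or 48 bare digits.
    $digits = $Password -replace '-', ''
    if ($digits -notmatch '^\d{48}$') {
        return [pscustomobject]@{ Valid = $false; Reason = 'Password must contain exactly 48 digits (8 groups of 6)' }
    }

    for ($i = 0; $i -lt 8; $i++) {
        # [int] drops the leading zeros, e.g. "083446" -> 83446.
        $group = [int]$digits.Substring($i * 6, 6)

        # Each group is a 16-bit value multiplied by 11 ...
        if ($group % 11 -ne 0) {
            return [pscustomobject]@{ Valid = $false; Reason = "Group $($i + 1) ($group) is not divisible by 11" }
        }
        # ... so the group itself can be at most 11 * 65535 = 720885.
        if ($group -gt 720885) {
            return [pscustomobject]@{ Valid = $false; Reason = "Group $($i + 1) ($group) exceeds 720885, so it does not encode a 16-bit value" }
        }
    }
    [pscustomobject]@{ Valid = $true; Reason = 'OK' }
}

function New-BitLockerRecoveryPassword {
    # 128 random bits from the platform CSPRNG; works on Windows PowerShell 5.1 and PowerShell 7.
    $bytes = [byte[]]::new(16)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)

    # Split into eight 16-bit groups, multiply each by 11, zero-pad to six digits.
    $groups = for ($i = 0; $i -lt 8; $i++) {
        $value = [System.BitConverter]::ToUInt16($bytes, $i * 2)   # 0..65535
        ([int]$value * 11).ToString('D6')                           # 000000..720885
    }
    $groups -join '-'
}

# The two passwords from the question: the first fails on group 1, the second passes.
Test-BitLockerRecoveryPassword '123456-123456-123456-123456-123456-123456-123456-123456'
Test-BitLockerRecoveryPassword '531058-303050-716078-383614-460922-106975-083446-139161'

# Generate a fresh one and confirm it satisfies the same rule before handing it to BitLocker.
$candidate = New-BitLockerRecoveryPassword
$candidate
Test-BitLockerRecoveryPassword $candidate
```

For the failing command in the question, 123456 leaves a remainder of 3 when divided by 11, which is exactly why the module rejects it, while every group of the working password is a multiple of 11 (531058 = 11 x 48278, 303050 = 11 x 27550, and so on). Passing the format check is not the same as being a good password: the recovery password is a 128-bit key written in decimal, so a hand-picked or patterned value that happens to satisfy the rule would still be a weak key. Generate the 16-bit groups from a cryptographic random source, as the function above does, or let BitLocker generate the protector and read it back from Get-BitLockerVolume.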
User contributions licensed under CC BY-SA 3.0