Article ID: 947249 - Last Review: January 24, 2008 - Revision: 1.2

The recovery password for Windows BitLocker is not FIPS-compliant in Windows Vista and in Windows Server 2008

View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.

On This Page

Expand all | Collapse all

INTRODUCTION

In Windows Vista and in Windows Server 2008, the recovery password for Windows BitLocker Drive Encryption is not Federal Information Processing Standards (FIPS)-compliant. Therefore, you may encounter the following issues when the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy setting is enabled.
Back to the top

Issue 1

When you manually add a recovery password at a command prompt, you receive the following error message:
The numerical password was not added. The FIPS Group Policy setting on the computer prevents recovery password creation.
Back to the top

Issue 2

When you try to encrypt a drive on which BitLocker recovery passwords are required, you cannot encrypt the drive as expected. Additionally, you receive the following error message:
Cannot Encrypt Disk. Policy requires a password which is not allowed with the current security policy about use of FIPS algorithms.
Back to the top

Issue 3

When you encrypt a drive, a recovery key is created, but no recovery password is created as a key protector.
Back to the top

Issue 4

A recovery password is not archived in the Active Directory directory service.
Back to the top

MORE INFORMATION

A BitLocker recovery password has 48 digits. This password is not FIPS-compliant. Therefore, if you enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy setting, you cannot create or unlock a drive by using a recovery password. However, a BitLocker recovery key is FIPS-compliant because it has additional entropy. Therefore, a recovery key is not affected by this Group Policy setting.

To disable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy setting, follow these steps:
  1. Click Start, type gpedit.msc in the Start Search box, and then click OK.

    Note If you are prompted for an administrator password or for confirmation, type the password, or provide confirmation.
  2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
  3. In the details pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, click Disable, and then, click OK.

    Note This Group Policy setting may be configured by an administrator to be automatically applied from a domain controller. In this situation, you cannot disable this setting locally.
Back to the top
APPLIES TO
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
  • Windows Vista Enterprise
  • Windows Vista Ultimate
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Standard
Back to the top
Keywords: 
kbexpertiseadvanced kbinfo KB947249
Back to the top