
MS Windows Recovery screen (or the OS installer disk) might ask you for the recovery key only, but you can unlock the drive manually with the password as well! I had to do that a week ago after a disk clone gone wrong, so in case someone steps on the same issue (this here is tested with Win 10, but it should be just the same for W11 and Server):

1. Boot the affected machine from the Windows installer disk

2. Use "Repair options"

3. Click through to the option to spawn a shell

4. It will now ask you to unlock the disk with a recovery key. SKIP THAT.

5. In the shell, type: "manage-bde -unlock C: -Password", enter the password

6. The drive is unlocked, now go and execute whatever recovery you have to do.

Good luck.
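The steps above as a recovery-prompt script (an added example, not part of the original comment): it lists the volume's key protectors first, because `-Password` only works when a password protector exists, and otherwise falls back to the recovery key. Assumptions: the locked volume is C:, `manage-bde` prints its English labels, and `%TEMP%` is writable.

```bat
@echo off
rem Added example for the recovery command prompt; save as a .cmd file and run it.
rem Assumption: the locked volume is C: (the letter can differ in the recovery environment).
set VOL=C:
set OUT=%TEMP%\protectors.txt

rem List the key protectors stored in the volume's BitLocker metadata.
manage-bde -protectors -get %VOL% > "%OUT%"
if errorlevel 1 goto noread
type "%OUT%"

rem A line starting with "Password:" is the password protector.
rem "Numerical Password:" is the 48-digit recovery key and is not matched by this pattern.
findstr /R /C:"^ *Password:" "%OUT%" > nul
if errorlevel 1 goto recovery

echo Password protector found, unlocking with the password.
manage-bde -unlock %VOL% -Password
goto done

:recovery
echo No password protector on %VOL%, the recovery key is required.
set /p RK=48-digit recovery key: 
manage-bde -unlock %VOL% -RecoveryPassword %RK%
goto done

:noread
echo Could not read protectors on %VOL%. Check drive letters with: manage-bde -status
exit /b 1

:done
rem Lock Status in this output shows whether the unlock succeeded.
manage-bde -status %VOL%
```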



On my corporate Windows 11 22H2, "manage-bde -unlock C: -Password" does not unlock the disk with the user key. I guess it needs the recovery key as well.


Don’t you need more options if the key is in a TPM, or there is a password but it’s only part of the key?

Can you even get the secret from the TPM in recovery mode?


> Can you even get the secret from the TPM in recovery mode?

Given that you can (relatively trivially) sniff the TPM communication to obtain the key [1], yes it should be possible. Can't verify it though as I've long ago switched to Mac for my primary driver and the old cheesegrater Mac I use as a gaming rig doesn't have a hardware TPM chip.

[1] https://pulsesecurity.co.nz/articles/TPM-sniffing


TPMs embedded in the processor (fTPM) are pretty popular and it's a lot harder to sniff communications that stay inside the cpu.


Yeah, I don't need an attack on a weak system, I mean the authorized legal normal way of unlocking BL from Windows when you have the right credentials. Windows might not be able to unlock BitLocker with just your password.

I don't know how common it is to disable TPM-stored keys in companies, but on personal licenses, you need group policy to even allow that.

Although this is moot if Windows recovery mode is accepted as the right system by the TPM. But aren't permissions/privileges a bit neutered in that mode?



