4. How to Manage BitLocker Keys on a Local Computer
To manage keys on the local computer, follow these steps:
- Open Control Panel and click the System And Security link. Under BitLocker Drive Encryption, click the Manage BitLocker link.
- In the BitLocker Drive Encryption window, click Manage BitLocker.
Using this tool, you can perform the following actions (which vary depending on the authentication type chosen):
- Save Or Print Recovery Key Again: Provides the following options:
- Duplicate The Startup Key: When you use a USB startup key for authentication, this allows you to create a second USB startup key with an identical key.
- Reset The PIN: When you use a PIN for authentication, this allows you to change the PIN.
To manage BitLocker from an elevated command prompt or from a remote computer, use the Manage-bde tool, which replaces the Manage-bde.wsf script in Windows Vista. For example, to view the current BitLocker configuration, run manage-bde -status. The following example demonstrates the configuration of a computer with one decrypted data drive and one encrypted system drive:
manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume E: [Flash]
[Data Volume]

    Size:                 0.12 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Automatic Unlock:     Disabled
    Key Protectors:       None Found

Volume C: []
[OS Volume]

    Size:                 126.90 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        External Key
        Numerical Password
For detailed information about how to use Manage-bde, run
manage-bde -? at a command prompt.
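Added example (not part of the original text): a small Python script that parses the manage-bde -status output quoted above and flags volumes a defender would want to look at, that is, volumes with protection off and protected volumes that have no Numerical Password protector, which is the recovery password you would need in recovery mode. The sample text is constructed from the output above, and the function and field names are my own, not Microsoft's.

```python
import re
# Constructed sample: the manage-bde -status output quoted on this page, trimmed to the fields used below.
SAMPLE_STATUS = """\
Volume E: [Flash]
[Data Volume]
    Conversion Status:    Fully Decrypted
    Protection Status:    Protection Off
    Key Protectors:       None Found
Volume C: []
[OS Volume]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
    Key Protectors:
        External Key
        Numerical Password
"""
VOLUME_RE = re.compile(r"^Volume ([A-Z]): \[(.*)\]$")

def parse_status(text):
    # Returns {drive letter: {field: value, "Key Protectors": [protector, ...]}} (names are my own).
    volumes, current, field = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = VOLUME_RE.match(line)
        if m:  # "Volume C: [label]" starts a new volume block
            current = volumes.setdefault(m.group(1), {"Label": m.group(2), "Key Protectors": []})
            field = None
        elif not line or current is None:  # banner lines before the first volume, blank lines
            continue
        elif line.startswith("[") and line.endswith("]"):  # "[OS Volume]" / "[Data Volume]"
            current["Type"] = line.strip("[]")
        elif ":" in line:
            field, value = [s.strip() for s in line.split(":", 1)]
            if field == "Key Protectors":  # "None Found", or protectors listed on the following lines
                current["Key Protectors"] = [] if value in ("", "None Found") else [value]
            else:
                current[field] = value
        elif field == "Key Protectors":  # indented protector names under "Key Protectors:"
            current["Key Protectors"].append(line)
    return volumes

def audit(volumes):
    # Findings: protection off, or protection on without a recovery password (Numerical Password) protector.
    findings = []
    for letter, v in sorted(volumes.items()):
        if v.get("Protection Status") != "Protection On":
            findings.append(f"{letter}: protection is off")
        elif "Numerical Password" not in v["Key Protectors"]:
            findings.append(f"{letter}: no recovery password protector")
    return findings
```

On a real computer, feed it the captured output of manage-bde -status instead of the embedded sample.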
5. How to Recover Data Protected by BitLocker
When you use BitLocker to protect the system partition, the partition will be locked if the encryption key is not available, causing BitLocker to enter recovery mode. Likely causes of the encryption key not being available include:
- One of the boot files is modified.
- BIOS is modified and the TPM disabled.
- The TPM is cleared.
- An attempt is made to boot without the TPM, PIN, or USB key being available.
- The BitLocker-encrypted disk is moved to a new computer.
After the drive is locked, you can boot only to recovery mode, as shown in Figure 3. On most
keyboards, you can use the standard number keys from 0–9. However,
on some non-English keyboards, you need to use the function keys by
pressing F1 for the digit 1, F2 for the digit 2, and so on, with F10
being the digit 0.
If you have the recovery key on a USB flash drive, you can
insert the recovery key and press the Esc key to restart the
computer. BitLocker reads the recovery key automatically during
startup.
If you cancel out of recovery, the Windows Boot Manager might
provide instructions for using Startup Repair to fix a startup
problem automatically. Do not follow these instructions; Startup
Repair cannot access the encrypted volume. Instead, restart the
computer and enter the recovery key.
As a last resort, you can use the BitLocker Repair Tool
(Repair-bde) to help recover data from an encrypted volume. The
BitLocker Repair Tool was a separate download for earlier versions
of Windows, but it is included in Windows 7 and Windows Server 2008
R2.
You can use the BitLocker Repair Tool to copy the decrypted
contents of an encrypted volume to a different volume. For example,
if you have used BitLocker to protect the D:\ data volume and the
volume has become corrupted, you might be able to use the BitLocker
Repair Tool to decrypt the contents and copy them to the E:\ volume,
if you can provide a recovery key or password. The following command would attempt
this (a recovery password is eight groups of six digits):
repair-bde D: E: -RecoveryPassword 111111-222222-333333-444444-555555-666666-777777-888888
You can also attempt to repair a volume without copying the data by using the -NoOutputVolume parameter, as the following command demonstrates:
repair-bde C: -NoOutputVolume -RecoveryKey D:\RecoveryKey.bek
If the system volume becomes corrupted, you can start Windows
7 Setup from the Windows 7 DVD, start the repair tools, and open a
command prompt to run the BitLocker Repair Tool. Alternatively, you
could attempt to mount the volume to a different computer and run
the BitLocker Repair Tool.
Note: BACKING UP ENCRYPTED DRIVES
Because it can be difficult or
impossible to recover a corrupted BitLocker-protected drive, it's
especially important to back up BitLocker-protected drives
regularly. Note, however, that your backups might not be encrypted
by default. This applies to system image backups, as well.
Although system image backups make a copy of your entire disk,
BitLocker functions at a lower level than system image backups.
Therefore, when system image backup reads the disk, it reads the
BitLocker-decrypted version of the disk.