IT tutorials

Windows 7 : BitLocker (part 4) - How to Disable or Remove BitLocker Drive Encryption, Troubleshooting BitLocker Problems

1/4/2014 8:41:40 PM

6. How to Disable or Remove BitLocker Drive Encryption

Because BitLocker intercepts the boot process and looks for changes to any of the early boot files, it can cause problems in the following nonattack scenarios:

  • Upgrading or replacing the motherboard or TPM

  • Installing a new operating system that changes the master boot record or the boot manager

  • Moving a BitLocker-encrypted disk to another TPM-enabled computer

  • Repartitioning the hard disk

  • Updating the BIOS

  • Third-party updates that occur outside the operating system (such as hardware firmware updates)

To avoid entering BitLocker recovery mode, you can disable BitLocker temporarily, which allows you to change the TPM and upgrade the operating system. When you re-enable BitLocker, the same encryption keys will be used. You can also choose to decrypt the BitLocker-protected volume, which will completely remove BitLocker protection. After decrypting, you can re-enable BitLocker only by repeating the process to create new keys and reencrypt the volume.

To disable BitLocker temporarily or decrypt the BitLocker-protected volume permanently, perform these steps:

  1. Log on to the computer as Administrator.

  2. From Control Panel, open BitLocker Drive Encryption.

  3. To disable BitLocker temporarily, click Suspend Protection for the volume that has BitLocker enabled; BitLocker then uses a clear key. To remove BitLocker completely, click Turn Off BitLocker.
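
The temporary-suspend path can also be driven with the built-in `manage-bde` tool. The script below is an added example, not part of the original article: it suspends protection before a change such as a BIOS update and, after the change, re-enables protection and confirms it is back on. The `-Action` and `-Volume` parameter names are assumptions of this example, and the status check assumes English `manage-bde` output.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell prompt.
param(
    [ValidateSet('Status', 'Suspend', 'Resume')]
    [string]$Action = 'Status',
    [string]$Volume = 'C:'    # assumption: the BitLocker-protected volume
)

function Get-ProtectionStatus([string]$Drive) {
    # Reads the "Protection Status:" line of manage-bde -status (English output assumed).
    foreach ($line in (& manage-bde.exe -status $Drive)) {
        if ($line -match 'Protection Status:\s*(.+)$') { return $Matches[1].Trim() }
    }
    throw "Could not read the BitLocker protection status for $Drive"
}

switch ($Action) {
    'Suspend' {
        if ((Get-ProtectionStatus $Volume) -ne 'Protection On') {
            throw "$Volume is not currently protected; nothing to suspend."
        }
        # The data stays encrypted, but a clear key stored on the disk unlocks the
        # volume without TPM checks, so the disk is effectively unprotected.
        & manage-bde.exe -protectors -disable $Volume | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -disable failed ($LASTEXITCODE)" }
        Write-Warning "$Volume is suspended. Make the change, then run this script with -Action Resume."
    }
    'Resume' {
        # Re-enabling reuses the existing encryption keys; no re-encryption takes place.
        & manage-bde.exe -protectors -enable $Volume | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -enable failed ($LASTEXITCODE)" }
        $status = Get-ProtectionStatus $Volume
        if ($status -ne 'Protection On') { throw "Expected 'Protection On' but found '$status'" }
        Write-Host "$Volume protection is restored."
    }
    default {
        Write-Host "$Volume status: $(Get-ProtectionStatus $Volume)"
    }
}
```

Suspension persists across restarts until protection is re-enabled, so the Resume step belongs in the same change procedure as the update itself. Permanent decryption, the Turn Off BitLocker path, corresponds to `manage-bde -off` and is not covered by this script.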

7. Troubleshooting BitLocker Problems

Several common BitLocker problems are actually "features." The problems occur because BitLocker is designed to provide protection from specific types of attacks. Legitimate uses often resemble those attacks, causing BitLocker to refuse to allow the computer to start or the BitLocker encryption to prevent you from accessing files:

  • The operating system fails to start in a dual-boot configuration. You can dual-boot a computer after enabling BitLocker. However, the second operating system instance must be configured on a different partition. You cannot dual-boot to a second operating system installed on the same partition.

  • The operating system fails to start if you move the hard disk to a different computer. BitLocker is designed to protect data from offline attacks, such as attacks that bypass operating system security by connecting the hard disk to a different computer. The new computer will be unable to decrypt the data (even if it has a TPM chip in it). Before moving a BitLocker-encrypted disk to a different computer, disable BitLocker. Re-enable BitLocker after transferring the disk. Alternatively, you can use the recovery key to start Windows after moving the hard disk to the new computer.

  • The data on the hard disk is unreadable using standard disk recovery tools. For the same reasons stated in the previous bullet point, BitLocker files are unreadable using standard disk recovery tools. Someday, recovery tools that support decrypting BitLocker files using a recovery key might be available. As of the time of this writing, your only opportunity for recovering BitLocker-encrypted files is to start Windows 7 using the BitLocker recovery key. For this reason, it is very important to regularly back up BitLocker-encrypted volumes.

Practice: Encrypt and Recover Encrypted Data

In this practice, you simulate the recovery of a lost EFS encryption certificate.

EXERCISE 1 Encrypt Data

In this exercise, you encrypt a file. Windows 7 automatically generates an EFS key if you don't already have one.

  1. Log on to a computer running Windows 7 as a standard user.

  2. Create a file named Encrypted.txt in your Documents folder.

  3. Right-click the Encrypted.txt file, and then click Properties.

  4. On the General tab of the Properties dialog box, click Advanced.

  5. Select the Encrypt Contents To Secure Data check box, and then click OK twice.

  6. In the Encryption Warning dialog box, select Encrypt The File Only, and then click OK.

    Notice that Windows Explorer displays the Encrypted.txt file in green.

  7. Double-click the Encrypted.txt file to open it in Microsoft Notepad. Then add the text "This file is encrypted." Save the file and close Notepad.

  8. Double-click the file to verify that you can open it, and then close Notepad again.

Now you have encrypted a file, and no user can access it without your EFS key.

EXERCISE 2 Back Up an EFS Key

In Exercise 1, you encrypted a file. In this exercise, you back up the EFS key that was generated automatically when you encrypted the file. Then you delete the original key and determine whether you can access the EFS-encrypted file. To complete this practice, you must have completed Exercise 1.

  1. Click Start, and then click Control Panel.

  2. Click the User Accounts link twice.

  3. In the left pane, click the Manage Your File Encryption Certificates link.

    The Encrypting File System Wizard appears.

  4. On the Manage Your File Encryption Certificates page, click Next.

  5. On the Select Or Create A File Encryption Certificate page, leave the default certificate (your EFS certificate) selected, and then click Next.

  6. On the Back Up The Certificate And Key page, click Browse and select the Documents folder. For the file name, type EFS-cert-backup.pfx. Click Save, and then type a complex password in the Password and Confirm Password fields. Click Next.

  7. If the Update Your Previously Encrypted Files page appears, leave all check boxes cleared and then click Next.

  8. On the Encrypting File System page, click Close.

  9. In Windows Explorer, open your Documents folder and verify that the EFS certificate was exported correctly.

    Now that you have backed up your EFS key, you can lose it safely. Simulate a corrupted or lost key by following these steps to delete it:

  10. Click Start, type mmc, and then press Enter to open a blank MMC.

  11. Click File, and then click Add/Remove Snap-in.

  12. Select Certificates and click Add.

  13. Select My User Account, and then click Finish.

  14. Click OK.

  15. Expand Certificates – Current User, expand Personal, and then select Certificates.

  16. In the middle pane, right-click your EFS certificate, and then click Delete.

  17. In the Certificates dialog box, click Yes to confirm that you want to delete the certificate.

  18. Log off the current desktop session and then log back on. Windows 7 caches the user's EFS certificate. Thus, if you remained logged on, you would still be able to open your encrypted file.

  19. Open the Documents folder and double-click the Encrypted.txt file. Notepad should appear and display an "Access is denied" error message. This indicates that the file is encrypted but you don't have a valid EFS certificate.
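
Before deleting the certificate in step 16, it is worth confirming that the exported .pfx really holds the key the file is encrypted to. The script below is an added example, not part of the original exercise: it compares the certificate thumbprints that `cipher /c` reports for Encrypted.txt with the certificate inside EFS-cert-backup.pfx. The parameter names are assumptions of this example, the default paths follow the exercise, and the parsing assumes English `cipher` output.

```powershell
# Added example, not from the original exercise. Run as the user who encrypted the file.
param(
    [string]$EncryptedFile = "$env:USERPROFILE\Documents\Encrypted.txt",
    [string]$PfxPath       = "$env:USERPROFILE\Documents\EFS-cert-backup.pfx"
)

function Get-EfsThumbprints([string]$Path) {
    # cipher /c lists every certificate that can decrypt the file
    # (assumed English output: "Certificate thumbprint: XXXX XXXX ...").
    $found = @()
    foreach ($line in (& cipher.exe /c $Path)) {
        if ($line -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') {
            $found += ($Matches[1] -replace '\s', '').ToUpper()
        }
    }
    return $found
}

$fileThumbs = @(Get-EfsThumbprints $EncryptedFile)
if ($fileThumbs.Count -eq 0) {
    throw "No EFS certificate thumbprint reported for $EncryptedFile"
}

# Open the backup in memory only; nothing is added to the certificate store.
$password = Read-Host -AsSecureString "Password for $PfxPath"
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $password)

if (-not $pfx.HasPrivateKey) {
    Write-Warning "The backup contains a certificate but no private key; it cannot decrypt files."
}
elseif ($fileThumbs -notcontains $pfx.Thumbprint) {
    Write-Warning "The backup certificate $($pfx.Thumbprint) is not one the file is encrypted to."
}
else {
    Write-Host "The backup holds the private key for $($pfx.Thumbprint), which can decrypt $EncryptedFile."
}
```

A backup stored in the same Documents folder as the encrypted file is lost along with the profile, so copy the verified .pfx to separate, protected storage.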

EXERCISE 3 Recover Encrypted Data

In this exercise, you recover a lost EFS key and use it to access encrypted data. To complete this exercise, you must have completed Exercises 1 and 2.

  1. In the Documents folder, double-click the EFS-cert-backup.pfx file that you created in Exercise 2.

    The Certificate Import Wizard appears.

  2. On the Welcome To The Certificate Import Wizard page, click Next.

  3. On the File To Import page, click Next.

  4. On the Password page, type the password you assigned to the certificate. Then click Next.

  5. On the Certificate Store page, click Next.

  6. On the Completing The Certificate Import Wizard page, click Finish.

  7. Click OK to confirm that the import was successful.

  8. Open the Documents folder and double-click the Encrypted.txt file. Notepad should appear and display the contents of the file, indicating that you successfully recovered the EFS key and can now access encrypted files.
