BitLocker doesn't save startup key to USB drive
- After encrypting a drive with BitLocker, I tried to save the startup key to a couple of different USB drives. The key simply will not save. I can save the recovery password to any of those drives, but saving the key produces nothing. Why might this be happening?
Réponses
- YES , Is USB boot support required for BitLocker to work correctly with a USB key? YES
- Thank you! This clarifies what I needed to know. In that case I won't try fighting the odds any further.
Toutes les réponses
- Check the bios of your computer , It sound like it may need a upgrade
- Why would that prevent the key from being saved if everything else can be written? This is not a TPM system, BTW -- I specifically edited Group Policy to allow a USB key to be used as the key module.
There are no other problems with this system's USB as far as I know -- I can read and write from drives with it just fine. It's just that it refuses to write the key certificate to the drive. let me look into that further for you.
- Thanks, it's appreciated.
Just so you know, I did try this with a variety of drives, formatted as FAT, FAT32 and NTFS. None of them worked, which leads me to think there's something else wrong. I have exactly the same problem.
There is no confirmation after pressing 'duplicate startup key on usb drive'.
The key is invisible on the USB drive.
Even though the startup key was copied to the USB key when Bitlocker was turned on the first time, Bitlocker will not recognize the key if it is in the drive when the computer boots.
Recovery works ok (thank god)
Asus z63A Sept/05 with 2006 BIOS
Thanks
Peter
- I suspect there's some problem that both of us are experiencing that's causing this.
One thing I can think of that might be out of the ordinary is that I used the newly-available BitLocker Drive Preparation tool to ready the system for use. So did I, but I don't think that would be the problem.
When enabling Bitlocker, after saving the Startup Key to the USB drive it asks for the 'Recovery USB' drive to be inserted.
I happened to have the recovery key on *another* USB drive and inserted that.
I think that Bitlocker then 'authenticates' all the components of the encryption system including that particular USB drive. So that could be my problem.
Since there was no 'requirement' for a recovery USB (could save to folder or print) I'm thinking that this is an error in terminology and that they mean the Startup USB Key.
Anyway I'm going to try to start Bitlocker (3rd time) tonight and I'll use the Startup USB Key when asked for the Recovery USB Key; and I'll let you know how it goes.
Well, I tried 3 x again last night but each time failed on reboot saying Bitlocker could not recognize my USB key. I followed the instructions exactly. I notice the instructions don't tell you when to take out a USB key, if that matters.
I had Bitlocker partially working previously with a different (old) USB key. Although it may have been booting by the Recovery key. It is confusing.
This key is new U3 2G FAT. Of course the new key seems to work fine in all other respects.
Most likely there is something amiss in my BIOS which is mucking up the works.
Unlikely that Asus will produce a new BIOS for an 18 month old machine, so I guess there was no reason for me to buy Ultimate after all.
Guess I'll start saving for a TPM machine in the future.
- can you boot your computer from a usb stick as a bios option ?
A 'removable drive' is offered in the pick list for boot order.
However, Bitlocker instructions state that the BIOS be set to boot first from the HD.
Maybe I'll try it with 'Removable drive' set as first pick.
- If you can boot from a usb drive that the 1st test for will usb work with bitlocker
- This machine is vintage 2006, so I'm fairly sure it supports booting from USB (although I haven't tried explicitly).
What I am confused about is this: Why would that prevent BitLocker from being able to save the encryption key to a USB drive when Windows is running? And on top of that, why does it fail silently with no error to indicate why it's not working? I guess that's my biggest source of confusion: I want to know why it's not working and what I can to do fix it if possible. I agree with Serdar, the lack of feedback as to whether the USB Key is saved is very confusing. Especially considering the critical nature of the KEY. For example, the consequences of someone thinking they had saved or copied a key, only to find out that this wasn't the case could be catastrophic.
With regard to my problems:
I changed the order of booting in the BIOS to favor 'removable device' (and then tried all other combinations of DVD/HD etc).
This enabled all the Bitlocker tests to be passed. However, it will not boot from the USB Startup Key.
This is another area of confusion. How is it the machine is not flagged by Bitlocker when it won't boot from the USB Startup key?
It will recover from another USB key with the recovery password.
I think the BIOS for this machine is not sufficient. Another possibility is that the USB Key I just bought doesn't work properly, although it seems to work fine in all other respects.
I have the same problem, after I run Bitlocker for the first time and initialise the USB Key and save the password, after the restart I received the warning message that the Key cannot be found.
I have a Sony VAIO S4 Notebook with a fresh install of Vista Ultimate, and the USB Key works with all normal use, however I do not have the option to book from USB key via my BIOS.
- Then you need a BIOS upgrade contact Sony, My VGN-SZ notebook can boot of usb
- Thanks, I will get on to them to see if they have a newer bios than the one on their site, will let you know the results!
- My notebook is a Sony VAIO VGN-TX770P. Sony's support site has no updated BIOS for it, and there is no provision for booting from a USB drive in BIOS.
Let me ask this as unambiguously as I can: Is USB boot support required for BitLocker to work correctly with a USB key? - YES , Is USB boot support required for BitLocker to work correctly with a USB key? YES
- Thank you! This clarifies what I needed to know. In that case I won't try fighting the odds any further.
Bitlocker just seems to have problems.
On a fresh load of windows ultimate, I was sucessful in getting the key saved to USB drive and the whole thing worked well.
I reinstalled windows, and did exactly the same thing, only this time bitlocker did NOT save my key to the USB drive, so now I have the same problem as the rest of you guys.
So I can tell you, it has nothing to do with the BIOS. There just seems to be a flaw with the software, as nothing i did on the second time around was different to the first.
I hope microsoft fixes this.
Shane
- Same story for me. If anyone has an answer to this, please post it. I was hoping to make a SPARE key on another USB flash drive in case the original USB flash drive (which works great) gets lost or damaged, but, I guess that's not possible right now.
I even tried just copying the file over to the other USB flash drive from the original USB flash drive, but bitlocker still didn't recognize the new usb drive. - At first I thought my installation also didn't save the file, but it's a system/hidden file.
I have got Bitlocker working on my nonTPM computer and saved the startup key to a USB flash drive. My problem is that I have not been able to make a duplicate startup key. When I attempt to do so, Bitlocker seems to save the startup key to the USB dirve. I can see a file name on the USB drive for the startup key when I set folder view to reveal hidden OS files. However the startup key itself does not appear to be saved to the USB drive, only the file name. The proof of this is that the startup key does not work. The problem is not with the BIOS because the original startup key works. It is only the duplicate that does not work. I attempted to make duplicates using five different USB drives from four different manufactures. None of the duplicates worked. I spent many hours on the telephone speaking to Microsoft Technical Support. They were no help at all. Since the duplicate startup key is a Bitlocker feature, Microsoft should make it work or remove it from Vista. It is really too bad that they treat their customers so poorly.
- That is because you don't have "show hidden files and folders" selected and "hide protected operating system files" deselected in the "folder options" control panel. After doing that you will see a <GUID>.BEK file in the root of your USB drive. (GUID stands for Globally Unique IDentifier, which is a fancy word for random seeming string of characters). I does not just "fail silently". Also, double check that your motherboard has the ability to boot from usb (or atleast see the USB drive). My machine is a 2007 build, and it doesn't have that option. Oh well, I need a new machine anyways...
Thank you for the information. Unfortunately, you have assumed that I have not selected "show hidden files and folders". In fact, I have. You also missed the point that the original USB startup key works. It is only the duplicate that does not work. This proves that the problem is not with my motherboard or with the BIOS. I am able to create the first startup key which then works fine. I have been trying to create a duplicate startup key in case the first one gets lost or damaged. And yes I have saved the bitlocker password and know that I could also use it in case I don't have the startup key on a USB drive.
When I try to make a duplicate startup key, it does not work. When I explore the USB drive, the file is there but it does not work. Microsoft technical support has not been able to provide me with a solution. I have tried a variety of USB drives but none work as duplicates. I think the problem is with the Bitlocker manage keys program for creating a duplicate. I even tried to clone the USB key that works but that effort also failed.
Eric-3 wrote: When I try to make a duplicate startup key, it does not work. When I explore the USB drive, the file is there but it does not work. Microsoft technical support has not been able to provide me with a solution. I have tried a variety of USB drives but none work as duplicates. I think the problem is with the Bitlocker manage keys program for creating a duplicate. I even tried to clone the USB key that works but that effort also failed.
I have escalated this internally. Can you tell me, in the mean time, if the duplicate keys you've made work as recovery keys? In other words, if you start the machine with no USB, get the recovery screen, and then insert the key.
- No they do not.
Some of the people here are wrong....
Bitlocker DOES save a duplicate key to the USB drive, but it doesn't save the accompanying txt file that was originally saved. Unfortunately, the duplicate BEK key does not work.
I've got my original key on a SSLLOOWW PNY mini Attache 512mb drive formatted with NTFS. Works fine, but that drive is not going to last a long time in my pocket or on my keychain as it's made out of really cheap plastic.
As such, I bought a SanDisk Titanium Cruzer 2gb with U3. I have tried saving a new duplicate key. I've tried copying and pasting both the original BEK and TXT files. The files are on the drive. I removed the U3 partition and reformatted. I've tried every file system (FAT, FAT32, NTSF, exFAT) and nothing works.
Upon booting with the Cruzer, the system is hanging for a VERY long time before prompting for inserting a USB drive containing the key. I take out the Cruzer, put in the old PNY, reboot, and it boots right away everytime.
I've got Vista SP1 x64 (legit) installed with all updates, with Norton Internet Security (no warnings).
Hope this helps.... Please fix this.Here's something else...
Today I reinstalled Vista x64 and tried to save an original key to my Cruzer. It saved it, but at reboot I got the following error:
The system firmware failed to enable clearing of system memory on reboot.
No encryption applied, any changes made to C: during Bitlocker setup will be removed.
And, leaving the USB drive in during booting, the drive was not initially recognized by the laptop. When I removed and reinserted, the drive appeared and functioned normally.
Don't have time to try it with the old PNY drive tonight, maybe tomorrow.
Bitlocker is working again with my old PNY drive.
Is this maybe due to a size issue on the USB drive during boot? Why will the 512 work and not the 2gb?
Have an HP dv9700t laptop running a Core2Duo T9300 with 4gb RAM on Intel PM965 chipset.
I feel like I'm talking to myself.
OK....I contacted HP customer support regarding whether it was a possible compatibility issue due to the brand/model or even the size of the 2gb vs. 512mb.....and, as I kinda expected, they were absolutely worthless, and couldn't understand I was talking about a pre-OS environment. They just wanted me to install updates for Vista. HP's BIOS is extremely limited, so really nothing to tinker with there.
I dug out a VERY old, like 10 years old, 256mb drive that cost around $50 when it was new. Maybe more. In any case, was able to save the key and the text file no problem......and to my surprise, it booted right away. It's a SanDisk.
So, at least for me, the problem wasn't Bitlocker, it's some sort of compatibility issue between HP's motherboard/BIOS and that particular USB drive, or perhaps the size of drive.
If more people would post about specifics (make/model of computer, make/model of USB flash drive, size of drive, mobo chipset (mine's a PM965)), perhaps this all might make a little more sense.
I'm going to return the Titanium Cruzer and try something else. Hopefully I can find a 512mb Titanium Cruzer to replace it and see if that works.
I was having this same issue. I tried with a Sandisk Cruzer, I tried it with a lexar, and a corsair 4gb flash voyager. All failed.
I then tried it with a memorex 2gb USB drive, and it worked without a problem.
For the record, I'm using it on a toshiba satellite A135-4517 without a TPM module.
Hope it helps.
jeff
- Sorry for taking so long, it looks like you already found a USB drive that works. I have tried keys on 7 different USB drives and none worked except for my 2gb USB Memorex as well. However, I also found that all those USB drives that do not work on my desktop work on my Notebook (dell M1530 received literally 4 days ago...no TPM). It appears to be a BIOS or driver issue, haven't figured out which one yet.
- Okay, it has something to do with U3 (the program which turns a USB drive into a smartdrive), since my dell has a more updated BIOS, I'm thinking the BIOS in my desktop is preventing the file from being loaded upon startup.
- Hi, I was experiencing the same problem & after researching further i discovered...... The key does save to the usb pen as a hidden file. It will work as the original does but you have to make sure that *Boot from External usb* is enabled in the bios. My smartkey would not unlock the system hdd at bootup,, as soon as I enabled this setting it worked perfectly. Hope this help you.
I forgot to add that that the internal hdd must be set to boot 1st in priority other wise it will not work.
- OK Guys, i think one of the main problems you're having is the U3 drive.
U3 usb drives (and others), when in serted into a machine first show up a non-writeable section of the drive which then loads up the data section of the drive. In windows this is where the U3 autorun installation files are held, this shows up first, then after inntalling and running the U3 application the rest of the drive shows up as a seperate drive.
These drives won't work in other machines / platforms as a normal usb drives, i.e if you inserted this into say a dvd/media player which supports files on USB, the player will only see the first USB partition (the one with the U3 installtion files) not the data section.
Bitlocker requires the ability to read the key files in a pre-boot environment from the BIOS. Aagain here the BIOS will only see the first U3 section of the drive.
Try using a normal / vanilla USB drive, one that only shows up a a normal USB mass storage drive. No other fancy stuff. :)
- as I've said above, U3 is not a normal usb dirve, on insertin the first thing it represent's is a applicaiton section, usually in the form of a usb connected cd drive, so that the u3 installation files can run first then the data section is loaded.
in a pre-boot environment the bios will only see this first USB / cd drive / section conataining the u3 installaion files not the data section. uninstall u3 (lookup u3 remover) try it ;)
