Bitlocker Save/export recovery keys

  • Question

  • Specific question: What steps are needed to export/backup Bitlocker encrypted drive recovery keys data to a USB drive.

    Background:

    I've used Bitlocker for some time now. I find that the USB drive where the Bitlocker recovery keys are stored has failed (it has started to not be "recognizable" to my PC). This jeopardizes my ability to perform a recovery should the need arise.

    Additional Information:

    Two weeks ago, I installed the TPM module on my upgraded mobo. It was not activated and initialized until today (7/17). This is when I discovered that the USB drive is failing.

    System Specific:

    System is a private system, not attached to an Active Domain, running Windows 7 Ultimate x64. The need for this level of security arises from the higher than normal potential of having my system stolen or otherwise compromised.

    I have examined the associated threads which appeared when I entered my request as well as Bing searches. To no avail. All solutions appear to require an AD or other network supported solution.

    Any help in this matter is greatly appreciated.


    Jim - Mastiffs are the greatest!

    Wednesday, July 17, 2013 7:58 PM

Answers

  • Thank you for the information. What I have come to realize is this: The standard instructions on the backup of BitLocker Recovery Key do not apply when a TPM is installed (as indicated in my original post).

    This appears to be by design, as the TPM contains a number of components that store key information for BitLocker encrypted drives, the hardware and the OS.

    This effectively allows the use of a USB drive during boot to be bypassed, though the option remains available.

    What does happen is that a TPM and BitLocker password are recreated at initialization time, and only at that time is a backup or off-line recovery method saved for future need.

    This changes the entire scope/picture of my past use of BitLocker prior to the installation of a TPM. I am now focusing on the use of a startup boot password to unlock the OS when the system is booted. This approach shall require additional research before it is implemented.

    I shall also change the method for the drive which was encrypted prior to the TPM acquisition (Apr, 2012). This shall be done by performing the following steps:

    1. Decrypt my data drive.
    2. Clear my TPM.
    3. Re-initialize my TPM.
    4. Encrypt my data drive with TPM active.

    Following those steps, I shall finalize my research into the encryption of my OS drive, using a password to unlock at boot-up; and performing the needed steps to ensure a future recovery should it be needed.

    Eventually, all drives (except those defined for use as a DLNA accessible media location) shall be encrypted; and brought on-line only when needed. This will allow my system to act in two entirely different roles: A) Personal system for business and household information protection (against malicious access when not online and against theft); B) as a DLNA server for my devices connected to my network.

    I do appreciate the information, however, because of the TPM, the option to use Manage BitLocker directly or through a wizard does not exist unless I'm getting ready to decrypt or encrypt a drive. My need was to step into the middle and recreate the existing recovery key backups. Backups that would permit booting from a USB, unlocking the drive; and proceeding towards additional recovery steps.

    I have contacts at my business that are knowledgeable in the deployment of BitLocker to AD attached devices, at an Enterprise level. They are experts in the use of TPM and BitLocker on devices - though they are very reluctant to "share" the information due to the security aspect of having that knowledge. I'll just have to do the best I can. I had hoped that through TechNet there was sufficient knowledge to provide more detail surrounding the BitLocker product and its incorporation on a system with TPM installed.

    I do appreciate all the feedback and help, though on my system the paths described do not appear to be options.

    Thank you.

    - Jim


    Jim - Mastiffs are the greatest!

    Saturday, July 20, 2013 2:28 PM

All replies

  • Hi Jim,

    From your post, I understand that the USB drive with Bitlocker recovery key cannot be recognized on your computer.

    First, would you please check if the USB drive can be opened on another computer? If so, we can copy the recovery key out from it.

    Another way is that if your computer can work properly, you can follow these steps to copy your Bitlocker key out:

    1. Open Bitlocker Drive Encryption by clicking the Start button, clicking Control Panel, clicking Security, and then clicking Bitlocker Drive Encryption.
    2. Click Manage BitLocker, and then follow the instructions.

    Following this wizard, you can save your recovery key as a txt file to a location other than the system root directory.

    For detailed information, you can refer to following links:

    http://www.eightforums.com/tutorials/21433-bitlocker-recovery-unlock-drive-windows-8-a.html

    http://windows.microsoft.com/en-IN/windows7/What-is-a-BitLocker-recovery-key

    Hope these can be helpful, and keep posting.


    Best Regards, StarSprite

    Friday, July 19, 2013 7:39 AM
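The Control Panel wizard described in the reply above has a command-line equivalent that is useful when the wizard is not offered: manage-bde.exe, which ships with Windows 7 (the BitLocker PowerShell module only arrived in Windows 8). The script below is an added example and is not code from this thread or from Microsoft; it assumes an elevated PowerShell prompt, a BitLocker-protected volume in $Volume and a removable drive mounted at $UsbRoot (both are placeholder values to adjust). It lists the key protectors on the volume, adds a 48-digit recovery password if the volume has none (a TPM protector alone unlocks the drive only on a normal boot and gives you nothing to type at the recovery screen), saves the listing as a text file on the USB drive, and also writes a .BEK external-key protector to the USB drive.

```powershell
# Added example, not from the thread: back up BitLocker recovery protectors for a
# volume to a USB drive with manage-bde.exe (present on Windows 7).
# Run from an elevated PowerShell prompt. $Volume and $UsbRoot are assumptions.
param(
    [string]$Volume  = 'C:',
    [string]$UsbRoot = 'E:\'
)

# Refuse to store the recovery material on the very volume it unlocks.
if ($UsbRoot.Substring(0, 2) -ieq $Volume) { throw "Pick a removable drive, not $Volume." }
if (-not (Test-Path $UsbRoot)) { throw "USB drive $UsbRoot not found." }

# 1. List the key protectors currently on the volume (TPM, Numerical Password, External Key, ...).
$status = & manage-bde.exe -protectors -get $Volume
$status

# 2. If there is no 48-digit recovery password, add one. -Quiet makes Select-String
#    return a plain $true/$false instead of the matching lines.
if (-not ($status | Select-String -Pattern 'Numerical Password' -Quiet)) {
    & manage-bde.exe -protectors -add $Volume -RecoveryPassword | Out-Null
    $status = & manage-bde.exe -protectors -get $Volume
}

# 3. Save the protector listing, which includes the 48-digit password and its
#    protector ID, as a text file on the USB drive.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$txt   = Join-Path $UsbRoot ("BitLocker-Recovery-{0}-{1}.txt" -f $Volume.TrimEnd(':'), $stamp)
$status | Out-File -FilePath $txt -Encoding ASCII

# 4. Also add an external-key (.BEK) protector stored on the USB drive, so the volume can
#    be unlocked by inserting the USB drive at the recovery prompt.
& manage-bde.exe -protectors -add $Volume -RecoveryKey $UsbRoot

Write-Host "Recovery password saved to $txt; .BEK external key written to $UsbRoot"
```

Because the text file and the .BEK file are each sufficient to unlock the volume, keep the USB drive physically separate from the machine and verify that `manage-bde -protectors -get` shows the new Numerical Password and External Key entries before relying on them.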