Problem Unlocking BitLocker Encrypted Data Drive from USB Recovery Key

  • Question

  • I have started experimenting with BitLocker on my Win 10 Pro system. For testing purposes, I created a small partition on my C drive with its own drive letter, put some garbage data in it, and successfully encrypted it. The problem comes when I try to unlock the drive after a restart. I would prefer to unlock by using a USB drive so that I don't have to enter a long password manually. I have set all the permissions with gpedit.msc (I do not have a TPM), and I save my key to the USB drive when I encrypt the drive. Unfortunately, when I direct BitLocker to go to the USB drive when unlocking, I get an error message that says: "A valid USB key wasn't detected", so the only way to unlock is with the password. The USB drive contains 3 files: System Volume Information, a long-named .bek file, and a BitLocker recovery key .txt file.

    Recently, I did a clean re-install of Win 10 Pro and attempted the same task again, without making any changes to anything with gpedit. I encountered the same failure.

    I am not attempting to encrypt my C drive yet, just testing encryption of data drives. FWIW, my system is able to boot from a USB drive. Can anyone tell me how I can unlock a data drive using just the info on the USB drive?

    Tia

    Prestonpig


    Wednesday, November 4, 2015 12:02 AM

Answers

  • Is the USB key the same key for both your computer and your friend's/other computer? It seems quite strange that the procedure would work on one system but not another if there is no difference between the two.

    You mentioned BitLocker to Go, which is irrelevant to this scenario. BitLocker to Go is used to encrypt the removable drive, but in your scenario the disk is a direct attached physical disk and uses BDE (BitLocker Drive Encryption) to encrypt. Is it possible you also encrypted this USB stick? If so, it might explain why you are unable to read the recovery key to unlock the disk.

    Brandon
    Windows Outreach Team- IT Pro
    Windows for IT Pros at TechNet

    Thursday, December 3, 2015 8:46 PM
    Moderator

All replies

  • Hi,

    First, I would like to know whether you chose Save to USB when encrypting your data drive; please be aware that this is the recovery key, not the startup key, used for decrypting when you plug in your USB.

    Note that a startup key can be used to store the encryption keys for your operating system drive if your PC doesn't have the Trusted Platform Module (TPM) security hardware. You can only use a startup key instead of the TPM if your system administrator has set up your network to allow the use of startup keys.

    For details, please refer to this link:

    What is a BitLocker Drive Encryption startup key or PIN?

    http://windows.microsoft.com/en-us/windows-vista/what-is-a-bitlocker-drive-encryption-startup-key-or-pin

    A startup key on USB is used to set up BitLocker without a TPM on the system partition, not for a data partition:

    Bitlocker without TPM:
    http://blogs.technet.com/b/hugofe/archive/2010/10/29/bitlocker-without-tpm.aspx


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, November 4, 2015 6:33 AM
    Owner
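The distinction drawn in this reply (recovery key vs. startup key) can be checked directly on the volume: the .bek that "Save to USB" writes corresponds to an ExternalKey protector on the encrypted data volume, and its file name is that protector's GUID. The following script is an added example, not code from this thread or from Microsoft; it assumes the encrypted data volume is D: and the USB drive is E:, and must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): list the key protectors on the encrypted
# data volume, confirm the .bek on the USB drive matches one of them, then unlock.
# Assumptions: data volume is D:, USB drive is E:. Run as Administrator.
$DataVolume = 'D:'
$UsbRoot    = 'E:\'

# Show every protector; a USB-file unlock only works if an ExternalKey protector exists.
$vol = Get-BitLockerVolume -MountPoint $DataVolume
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

$external = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'ExternalKey'
if (-not $external) {
    # Only a RecoveryPassword protector exists: the USB can only supply the 48-digit key from the .txt file.
    Write-Warning "No ExternalKey protector on $DataVolume; unlock with the 48-digit recovery password instead:"
    Write-Host "  Unlock-BitLocker -MountPoint $DataVolume -RecoveryPassword <48-digit key from the .txt file>"
    return
}

# The .bek file is hidden (hence -Force) and named after the protector GUID without braces,
# so compare "{<basename>}" against the volume's ExternalKey protector IDs (case-insensitive).
$bek = Get-ChildItem -Path $UsbRoot -Filter '*.bek' -Force |
       Where-Object { $external.KeyProtectorId -contains "{$($_.BaseName)}" }
if (-not $bek) {
    # A .bek from another volume or another machine will never be accepted for this volume.
    Write-Warning "No .bek on $UsbRoot matches a protector on $DataVolume. Files present:"
    Get-ChildItem -Path $UsbRoot -Filter '*.bek' -Force | Select-Object Name
    return
}

# Unlock with the matching external key file and report the resulting lock state.
Unlock-BitLocker -MountPoint $DataVolume -RecoveryKeyPath $bek.FullName
(Get-BitLockerVolume -MountPoint $DataVolume).LockStatus
```

The same unlock can be done with the built-in tool as `manage-bde -unlock D: -RecoveryKey E:\<guid>.bek`; the protector listing is `manage-bde -protectors -get D:`.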
  • Yes, I am saving the recovery key to a USB drive. From the first link you posted, I quote this: "When BitLocker saves the Recovery password to a USB flash drive, it also saves a machine-readable version so you can just plug in the drive rather than typing a long password." This is what I am attempting to use to unlock the data drive. The exact same procedure (create a drive, encrypt saving the key to a USB drive, unlock the drive using the USB key) works fine on another Win 10 Pro machine in our house and on a friend's Win 10 Pro machine, but my machine cannot find this key (A valid USB key wasn't detected), although, if I turn on protected file view, I can see both the .txt file and the .bek file. I am not trying to create a startup key, since the C drive is not being encrypted. What I can't figure out is why it won't unlock the data drive on my machine and what I have to do to get it to unlock like it does on the other machines.

    Prestonpig

    Wednesday, November 4, 2015 1:46 PM
  • There is data recovery software for BitLocker; there are a few ways to obtain this.
    Thursday, November 5, 2015 8:48 AM