Bitlocker Recovery Key and .Bek File

  • Question

  • Do you need both? My last job never used Bitlocker and my new job requires it. I had been backing up the Bitlocker Recovery Key text file but then noticed the .Bek file on a computer that had hidden objects enabled.

    I deployed a few laptops and if I need it, I will have to track them down.....I'm hoping not. Not trying to be lazy, I worked 12 hours yesterday and my mind hurts. Haha.

    Wednesday, March 29, 2017 10:01 PM

All replies

  • No, you don't need both.

    The recovery key alone can be used to access the data under any circumstance. The .bek file is a key you would usually save on a USB drive to start your computer without having to enter a bitlocker PIN/password.

    Another thing to take note of, just in case, for companies that need to be FIPS-compliant: recovery keys may not be used, they are not FIPS compliant, while .bek files are FIPS compliant.

    Thursday, March 30, 2017 9:15 AM
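To make the distinction in the reply above concrete, here is an added example (not code from the thread or from Microsoft) that lists every key protector on each BitLocker volume and unlocks a data volume with whichever credential is at hand. The recovery password is what the backed-up .txt file contains (a RecoveryPassword protector); the .bek file is an ExternalKey protector. Both unlock the volume outright, recovery mode or not. It needs the BitLocker PowerShell module (Windows 8 / Server 2012 and later; on Windows 7 the equivalent is manage-bde) and an elevated prompt. The drive letters, the .bek path and the 48-digit value are placeholders.

```powershell
# Added example, not from the original post. Run elevated; drive letters,
# the .bek path and the recovery password are placeholders.
Import-Module BitLocker

# What each protector type means for who can unlock the volume.
$typeNotes = @{
    'Tpm'                 = 'TPM only: boots with no user interaction'
    'TpmPin'              = 'TPM + PIN'
    'TpmStartupKey'       = 'TPM + .bek startup key on USB'
    'TpmPinAndStartupKey' = 'TPM + PIN + .bek startup key'
    'ExternalKey'         = '.bek file alone; unlocks the volume by itself, recovery mode included'
    'RecoveryPassword'    = '48-digit recovery password (the .txt backup); also unlocks by itself'
    'Password'            = 'passphrase (data drives)'
    'AdAccountOrGroup'    = 'SID-based protector'
}

function Show-BitLockerProtectors {
    foreach ($vol in Get-BitLockerVolume) {
        '{0}  Status={1}  Protection={2}' -f $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus
        foreach ($kp in $vol.KeyProtector) {
            $note = $typeNotes[[string]$kp.KeyProtectorType]
            '   {0,-22} {1}  {2}' -f $kp.KeyProtectorType, $kp.KeyProtectorId, $note
        }
    }
}

# Unlock a (locked) data volume with either credential. Exactly one of the two
# optional parameters is used; the .bek path is the GUID-named file on the USB stick.
function Unlock-WithAvailableKey {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [string] $RecoveryPassword,
        [string] $BekPath
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -ne 'Locked') { return "$MountPoint is already unlocked" }

    if ($BekPath) {
        Unlock-BitLocker -MountPoint $MountPoint -RecoveryKeyPath $BekPath | Out-Null
    } elseif ($RecoveryPassword) {
        Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword | Out-Null
    } else {
        throw 'Supply -RecoveryPassword or -BekPath'
    }
    return "$MountPoint unlocked: " + (Get-BitLockerVolume -MountPoint $MountPoint).LockStatus
}

Show-BitLockerProtectors
# Unlock-WithAvailableKey -MountPoint 'D:' -RecoveryPassword '111111-222222-333333-444444-555555-666666-777777-888888'
# Unlock-WithAvailableKey -MountPoint 'D:' -BekPath 'E:\12345678-1234-1234-1234-123456789ABC.BEK'
```

The protector listing is the check to run before deciding what to back up: a volume with only a TPM protector and an ExternalKey protector has no recovery password at all, so the .bek on the USB stick is then the only way back in. Note that Unlock-BitLocker works on data volumes and on an OS volume attached to another machine; the running OS volume is unlocked at boot by its own protectors.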
  • Hi Steven,

    Have you deployed any GPO or have you configured startup key?

    According to my research, .bek file is a startup key saved in a USB drive. It is set as a hidden file by default and it could be used to access a Bitlocker drive. But if the machine is in recovery mode, we should use the recovery key to re-gain access to the Bitlocker drive and the recovery key is the only way to regain access to the Bitlocker drive once it is in recovery mode.

    Best regards,
    Joy.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, March 30, 2017 9:43 AM
  • "But if the machine is in recovery mode,... the recovery key is the only way to regain access to the Bitlocker drive once it is in recovery mode."

    That is incorrect. .bek files also work to unlock it in recovery mode. That's why giving out .bek files to users is so dangerous: they can do anything with those including offline manipulation and decrypting.

    Thursday, March 30, 2017 10:47 AM
  • Hi Ronald Schilf,

    Thank you for pointing out my misunderstanding about the .bek file.
    This forum needs professional volunteers like you to make it better at helping others.

    Best regards,
    Joy.



    Wednesday, April 5, 2017 9:46 AM
  • It is worth noting that Microsoft does not really stress the importance (and dangers) of the .bek files. Also, I guess I have read more than once that in recovery mode, only the recovery key can help - though it's not true - even on official sites.
    Wednesday, April 5, 2017 11:38 AM
  • No, you don't need both.

    The recovery key alone can be used to access the data under any circumstance. The .bek file is a key you would usually save on a USB drive to start your computer without having to enter a bitlocker PIN/password.

    Another thing to take note of, just in case, for companies that need to be FIPS-compliant: recovery keys may not be used, they are not FIPS compliant, while .bek files are FIPS compliant.

    Hi Ronald,

    I'm glad to hear that "No, you don't need both". However, after changing the Boot Configuration Data (start in safe mode after a crash) on a Win 7 Ultimate machine with TPM 1.2, I am asked to "Insert key storage media" (with .bek file) every time. Entering the correct BitLocker password manually in either the CLI or via the safe mode Windows UI later is not sufficient for recovery - at the end, the machine always takes me back to the screen that requests the .bek media after restart. As I have the BitLocker Recovery Key file, but not the .bek file, I am stuck... did I misunderstand your comment "No, you don't need both"? Your reply would be very much appreciated.

    Carl

    Tuesday, April 18, 2017 5:24 PM
  • Before doing changes to boot config or bios config, you need to suspend bitlocker, or it will enter recovery mode. To leave recovery mode now, suspend and then resume bitlocker protection - find those options after right clicking c: and choosing "manage bitlocker". See if that works. If it does not, then the behavior is buggy and I would decrypt and re-encrypt.
    Wednesday, April 19, 2017 7:19 AM
  • Ronald,

    So even in their example, it is not necessary to have the .Bek key? 

    Sorry for not responding, I was being stupid and realized that I used my old work account in which I no longer have access so I wasn't getting notifications.

    When is it necessary to have the bek file? When we are enabling Bitlocker, we are saving the key to a thumb drive(giving to users) and then making a copy and storing it on a secured network folder as well. I know there are better ways but for now, that's how we are doing it. 

    Do I need to remove the bek file from the usb drive and store it for our purposes only?



    Tuesday, April 25, 2017 9:43 PM
  • Steven, whoever has the .bek file has full control over the hard drive. He can mount it, manipulate it and circumvent OS based security settings. Users should not have the .bek file, no.

    Carl: you are seeing a situation where bitlocker went to recovery mode but does not get out of it. Enter the recovery key, boot, suspend bitlocker and re-enable it. That will normally end the recovery loop.

    Thursday, April 27, 2017 8:15 PM
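Taking the .bek back from the user is not enough on its own: the file is just a copy of an ExternalKey protector, and any copy that was ever made keeps unlocking the disk until that protector is removed from the volume. The following is an added example (not code from the thread or from Microsoft) of the change Steven's setup implies: make sure a recovery password exists, escrow it in Active Directory, and then revoke the .bek protector. It assumes an elevated prompt on Windows 8 / Server 2012 or later, the OS volume at C:, a TPM or TPM+PIN protector already in place for booting, and a domain where BitLocker recovery information backup is enabled.

```powershell
# Added example, not from the original post. Run elevated. Assumes the OS
# volume is C:, a TPM-based boot protector exists, and AD DS accepts
# BitLocker recovery information (ms-FVE-RecoveryInformation).
Import-Module BitLocker

function Revoke-BekProtector {
    param([string] $MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # 1. The machine must still boot without the .bek: refuse to continue
    #    unless a TPM or TPM+PIN protector exists. (If the type is
    #    TpmStartupKey, add a plain TPM protector first: Add-BitLockerKeyProtector -TpmProtector.)
    $tpm = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -in @('Tpm', 'TpmPin') }
    if (-not $tpm) {
        throw "No TPM or TPM+PIN protector on $MountPoint; add one before revoking the startup key."
    }

    # 2. Make sure a 48-digit recovery password exists; create one if it does not.
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    # 3. Escrow every recovery password in AD DS so admins, not users, hold it.
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    # 4. Revoke the ExternalKey (.bek) protectors. From now on the USB copies
    #    are useless, whoever still has one.
    $revoked = @()
    foreach ($p in ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'ExternalKey' })) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        $revoked += $p.KeyProtectorId
    }

    # Report what is left so the result can be eyeballed before reboot.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId |
        Format-Table -AutoSize
    return $revoked
}

Revoke-BekProtector -MountPoint 'C:'
```

The order matters: escrow before revoke, so there is never a moment with no admin-held way into the volume. Verify in AD (the msFVE-RecoveryInformation object under the computer account) that the backup actually landed before running the last step on a fleet.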
  • Ronald, thank you for your answers, which I only just saw (I did not get any notifications, although the email address associated with my account is correct... strange). I have been working with the backup machine all this time, but my Bitlocker problem on the main machine is still there, so I would very much appreciate any assistance that leads to overcoming the problem. From now on, I'll check this post daily, now that I know that the notifications are not working for me.

    I cannot suspend Bitlocker protection, because I cannot log in to Windows. After restart, I am prompted for the .bek file, but as it is corrupted, I skip past that to the point where I am prompted for the recovery key code (no GUI at that point). It is accepted and the Windows files are loaded up to the point where the Windows login screen is displayed in safe mode. However, I cannot log in - the Windows login screen is displayed only for a few seconds and then the computer reboots, even if I use a username that does not require a password. If, instead of entering the recovery key, I ESCape past it, I get a chance to enter it via a GUI. After it is accepted, the system automatically launches Startup Repair, which finds a Root Cause: "The computer hard disk is encrypted using BitLocker Drive Encryption and could not be unlocked.". Even at that point, all options lead to reboot in the end... Anyone who can solve this issue will definitely get rewarded!



    • Edited by Carl- Sunday, June 25, 2017 6:12 PM corrected description of system behaviour when trying to log in to Win
    Sunday, June 25, 2017 11:13 AM
  • I have searched further for ways to suspend Bitlocker, but could not find any, not even outside Windows, as after successfully entering the 48-digit recovery key I cannot even get to the command line to run the Suspend-BitLocker cmdlet (see https://technet.microsoft.com/en-us/itpro/powershell/windows/bitlocker/suspend-bitlocker). So, for now it seems that there are circumstances when both the .bek file and the recovery key are needed to restore a Windows 7 system after it entered recovery mode... I would be very happy to be proved wrong, though...
    Wednesday, June 28, 2017 9:48 PM
  • @Ronald Schilf: "The recovery key alone can be used to access the data under any circumstance" - Please see my comments of June 25 and 28 below for circumstances where the recovery key alone is not enough.
    • Edited by Carl- Sunday, July 2, 2017 10:50 AM
    Sunday, July 2, 2017 10:49 AM
  • Hi Carl.

    I was on vacation and returned today, so the notifications reach my work mail and I saw it just now.

    You have a system that reboots at the login prompt, before you can enter the password. That has nothing to do with bitlocker and has nothing to do with startup repair. At this point, since you cannot enter windows, you are left with some rather difficult options:

    -read the event log offline to see why it reboots at the logon screen (I assume it does not reboot, but rather crashes uncontrolled, followed by an automated reboot). If the event log indicates what is wrong (some system service might malfunction and crash the system), you would be able to disable that service. However, since you say you are already in safe mode (sure?), only the bare minimum of services is starting now, so your chances are small that you can do without one of those. I hope this argumentation is understandable.

    -2nd option: mount the drive offline, recover your data and reinstall windows (or return to your latest image backup)

    --

    "So, for now it seems that there are circumstances when both the .bek file and the recovery key are needed to restore a Windows 7 system after it entered recovery mode..." - that conclusion is wrong. In your situation, the recovery key lets you access your drive. It's only windows that is corrupted and (probably) crashes, denying the logon. And that is something that startup repair cannot handle.


    • Edited by Ronald Schilf Monday, July 10, 2017 12:40 PM
    • Proposed as answer by Carl- Monday, July 31, 2017 7:27 PM
    Monday, July 10, 2017 12:39 PM
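The offline route Ronald describes, as an added example (not code from the thread or from Microsoft): attach the disk to a second Windows machine, unlock it with the 48-digit recovery password, and read its System log without booting it. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later on the helper machine), that the attached volume shows up as E:, and a placeholder recovery password. The event IDs filtered for are the standard ones for an unclean reboot (Kernel-Power 41, EventLog 6008), a bugcheck (1001) and service start failures or crashes (Service Control Manager 7000, 7001, 7031).

```powershell
# Added example, not from the original post. Run elevated on the helper
# machine. E: and the recovery password are placeholders.
Import-Module BitLocker

$offline  = 'E:'
$recovery = '111111-222222-333333-444444-555555-666666-777777-888888'   # placeholder

function Get-OfflineCrashEvents {
    param([string] $MountPoint, [string] $RecoveryPassword, [int] $Newest = 40)

    # Unlock with the recovery password; the .bek is not required for this.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -eq 'Locked') {
        Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword | Out-Null
    }

    # The System log of the offline installation.
    $log = Join-Path $MountPoint 'Windows\System32\winevt\Logs\System.evtx'
    if (-not (Test-Path $log)) { throw "No System.evtx at $log; is $MountPoint the OS volume?" }

    # Events that explain a reboot at the logon screen.
    $ids = 41, 1001, 6008, 7000, 7001, 7031
    Get-WinEvent -Path $log -ErrorAction Stop |
        Where-Object { $_.Id -in $ids } |
        Sort-Object TimeCreated -Descending |
        Select-Object -First $Newest TimeCreated, Id, ProviderName,
            @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ') } }
}

Get-OfflineCrashEvents -MountPoint $offline -RecoveryPassword $recovery |
    Format-Table -AutoSize -Wrap

# Copy the data out while the volume is open, then lock it again before detaching.
Lock-BitLocker -MountPoint $offline -ForceDismount
```

Messages for events whose provider is not registered on the helper machine come back empty; the provider name and ID are still enough to see which service failed. Once the volume is unlocked it is an ordinary NTFS volume, which is also what makes a .bek in a user's hands equivalent to full disk access.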
  • Hi Ronald,

    Thanks for your reply. I have also been away and saw your reply yesterday evening. Yes, I follow your argumentation for the 1st option and I imagine that what you mean by "read the event log offline" is that I should connect the drive to another computer to read the event log. If that is correct, I would need to get a USB adapter for both options (the locked machine is a notebook with a M.2 SSD).

    I am almost certain that Win 7 is running in safe mode until it reboots, as:

    a) the whole problem started because I chose to restart Windows in safe mode and on rebooting I do get the warning that the Boot Configuration Data have changed - as expected when attempting to reboot in safe mode when Bitlocker encryption has not been suspended

    b) drivers etc. are displayed in the CLI one by one as they are loaded - as it happens when starting Windows in safe mode

    As a consequence, I doubt that what I am witnessing within a few seconds of the Windows login screen appearing represents a crash. Could it be that while the login screen loads, the system is looking for the startup key (.bek file) and then, as it does not find it, reboots? I have to admit that I have not yet understood the role of the .bek file, i.e. what is triggered by having a valid .bek file.

    So, when I have obtained an adapter to mount the M.2 SSD next week, I'll check the event log and then take it from there. Being able to access the drive, even if only when mounted to another PC would already be a huge step forward, so if I reach that point I'll mark your last answer as such.

    Saturday, July 15, 2017 9:17 PM
  • About the .bek file: It is normally used as a startup key by people who don't like to type in passwords. They keep the key on a USB stick, insert it and Windows boots without requiring a BitLocker PIN/password. Having no .bek file connected cannot possibly crash the machine, no.

    At the phase where it crashes for you, system services are being started, so highly probable it's some service that is malfunctioning.

    Monday, July 17, 2017 6:21 AM
  • Thanks, Ronald. I had understood how (e.g. on USB stick) and when (at startup) the .bek file is used, but what I don't understand is what exactly it is supposed to unlock, because if the purpose is simply to give access to the drive, which is what the other Bitlocker recovery file (a .txt file) does, the .bek file would not be needed, because the .txt file can also be read by the system without having to manually enter the recovery code. In fact, if I do not want to enter the recovery code from the .txt file manually, my system loads the (Windows) GUI to prompt me to "Load the key from removable media" or "Manually input the key". This is what leads me to think that the recovery keys in the .bek and the .txt have two different roles. Maybe the .bek file is related to the TPM? Anyhow, I am still waiting for the delivery of an appropriate adapter...
    Tuesday, July 18, 2017 8:54 PM
  • Earlier, the recovery key text file was not used to unlock the drives. In former Windows versions, you could not use the preboot BitLocker GUI to load it. Only after Microsoft realized people find those two rather confusing did they enable us to use the .txt file, too.

    You will notice, that with only the .txt file on usb, the machine will not start before you select to load the file, while with a .bek file, it will start automatically.

    Wednesday, July 19, 2017 6:09 AM
  • Hi Ronald,

    Sorry for the delay - the locked M.2 SSD only communicates via the PCI Express interface and I had trouble getting an adapter for it (I was offered M.2-USB adapters purported to have a PCIe interface, but they only worked with SATA and after further searching I found a great water-cooled M.2 SSD-PCIe adapter at aqua-computer.de). After mounting the SSD on the PCIe card in an older desktop PC, it was a piece of cake and I managed to retrieve all the needed data. I didn't check the event logs, but as I have reinstalled Win, that is history now.

    Thank you very much again for your very useful advice!

    Cheers,

    Carl

    Monday, July 31, 2017 7:37 PM
  • You are welcome.
    Tuesday, August 1, 2017 6:31 AM