Bitlocker drive can't be unlocked with keys/pwd/bek

  • Question

  • I have Windows 10 Enterprise installed. I have several disks but for the sake of clarity let's call them "2 disks":

    • Encrypted (AES only) SSD for the OS+progs
    • Encrypted (AES-XTS) HDD for data (in fact they are 4 disks configured in Windows Storage Spaces but they're fine, at least for now)

    The OS was encrypted in order to automatically unlock my encrypted data drive and I had to put a password in order to boot because my old motherboard doesn't have TPM.

    System worked great for a loooong time. I was happy! I even can't remember if I encrypted the drive back in Win 7 days.

    BUT the last Win 10 update crashed my happiness. The system updated OK and booted OK. On the first reboot, the system booted and asked me for the password as always, but instead of accepting my password and continuing to boot, I was asked again, and again (2 times), and then the recovery procedure appeared.

    I've tried several times, without success. I know the password is OK (and if I enter a wrong password, the system won't accept it instead of asking me again).

    Then I booted the machine with an alternative Win7 installation that I have on another disk for emergency operations. I successfully turned off Bitlocker on the SSD and the system booted again. But the data drive didn't unlock automatically, so I tried again to encrypt the drive (again AES only). I've updated my pendrive with the recovery key and stored it in my MS account, just in case. Then I rebooted the machine to continue the encryption procedure (check/encrypt) and went back to the point where I have to enter the password 3 times just to start the recovery procedure...

    But now I can't decrypt it anymore. The password isn't accepted in the unlock window, nor the stored bek file, nor the numerical key (yes, I know the keys are ok and the identifier is OK).

    I've installed a new Win10 Enterprise (Evaluation) just downloaded and updated (latest build). Checking the Windows logs I get: error id 24615 on BitLocker-Driver telling me that primary metadata record on volume X: could not be found and that the volume needs recovery.

    Ok, screw it, let's just recover what I need!

    Nope, I can't. repair-bde doesn't work with my password, my key nor my bek file.

    What now?

    Tuesday, July 25, 2017 4:12 PM

All replies

  • Restore your data from your backup. No backup?

    Some things to know:

    1. The auto-unlock mechanism stores a bek file on the system drive that is used automatically to unlock the data drive. When you decrypt the system drive, it is normal that the auto-unlock mechanism will HAVE TO BE shut down and exchanged for a password or USB-based .bek file. In other words: if you have Windows booted and try to decrypt C:, Windows will not let you do that before the auto-unlock is turned off and exchanged for a password.

    Since you chose to decrypt the c: drive from your pen drive but did NOT decrypt the data drive as well, you are in big trouble. I am not sure if the .bek file for the autounlocking will still exist on c:. If not, the data drive is lost.

    --

    As for decrypting C: - are you perfectly sure that you did not use XTS-AES? Because that is not decryptable by Windows 7 and will only lead to "password is incorrect". To decrypt that, you need Windows 10 v1511 or higher or a setup disk of that OS.

    Wednesday, July 26, 2017 6:27 AM
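The order of operations the reply above describes (give the data volume a protector that does not live on C:, back the keys up, turn auto-unlock off, and only then decrypt the OS volume from the running system), as an added PowerShell example that is not part of this thread. The drive letters C: and D:, the backup path E:\bitlocker-keys, and an elevated prompt on Windows 8 / Server 2012 or later with the BitLocker module are assumptions.

```powershell
# Added example, not from the thread. Assumptions: C: is the OS volume, D: the data volume
# with auto-unlock, E:\bitlocker-keys is on a removable drive that is NOT BitLocker-protected.
# Run from an elevated PowerShell on Windows 8 / Server 2012 or later (BitLocker module).

$OsVolume     = 'C:'
$DataVolume   = 'D:'
$KeyBackupDir = 'E:\bitlocker-keys'

function Show-Protectors([string[]] $MountPoints) {
    # Inventory encryption method, auto-unlock state and every key protector per volume.
    Get-BitLockerVolume -MountPoint $MountPoints |
        Select-Object MountPoint, VolumeStatus, EncryptionMethod,
            AutoUnlockEnabled, AutoUnlockKeyStored,
            @{ n = 'Protectors'
               e = { ($_.KeyProtector | ForEach-Object { "$($_.KeyProtectorType) $($_.KeyProtectorId)" }) -join '; ' } } |
        Format-List
}

# 1. Look before touching anything. AutoUnlockKeyStored on C: means C: holds keys for other volumes.
Show-Protectors $OsVolume, $DataVolume

# 2. Give D: a protector that does not depend on C:. The auto-unlock key is kept in C:'s
#    BitLocker metadata, so once C: is decrypted it no longer opens D: for you.
$data = Get-BitLockerVolume -MountPoint $DataVolume
if (-not ($data.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $DataVolume -RecoveryPasswordProtector | Out-Null
}
if (-not ($data.KeyProtector | Where-Object KeyProtectorType -eq 'Password')) {
    $pw = Read-Host -AsSecureString -Prompt "New password protector for $DataVolume"
    Add-BitLockerKeyProtector -MountPoint $DataVolume -PasswordProtector -Password $pw | Out-Null
}

# 3. Export every recovery password off-box before step 4; afterwards it is the fallback.
New-Item -ItemType Directory -Path $KeyBackupDir -Force | Out-Null
foreach ($mp in $OsVolume, $DataVolume) {
    (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { "$mp`t$($_.KeyProtectorId)`t$($_.RecoveryPassword)" } |
        Add-Content -Path (Join-Path $KeyBackupDir 'recovery-passwords.txt')
}

# 4. Now, and only now, drop the auto-unlock link and purge the stored keys from C:.
Disable-BitLockerAutoUnlock -MountPoint $DataVolume | Out-Null
Clear-BitLockerAutoUnlock | Out-Null

# 5. Decrypt the OS volume from the running system (not from another OS) and wait for it.
Disable-BitLocker -MountPoint $OsVolume | Out-Null
do {
    Start-Sleep -Seconds 30
    $os = Get-BitLockerVolume -MountPoint $OsVolume
    Write-Host ("{0} {1}, {2}% still encrypted" -f $OsVolume, $os.VolumeStatus, $os.EncryptionPercentage)
} while ($os.VolumeStatus -ne 'FullyDecrypted')

# 6. Confirm D: still has its own protectors before you consider C: done.
Show-Protectors $DataVolume
```

Step 3 writes the recovery passwords to a plain text file on the removable drive; treat that file as you would the keys themselves and delete it once they are stored somewhere better. Doing the decrypt from a different OS skips steps 2 to 4 entirely, which is exactly the situation the reply warns about.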
  • Hi,

    “Then I booted the machine with an alternative Win7 installation that I have on another disk for emergency operations”

    Since Windows 10 version 1511, BitLocker uses a new disk encryption mode, XTS-AES, by default. If you did not choose compatibility mode when you encrypted the disk, the encrypted disk can't be decrypted on a version lower than Windows 10.

    “error id 24615 on BitLocker-Driver telling me that primary metadata record on volume X: could not be found and that the volume needs recovery.”

    Unlocking volumes protected with BitLocker successfully requires BitLocker to read the information about the volume and the encryption (called volume metadata) successfully. If you encounter a hardware failure or physical disk damage, BitLocker will not decrypt normally.

    Please try the following link to back up your vital data from Bitlocker protected volume.

    How to use the BitLocker Repair Tool to help recover data from an encrypted volume https://support.microsoft.com/en-us/help/928201/how-to-use-the-bitlocker-repair-tool-to-help-recover-data-from-an-encr

    Best regards,

    Joy.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 26, 2017 7:41 AM
    Moderator
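A triage script for the situation described above (a volume that rejects every protector, with BitLocker-Driver event 24615 in the log), as an added PowerShell example that is not part of this thread: it shows what the running OS can read from the volume, tries the recovery password and the .bek file, pulls the 24615 events from the System log, and only then falls back to repair-bde writing a decrypted image to a separate disk. The drive letter X:, the key values and all file paths are placeholders, and the script assumes an elevated prompt on Windows 10 1511 or later so that both AES-CBC and XTS-AES volumes are readable.

```powershell
# Added example, not from the thread. Assumptions: X: is the locked volume; the 48-digit
# recovery password, the .bek path and the output paths are placeholders to replace.
# Run elevated on Windows 10 1511 or later so that both AES-CBC and XTS-AES volumes are readable.

$Volume     = 'X:'
$RecoveryPw = '111111-222222-333333-444444-555555-666666-777777-888888'
$BekFile    = 'E:\keys\12345678-1234-1234-1234-123456789ABC.BEK'
$ImageOut   = 'F:\x-recovered.img'    # separate disk with at least the volume's size free
$LogFile    = 'F:\repair-bde-x.log'

# 1. What the running OS can read from the volume. Protectors listed here come from the
#    BitLocker metadata; if that cannot be read, the list is empty and nothing will unlock.
Get-BitLockerVolume -MountPoint $Volume |
    Select-Object MountPoint, LockStatus, VolumeStatus, EncryptionMethod,
        @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ', ' } } |
    Format-List

# 2. Try the normal unlock paths in turn and remember whether one worked.
function Test-UnlockPath([string] $MountPoint, [string] $Label, [hashtable] $Params) {
    try {
        Unlock-BitLocker -MountPoint $MountPoint @Params -ErrorAction Stop | Out-Null
        Write-Host "Unlocked $MountPoint with $Label"
        return $true
    } catch {
        Write-Warning "Unlock with $Label failed: $($_.Exception.Message)"
        return $false
    }
}
$unlocked = (Test-UnlockPath $Volume 'recovery password' @{ RecoveryPassword = $RecoveryPw }) -or
            (Test-UnlockPath $Volume '.bek file'         @{ RecoveryKeyPath  = $BekFile })

# 3. The driver's own verdict: event 24615 (primary metadata record not found) in the System log.
Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-BitLocker-Driver'; Id = 24615
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 4. Last resort: repair-bde reconstructs the critical structures and writes a decrypted image.
#    The output must never be the damaged volume itself. -lf captures the detail;
#    -f only forces a dismount of a busy volume, it does not skip unreadable metadata.
if (-not $unlocked) {
    & repair-bde.exe $Volume $ImageOut -rp $RecoveryPw -lf $LogFile
    if ($LASTEXITCODE -ne 0) {
        & repair-bde.exe $Volume $ImageOut -rk $BekFile -f -lf $LogFile
    }
    Write-Host "repair-bde exit code $LASTEXITCODE; details in $LogFile"
}
```

repair-bde can only succeed when it finds usable metadata and the supplied recovery password or .bek actually corresponds to a protector on that volume; if every copy of the metadata is unreadable, each attempt ends in the same 24615 event that the unlock attempts produced, which is what the rest of the thread reports. Keep the image target on a separate disk so that failed attempts never write over the volume you are trying to save.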
  • "Restore your data from your backup. No backup?"

    It's OS+progs. Instead of a backup+restore solution I prefer a full reinstall. The only thing lost here are hours of work configuring and going back to my setup/config. Restoring OS+progs partitions has always proven buggy to me. I have updated backup of my DATA drives, but they're unharmed.

    "Some things to know:
    1. The auto-unlock mechanism stores a bek file on the system drive that is used automatically to unlock the data drive. When you decrypt the system drive, it is normal that the auto-unlock mechanism will HAVE TO BE shut down and exchanged for a password or USB-based .bek file. In other words: if you have Windows booted and try to decrypt C:, Windows will not let you do that before the auto-unlock is turned off and exchanged for a password.
    Since you chose to decrypt the c: drive from your pen drive but did NOT decrypt the data drive as well, you are in big trouble. I am not sure if the .bek file for the autounlocking will still exist on c:. If not, the data drive is lost."

    Auto-unlock was only selected for the data drives and they can be decrypted with the password (I'm using them right now). I suppose that the bek files you are speaking of are those of the data drives, because the OS drive has to be auto-unlocked in order to work. Anyway, I have the bek file for the OS drive, but it doesn't work at all.

    "As for decrypting c: - are you perfectly sure that you did not use XTS-AES? Because that is not decryptable by windows 7 and will only lead to "password is incorrect". To decrypt that, you need windows 10 v1511 or higher or a setup disk of that OS'."

    Yes, perfectly sure. I know that I selected "AES only" because I know Microsoft and I know that using any new Microsoft technology is dangerous (I can tell you what problems Storage Spaces has, and also ReFS). I try to avoid data loss (that's why I have up-to-date backups) and try to avoid hours of work (having the ability to boot from an earlier and more tested OS in order to do some work that a new/buggy OS can't has saved me lots of work on countless occasions).
    Also, I'm booting from a new Windows 10 Enterprise Eval build 15063 and it can't decrypt the OS with pwd, key, bek, prayers, threats, whatever...



    "Since Windows 10 version 1511, Bitlocker use a new disk encryption mode XTS-AES by default. If you have not choose compatibility mode when you encrypt disk, we can’t decrypt the encrypted disk on a lower version than Windows 10."

    Yes, I've chosen "AES only". Also, I'm booting from a new Windows 10 Enterprise Eval...

    "Unlocking volumes protected with BitLocker Successfully require Bitlocker read information about the volume and the encryption (called volume metadata) successfully. If you encounter hardware failure or disk physical damage, we will not decrypt Bitlocker normally."

    The disk is intact, no hardware nor physical damage (at least none detected by S.M.A.R.T.). I didn't try a full byte-read of the disk but I don't see any of the problems related to a hardware error (lags, messages, etc.)

    "Please try the following link to back up your vital data from Bitlocker protected volume.

    How to use the BitLocker Repair Tool to help recover data from an encrypted volume https://support.microsoft.com/en-us/help/928201/how-to-use-the-bitlocker-repair-tool-to-help-recover-data-from-an-encr"

    The link is outdated (for example the new repair-bde doesn't accept -nov). Anyway, I've tried it with the new repair-bde that came in W10 and, as I said, I can't decrypt anything with my pwd, key, USB drive nor bek file. I get messages telling me that with the {pwd/key/...} that I've provided, it can't be recovered. And every time it fails, I get a log entry with error 24615.
    Thursday, July 27, 2017 5:53 AM
    We have been doing backup/restore procedures of OS drives for 15 years - no problems in particular. Maybe look at different backup software. I can recommend http://www.drivesnapshot.de/en/index.htm

    If repair-bde does not help, there is no hope.

    Thursday, July 27, 2017 6:43 AM
  • Hi,

    Was the issue resolved?

    Bests,

    Joy.


    Tuesday, August 1, 2017 1:54 AM
    Moderator
  • Hi,

    Was the issue resolved?

    Because we have not heard from you for several days, I have to close the case temporarily. If you have any update, please post here. The case will re-open automatically when you reply to us.

    Bests, 


    Wednesday, August 9, 2017 1:51 AM
    Moderator