none
BitLocker doesn't save startup key to USB drive

    Question

  • After encrypting a drive with BitLocker, I tried to save the startup key to a couple of different USB drives.  The key simply will not save.  I can save the recovery password to any of those drives, but saving the key produces nothing.  Why might this be happening?
    Friday, February 09, 2007 9:13 PM

Answers

  • YES , Is USB boot support required for BitLocker to work correctly with a USB key? YES
    Wednesday, February 14, 2007 6:58 PM
  • Thank you! This clarifies what I needed to know. In that case I won't try fighting the odds any further.
    Wednesday, February 14, 2007 7:32 PM

All replies

  • Check the bios of your computer , It sound like it may need a upgrade
    Friday, February 09, 2007 10:53 PM
  • Why would that prevent the key from being saved if everything else can be written? This is not a TPM system, BTW -- I specifically edited Group Policy to allow a USB key to be used as the key module.

    There are no other problems with this system's USB as far as I know -- I can read and write from drives with it just fine.  It's just that it refuses to write the key certificate to the drive.
    Friday, February 09, 2007 11:03 PM
  • let me look into that further for you.

     

    Saturday, February 10, 2007 3:06 AM
  • Thanks, it's appreciated.

    Just so you know, I did try this with a variety of drives, formatted as FAT, FAT32 and NTFS. None of them worked, which leads me to think there's something else wrong.
    Sunday, February 11, 2007 5:21 PM
  • I have exactly the same problem.

    There is no confirmation after pressing 'duplicate startup key on usb drive'.

    The key is invisible on the USB drive.

    Even though the startup key was copied to the USB key when Bitlocker was turned on the first time, Bitlocker will not recognize the key if it is in the drive when the computer boots.

    Recovery works ok (thank god)

    Asus z63A Sept/05 with 2006 BIOS

     

    Thanks

    Peter

    Monday, February 12, 2007 12:09 AM
  • I suspect there's some problem that both of us are experiencing that's causing this.

    One thing I can think of that might be out of the ordinary is that I used the newly-available BitLocker Drive Preparation tool to ready the system for use.
    Monday, February 12, 2007 12:28 AM
  • So did I, but I don't think that would be the problem.

    When enabling Bitlocker, after saving the Startup Key to the USB drive it asks for the 'Recovery USB' drive to be inserted.

    I happened to have the recovery key on *another* USB drive and inserted that.

    I think that Bitlocker then 'authenticates' all the components of the encryption system including that particular USB drive. So that could be my problem.

    Since there was no 'requirement' for a recovery USB (could save to folder or print) I'm thinking that this is an error in terminology and that they mean the Startup USB Key.

    Anyway I'm going to try to start Bitlocker (3rd time) tonight and I'll use the Startup USB Key when asked for the Recovery USB Key; and I'll let you know how it goes.

     

    Monday, February 12, 2007 12:40 AM
  • Well, I tried 3 x again last night but each time failed on reboot saying Bitlocker could not recognize my USB key. I followed the instructions exactly. I notice the instructions don't tell you when to take out a USB key, if that matters.

    I had Bitlocker partially working previously with a different (old) USB key. Although it may have been booting by the Recovery key. It is confusing.

    This key is new U3 2G FAT. Of course the new key seems to work fine in all other respects.

    Most likely there is something amiss in my BIOS which is mucking up the works.

    Unlikely that Asus will produce a new BIOS for an 18 month old machine, so I guess there was no reason for me to buy Ultimate after all.

    Guess I'll start saving for a TPM machine in the future.

    Monday, February 12, 2007 1:12 PM
  • can you boot your computer from a usb stick as a bios option ?
    Monday, February 12, 2007 2:13 PM
  • A 'removable drive' is offered in the pick list for boot order.

    However, Bitlocker instructions state that the BIOS be set to boot first from the HD.

    Maybe I'll try it with 'Removable drive' set as first pick.

     

     

    Monday, February 12, 2007 2:30 PM
  • If you can boot from a usb drive that the 1st test for will usb work with bitlocker
    Monday, February 12, 2007 5:53 PM
  • This machine is vintage 2006, so I'm fairly sure it supports booting from USB (although I haven't tried explicitly).

    What I am confused about is this: Why would that prevent BitLocker from being able to save the encryption key to a USB drive when Windows is running?  And on top of that, why does it fail silently with no error to indicate why it's not working?  I guess that's my biggest source of confusion: I want to know why it's not working and what I can to do fix it if possible.
    Monday, February 12, 2007 6:06 PM
  • I agree with Serdar, the lack of feedback as to whether the USB Key is saved is very confusing. Especially considering the critical nature of the KEY. For example, the consequences of someone thinking they had saved or copied a key, only to find out that this wasn't the case could be catastrophic.

    With regard to my problems:

    I changed the order of booting in the BIOS to favor 'removable device' (and then tried all other combinations of DVD/HD etc).

    This enabled all the Bitlocker tests to be passed. However, it will not boot from the USB Startup Key.

    This is another area of confusion. How is it the machine is not flagged by Bitlocker when it won't boot from the USB Startup key?

    It will recover from another USB key with the recovery password.

    I think the BIOS for this machine is not sufficient. Another possibility is that the USB Key I just bought doesn't work properly, although it seems to work fine in all other respects.

     

     

    Monday, February 12, 2007 10:59 PM
  •  

    I have the same problem, after I run Bitlocker for the first time and initialise the USB Key and save the password, after the restart I received the warning message that the Key cannot be found.

    I have a Sony VAIO S4 Notebook with a fresh install of Vista Ultimate, and the USB Key works with all normal use, however I do not have the option to book from USB key via my BIOS.

    Wednesday, February 14, 2007 3:10 PM
  • Then you need a BIOS upgrade contact Sony, My VGN-SZ notebook can boot of usb
    Wednesday, February 14, 2007 5:06 PM
  • Thanks, I will get on to them to see if they have a newer bios than the one on their site, will let you know the results!
    Wednesday, February 14, 2007 5:15 PM
  • My notebook is a Sony VAIO VGN-TX770P.  Sony's support site has no updated BIOS for it, and there is no provision for booting from a USB drive in BIOS.

    Let me ask this as unambiguously as I can: Is USB boot support required for BitLocker to work correctly with a USB key?
    Wednesday, February 14, 2007 5:53 PM
  • YES , Is USB boot support required for BitLocker to work correctly with a USB key? YES
    Wednesday, February 14, 2007 6:58 PM
  • Thank you! This clarifies what I needed to know. In that case I won't try fighting the odds any further.
    Wednesday, February 14, 2007 7:32 PM
  • Bitlocker just seems to have problems.

    On a fresh load of windows ultimate, I was sucessful in getting the key saved to USB drive and the whole thing worked well.

    I reinstalled windows, and did exactly the same thing, only this time bitlocker did NOT save my key to the USB drive, so now I have the same problem as the rest of you guys.

    So I can tell you, it has nothing to do with the BIOS. There just seems to be a flaw with the software, as nothing i did on the second time around was different to the first.

     

    I hope microsoft fixes this.

     

    Shane

    Tuesday, March 13, 2007 4:47 AM
  • Same story for me. If anyone has an answer to this, please post it. I was hoping to make a SPARE key on another USB flash drive in case the original USB flash drive (which works great) gets lost or damaged, but, I guess that's not possible right now.

    I even tried just copying the file over to the other USB flash drive from the original USB flash drive, but bitlocker still didn't recognize the new usb drive.
    Tuesday, June 05, 2007 12:32 AM
  • At first I thought my installation also didn't save the file, but it's a system/hidden file.

     

    Friday, December 07, 2007 7:10 PM
  • I have got Bitlocker working on my nonTPM computer and saved the startup key to a USB flash drive.  My problem is that I have not been able to make a duplicate startup key.  When I attempt to do so, Bitlocker seems to save the startup key to the USB dirve.  I can see a file name on the USB drive for the startup key when I set folder view to reveal hidden OS files.  However the startup key itself does not appear to be saved to the USB drive, only the file name.  The proof of this is that the startup key does not work.  The problem is not with the BIOS because the original startup key works.  It is only the duplicate that does not work.  I attempted to make duplicates using five different USB drives from four different manufactures.  None of the duplicates worked.  I spent many hours on the telephone speaking to Microsoft Technical Support.  They were no help at all.  Since the duplicate startup key is a Bitlocker feature, Microsoft should make it work or remove it from Vista.  It is really too bad that they treat their customers so poorly.

    Wednesday, February 27, 2008 8:30 PM
  • That is because you don't have "show hidden files and folders" selected and  "hide protected operating system files" deselected in the "folder options" control panel.  After doing that you will see a <GUID>.BEK file in the root of your USB drive. (GUID stands for Globally Unique IDentifier, which is a fancy word for random seeming string of characters).  I does not just "fail silently".  Also, double check that your motherboard has the ability to boot from usb (or atleast see the USB drive).  My machine is a 2007 build, and it doesn't have that option.  Oh well, I need a new machine anyways...
    Thursday, March 20, 2008 6:06 AM
  • Thank you for the information.  Unfortunately, you have assumed that I have not selected "show hidden files and folders".  In fact, I have.  You also missed the point that the original USB startup key works.  It is only the duplicate that does not work.  This proves that the problem is not with my motherboard or with the BIOS.  I am able to create the first startup key which then works fine.  I have been trying to create a duplicate startup key in case the first one gets lost or damaged.  And yes I have saved the bitlocker password and know that I could also use it in case I don't have the startup key on a USB drive.

     

    When I try to make a duplicate startup key, it does not work.  When I explore the USB drive, the file is there but it does not work.  Microsoft technical support has not been able to provide me with a solution.  I have tried a variety of USB drives but none work as duplicates.  I think the problem is with the Bitlocker manage keys program for creating a duplicate.  I even tried to clone the USB key that works but that effort also failed.

     

    Thursday, March 20, 2008 7:10 PM
  •  Eric-3 wrote:

    When I try to make a duplicate startup key, it does not work.  When I explore the USB drive, the file is there but it does not work.  Microsoft technical support has not been able to provide me with a solution.  I have tried a variety of USB drives but none work as duplicates.  I think the problem is with the Bitlocker manage keys program for creating a duplicate.  I even tried to clone the USB key that works but that effort also failed.

     

    I have escalated this internally. Can you tell me, in the mean time, if the duplicate keys you've made work as recovery keys? In other words, if you start the machine with no USB, get the recovery screen, and then insert the key.

    Thursday, March 20, 2008 11:26 PM
  • No they do not.

     

    Saturday, March 22, 2008 12:54 AM
  • Some of the people here are wrong....

     

    Bitlocker DOES save a duplicate key to the USB drive, but it doesn't save the accompanying txt file that was originally saved.  Unfortunately, the duplicate BEK key does not work.

     

    I've got my original key on a SSLLOOWW PNY mini Attache 512mb drive formatted with NTFS.  Works fine, but that drive is not going to last a long time in my pocket or on my keychain as it's made out of really cheap plastic.

     

    As such, I bought a SanDisk Titanium Cruzer 2gb with U3.  I have tried saving a new duplicate key.  I've tried copying and pasting both the original BEK and TXT files.  The files are on the drive.  I removed the U3 partition and reformatted.  I've tried every file system (FAT, FAT32, NTSF, exFAT) and nothing works.

     

    Upon booting with the Cruzer, the system is hanging for a VERY long time before prompting for inserting a USB drive containing the key.  I take out the Cruzer, put in the old PNY, reboot, and it boots right away everytime.

     

    I've got Vista SP1 x64 (legit) installed with all updates, with Norton Internet Security (no warnings).

     

    Hope this helps....  Please fix this.
    Wednesday, March 26, 2008 1:48 PM
  • Here's something else...

     

    Today I reinstalled Vista x64 and tried to save an original key to my Cruzer.  It saved it, but at reboot I got the following error:

     

    The system firmware failed to enable clearing of system memory on reboot.

    No encryption applied, any changes made to C: during Bitlocker setup will be removed.

     

    And, leaving the USB drive in during booting, the drive was not initially recognized by the laptop.  When I removed and reinserted, the drive appeared and functioned normally.

     

    Don't have time to try it with the old PNY drive tonight, maybe tomorrow.

    Thursday, March 27, 2008 5:47 AM
  •  

    Bitlocker is working again with my old PNY drive.

     

    Is this maybe due to a size issue on the USB drive during boot?  Why will the 512 work and not the 2gb?

     

    Have an HP dv9700t laptop running a Core2Duo T9300 with 4gb RAM on Intel PM965 chipset.

    Thursday, March 27, 2008 4:08 PM
  •  

    I feel like I'm talking to myself.

     

    OK....I contacted HP customer support regarding whether it was a possible compatibility issue due to the brand/model or even the size of the 2gb vs. 512mb.....and, as I kinda expected, they were absolutely worthless, and couldn't understand I was talking about a pre-OS environment.  They just wanted me to install updates for Vista.  HP's BIOS is extremely limited, so really nothing to tinker with there.

     

    I dug out a VERY old, like 10 years old, 256mb drive that cost around $50 when it was new.  Maybe more.  In any case, was able to save the key and the text file no problem......and to my surprise, it booted right away.  It's a SanDisk.

     

    So, at least for me, the problem wasn't Bitlocker, it's some sort of compatibility issue between HP's motherboard/BIOS and that particular USB drive, or perhaps the size of drive.

     

    If more people would post about specifics (make/model of computer, make/model of USB flash drive, size of drive, mobo chipset (mine's a PM965)), perhaps this all might make a little more sense.

     

    I'm going to return the Titanium Cruzer and try something else.  Hopefully I can find a 512mb Titanium Cruzer to replace it and see if that works.

    Friday, March 28, 2008 6:18 PM
  •  

    I was having this same issue.  I tried with a Sandisk Cruzer,  I tried it with a lexar, and a corsair 4gb flash voyager.  All failed.

     

    I then tried it with a memorex 2gb USB drive,  and it worked without a problem.  

     

    For the record, I'm using it on a toshiba satellite A135-4517 without a TPM module.

    Hope it helps.

     

    jeff

     

    Friday, May 09, 2008 12:20 AM
  • Sorry for taking so long, it looks like you already found a USB drive that works. I have tried keys on 7 different USB drives and none worked except for my 2gb USB Memorex as well. However, I also found that all those USB drives that do not work on my desktop work on my Notebook (dell M1530 received literally 4 days ago...no TPM). It appears to be a BIOS or driver issue, haven't figured out which one yet.


    Wednesday, July 02, 2008 1:37 AM
  • Okay, it has something to do with U3 (the program which turns a USB drive into a smartdrive), since my dell has a more updated BIOS, I'm thinking the BIOS in my desktop is preventing the file from being loaded upon startup.
    Wednesday, July 02, 2008 1:48 AM
  • Hi, I was experiencing the same problem & after researching further i discovered......  The key does save to the usb pen as a hidden file. It will work as the original does but you have to make sure that *Boot from External usb* is enabled in the bios. My smartkey would not unlock the system hdd at bootup,, as soon as I enabled this setting it worked perfectly. Hope this help you.
    Monday, October 05, 2009 8:07 PM
  • I forgot to add that that the internal hdd must be set to boot 1st in priority other wise it will not work.

    Monday, October 05, 2009 8:17 PM
  • OK Guys, i think one of the main problems you're having is the U3 drive.

    U3 usb drives (and others), when in serted into a machine first show up a non-writeable section of the drive which then loads up the data section of the drive. In windows this is where the U3 autorun installation files are held, this shows up first, then after inntalling and running the U3 application the rest of the drive shows up as a seperate drive.

    These drives won't work in other machines / platforms as a normal usb drives, i.e if you inserted this into say a dvd/media player which supports files on USB, the player will only see the first USB partition (the one with the U3 installtion files) not the data section.

    Bitlocker requires the ability to read the key files in a pre-boot environment from the BIOS. Aagain here the BIOS will only see the first U3 section of the drive.

    Try using a normal / vanilla USB drive, one that only shows up a a normal USB mass storage drive. No other fancy stuff. :)



    Sunday, November 15, 2009 1:10 PM
  • as I've said above, U3 is not a normal usb dirve, on insertin the first thing it represent's is a applicaiton section, usually in the form of a usb connected cd drive, so that the u3 installation files can run first then the data section is loaded.

    in a pre-boot environment the bios will only see this first USB / cd drive / section conataining the u3 installaion files not the data section. uninstall u3 (lookup u3 remover) try it ;)
    Sunday, November 15, 2009 1:18 PM
  • Make sure you use a usb drive no larger than 512mb.  The gigabit usb drives aren't recognized on older bios versions.  I had the same problem where bitlocker did not see the key on my 1 gig usb drive.  So I used a 256mb and it worked perfectly the first time.

    Wednesday, April 21, 2010 2:35 PM
  • Hi I am currently using Windows 7 (Ultimate) in a VMware workstation. I had the encountered the same problem with the others. After encrypting the C: drive and restarting the workstation, my startup key in my thumb drive was not detected even though I had it saved and plugged in. Does the fault lies on the VMware(doesn't support boot up from thumbdrives)? I can't run a test anywhere else because of some technical difficulties I have on my host. Althought this question might not be totally related to Windows, i hope that someone that has experience in Vmware could answer my question. Thanks
    Friday, October 01, 2010 8:08 AM
  • i have this message on decryptatineg my external hard disk

    error recovering disk h:a recovery key was not found on this drive. the drive cannot be unlocked

    and i need data on it

    what can i do ???

    answer me soon

     

    Thursday, October 14, 2010 6:24 PM
  • I suggest you post this as a separate thread, not as a reply to something else.
    wsf
    Friday, October 22, 2010 6:56 PM
  • I was killing myself trying to figure out why my OS would not detect the key on the USB drive after the initial test reboot.  I can see the key being save and it's a valid file.  After rebooting, it would not read it.  Tried so many different things and then found it.  The flash drive has to be formatted as NTFS for it to work.  I had it as FAT.  Once formatted as NTFS the key was detected and worked great!
    Saturday, August 25, 2012 11:14 PM
  • I had similar problems getting Windows 7 Bitlocker on a fairly recent Sony VAIO to start with a new 8Gb HP USB drive, where it was fine with an old (smaller) one. It was just hanging at the start, not even an error message.

    I don't think its got anything to do with file system format. Maybe with some BIOSes its got something to do the drive size.  I tried reformatting NTFS, FAT32 etc, copying back the .bek files etc.  but no luck. However when I deleted the existing partition and recreated it as 512Mb (default format from diskpart was FAT) then it worked ... finally.

    Tuesday, October 02, 2012 6:38 AM
  • Actually, it does save. Here is how you can view it:

    1. Navigate into USB drive like you would any other

    2. Click on "Organize" in the upper left corner, then "Folder and Search Options"

    3. Go to the "View" tab

    4. Enable "Show hidden files, folders, and drives"

    5. Disable "Hide protected operating system files (recommended)"

    6. Click "OK"

    7. View as you wish

    8. When done, reverse these steps so you don't mess up anything important


    • Edited by mkemp4697 Saturday, November 30, 2013 3:06 AM typo
    Saturday, November 30, 2013 3:06 AM
  • Hi Eric,

    Can I check with you if MS replied to you on the problem you raised several years ago?

    Eric-3 wrote:

    When I try to make a duplicate startup key, it does not work.  When I explore the USB drive, the file is there but it does not work.  Microsoft technical support has not been able to provide me with a solution.  I have tried a variety of USB drives but none work as duplicates.  I think the problem is with the Bitlocker manage keys program for creating a duplicate.  I even tried to clone the USB key that works but that effort also failed

    I am experiencing the same problem right now trying to duplicate the startup key and having no success.

    Would appreciate if you can recall any solution to this problem

    Thank you very much

    Monday, August 15, 2016 2:14 AM
  • I don't know if this is a different issue but I had to enable show system files in order to see the .bek key.  By which time I had four through retrying!  Not sure when in the process it is created.  So now decrypting to start afresh!

    I am assuming that if the restart to check that usb key works succeeds, then presumably the machine is 'booting' from the usb key (.bek file)...?

    I can only assume that the .bek file is a system file as well as maybe a hidden file???

    UPDATE: Having started afresh with empty USB, and with system files and hidden files showing, I watched what happened.  BitLocker Recovery Key saved first, then TWO .bek keys......I'm confused as to why two, unless it has created one for each partition although I do not yet have BitLocker turned on my data partition.

    Otherwise, maybe it creates one for the Windows recovery partition?  Although I thought I had read that this remained unencrypted...?

    Does anyone know?

    • Edited by kevvyb2017 Saturday, January 28, 2017 12:45 AM
    Saturday, January 28, 2017 12:35 AM