Bitlocker autounlock: restore data without recovery key

  • Question

  • Hello,


    I have got two hard drives in my laptop, both encrypted with Bitlocker.

    The first one, the system disk, is locked with a password and the second is auto unlocked on boot.


    X days ago, my registry was corrupted and I am now unable to boot or repair Windows.

    I can unlock the system disk with the password by putting the disk in another PC (or even with manage-bde and a USB key to back up some data), but I can't find how I can unlock the second drive (I don't have the recovery key). Is there a file or an entry in the registry on the system disk that stores the key used to unlock the other drives on boot?

    Thanks!

    Tuesday, July 19, 2016 6:30 PM

Answers

All replies

  • If you don't have the passcode or recovery key (or they don't work), the data is forever lost.

    Wanikiya and Dyami--Team Zigzag Windows IT-PRO (MS-MVP)

    Tuesday, July 19, 2016 7:59 PM
    Moderator
  • Even if my first hard drive was able to unlock the second when Windows was able to boot?

    How was the second drive unlocked in this situation?

    Wednesday, July 20, 2016 8:22 AM
  • Hi Amoki,

    The recovery key is the only method we could use to get the data when a BitLocker drive is in recovery mode. If it is lost, I am afraid we will lose it forever, as ZigZag pointed out. Please always keep the recovery key safe.

    If the data is very important, we could try asking for help from professional data recovery support.

    Best regards



    Thursday, July 21, 2016 2:58 AM
    Moderator
  • Hi Amoki.

    I would not be so sure that the previous answers are correct. Please read the comment on http://superuser.com/questions/561533/windows-bitlocker-and-automatic-unlock-password-storage-safety which tells you where the auto-unlock key is kept and how it is secured. Since it is protected by the user credentials, something that you have access to, it should be possible to read the key from the unlocked system volume and use it to unlock your second hard drive.

    I never did this since we store recovery keys for all partitions automatically in Active Directory; please find out if you do the same and maybe are not even aware of it.

    Your best chance would be to research the key name FveAutoUnlock and see if you find something. It could also be that tools that claim to be able to recover BitLocker drives will offer to automate the process.


    Thursday, July 21, 2016 8:46 AM
  • Thanks Ronald!

    I found FveAutoUnlock in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FVEAutoUnlock but the data is encrypted:

    "The key and metadata to be stored in the registry are encrypted using the CryptProtectData() DPAPI function using the current user's login credentials and Triple DES (OTOH the actual data on the encrypted volume is protected with either 128-bit or 256-bit AES and optionally diffused using an algorithm called Elephant)."


    As I found it in HKEY_LOCAL_MACHINE\SYSTEM\... instead of HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock\, what are the "current user's login credentials" then?
    How can I decrypt the data? Do I have to read the MSDN docs and write some C# code, or is there a different way?

    In summary: how do I unlock a BitLocker drive with the FVEAutoUnlock data?

    Thursday, July 21, 2016 10:40 AM
    You will need to look into some articles. I told you, I did not need to do it before.

    The old user profile can be mounted in regedit as shown here: http://zeda.nl/index.php/en/load-user-registry-hive-in-regedit. Have a look at the keys there. It will still be encrypted, of course. But that would be a user-specific key, and you have the credentials for that user, so that will improve your situation.

    Maybe play with a trial of Elcomsoft's BL recovery tool.

    Thursday, July 21, 2016 10:48 AM
  • Hi,

    Is there any update on the issue?

    Best regards



    Wednesday, August 3, 2016 1:37 AM
    Moderator
  • I figured out how to decrypt a BitLocker drive using the FveAutoUnlock registry key. Figured I would post that here, as this is the first Google result for "FveAutoUnlock", for those who have noticed they have an auto-unlock key protector on their drive and are researching their options. There is almost no other information about this that I could find, so hopefully this is helpful.


    In this case, the drive was encrypted in an SCCM task sequence, but the key failed to back up to AD. This means the SYSTEM account enabled BitLocker, and the key is under the SYSTEM account's user hive:
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock


    This data is encrypted with DPAPI. Use NirSoft's free DataProtectionDecryptor to access this data:
    https://www.nirsoft.net/utils/dpapi_data_decryptor.html
    I exported the key to a .reg file.

    To decrypt, you need to be able to run as the account that encrypted the key, on that machine, or have access to the user/password. For me this was the SYSTEM account. I ran psexec -s -i cmd to get a command prompt in the SYSTEM account context. I then started DataProtectionDecryptor from that prompt.
    Select the .reg file and decrypt.

    I don't pretend to understand the encoding, but after comparing a lot of key files, passwords, certs and registry keys from test systems, I determined that the highlighted values comprise the key.


    The next thing we need to do is to put this value into a key file.  To create a template key file to modify, I encrypted a test drive, and used the following command to save the key to file:
    manage-bde -protectors -get d: -SaveExternalKey "c:\temp"
    This created a {GUID}.bek file.
    I opened this file in HxD, a hex editor, and saved it as KeyO.bek.
    I then replaced the last 32 values with the 32 values from the decrypted file.

    I then saved this file with a new name KeyT.bek.
    I copied the file to the target system and ran the following command:
    manage-bde -unlock d: -recoverykey c:\temp\keyT.bek
    To my surprise, it unlocked!

    • Proposed as answer by KngFuJedis Wednesday, January 24, 2018 8:50 PM
    Thursday, January 18, 2018 4:32 PM
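The procedure KngFuJedis describes above, reconstructed as one PowerShell script. This is an added example, not the poster's own code or a Microsoft-supported method. It must run from a prompt in the context of the account that enabled BitLocker (for SYSTEM: `psexec -s -i powershell.exe`, under which `HKCU:` resolves to `HKU\S-1-5-18`). Everything not stated in the post is an assumption and is marked as such in the code: the drive letters and working directory; the layout under the FveAutoUnlock key (the script simply collects every REG_BINARY value beneath it); that CryptProtectData was called without optional entropy; and the position of the 32 key bytes inside the decrypted blob, which the post identifies only by a screenshot that is not on the page, so the script prints the blob as hex for you to compare, as the poster did. It also front-loads the protector check that the later reply recommends: if the target volume no longer has an ExternalKey protector, auto-unlock was disabled and the registry blob cannot help.

```powershell
# Added example (not KngFuJedis's script): FveAutoUnlock blob -> patched .bek -> manage-bde -unlock.
# Run as the account that enabled BitLocker (psexec -s -i powershell.exe for SYSTEM).
param(
    [string]$TargetDrive   = 'D:',          # ASSUMPTION: locked volume you want back
    [string]$TemplateDrive = 'E:',          # ASSUMPTION: throw-away BitLocker volume for the template .bek
    [string]$WorkDir       = 'C:\temp\fve', # ASSUMPTION: scratch directory
    [string]$AutoUnlockKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock',
    [int]   $KeyOffset     = -1             # ASSUMPTION: -1 = take the last 32 bytes of the decrypted blob
)

Add-Type -AssemblyName System.Security
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null

function Get-BinaryRegValues([string]$Path) {
    # Walk the key and its subkeys, returning every REG_BINARY value as a candidate DPAPI blob.
    # ASSUMPTION: we do not rely on any particular value or subkey naming under FveAutoUnlock.
    $keys = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            if ($k.GetValueKind($name) -eq [Microsoft.Win32.RegistryValueKind]::Binary) {
                [pscustomobject]@{ Key = $k.Name; Name = $name; Data = [byte[]]$k.GetValue($name) }
            }
        }
    }
}

function Unprotect-Dpapi([byte[]]$Blob) {
    # Same call DataProtectionDecryptor makes when run as the owning account.
    # ASSUMPTION: no optional entropy was used when the blob was protected.
    [System.Security.Cryptography.ProtectedData]::Unprotect(
        $Blob, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
}

function New-PatchedBek([byte[]]$Template, [byte[]]$Key32) {
    # Copy of the template .bek with its last 32 bytes replaced, the edit the poster made in HxD.
    if ($Key32.Length -ne 32) { throw "expected 32 key bytes, got $($Key32.Length)" }
    $out = [byte[]]::new($Template.Length)
    [Array]::Copy($Template, $out, $Template.Length)
    [Array]::Copy($Key32, 0, $out, $out.Length - 32, 32)
    return $out
}

# 0. The auto-unlock protector must still exist on the target volume. Disabling auto-unlock
#    removes it (see the follow-up reply), and then no registry blob will help.
$ext = (Get-BitLockerVolume -MountPoint $TargetDrive).KeyProtector |
       Where-Object KeyProtectorType -eq 'ExternalKey'
if (-not $ext) { throw "$TargetDrive has no ExternalKey protector; auto-unlock was removed." }
"ExternalKey protector IDs on ${TargetDrive}: $($ext.KeyProtectorId -join ', ')"

# 1. Pull and decrypt the DPAPI blob(s) and dump them so the key bytes can be located by eye.
$blobs = @(Get-BinaryRegValues $AutoUnlockKey)
if (-not $blobs) { throw "no REG_BINARY values under $AutoUnlockKey" }
foreach ($b in $blobs) {
    $plain = Unprotect-Dpapi $b.Data
    "$($b.Key)\$($b.Name): $($plain.Length) bytes decrypted"
    ($plain | ForEach-Object { $_.ToString('x2') }) -join ' '
    $b | Add-Member -NotePropertyName Plain -NotePropertyValue $plain
}
$plain = $blobs[0].Plain
$start = if ($KeyOffset -lt 0) { $plain.Length - 32 } else { $KeyOffset }
$key32 = [byte[]]$plain[$start..($start + 31)]

# 2. Template .bek: add an external-key protector to the test volume and let manage-bde save it.
manage-bde -protectors -add $TemplateDrive -RecoveryKey $WorkDir | Out-Null
$template = Get-ChildItem -Path $WorkDir -Filter '*.bek' | Sort-Object LastWriteTime | Select-Object -Last 1
$keyO = [System.IO.File]::ReadAllBytes($template.FullName)

# 3. Write the patched key file and attempt the unlock.
$keyT = Join-Path $WorkDir 'KeyT.bek'
[System.IO.File]::WriteAllBytes($keyT, (New-PatchedBek $keyO $key32))
manage-bde -unlock $TargetDrive -RecoveryKey $keyT
```

Two caveats a practitioner should keep in mind. First, DPAPI needs the owning account's live logon session on the original machine: loading the system disk's hive on another PC (`reg load`) will let you read the blob, but `Unprotect` will fail there, because the DPAPI master key is derived from that account's credentials and lives in its profile (for SYSTEM, in the machine's LSA secrets), which is why the original poster, who cannot boot the laptop, cannot complete this with the registry alone. Second, if `manage-bde` rejects the patched file, the problem is usually the template or the byte offset rather than the DPAPI step; the later reply in this thread found the saved .bek changes substantially between protectors, so the "last 32 bytes" patch is a report from one system, not a documented format.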
  • Thanks for your detailed instructions. I followed them, but it seems it doesn't work in my case.

    I have a computer with a hardware TPM, so I enabled BitLocker for the C: drive, and also enabled auto-unlock for an external drive.

    One day I was trying to update the graphics driver, so I used the tool "DDU" to remove the driver. After that I found it had disabled the auto-unlock of the external drive. Unfortunately, I forgot the password and I didn't save the recovery key.

    I went to the registry and found the FVEAutoUnlock folder entry (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock). I exported it and decrypted it successfully. Following your approach, I created a test BitLocker drive with another USB thumb drive, enabled auto-unlock on it and saved an external key. However, using that template and the modified key file, it failed to unlock the external drive I want.

    Moreover, I found that the key file I created for the test drive cannot unlock the test drive itself after I have disabled auto-unlock on the test drive. So I re-enabled auto-unlock for the test drive and compared the external key files (the password is the same), and found that a large portion of it does change, so it seems the "template" isn't really interchangeable, at least in my case.



    • Edited by Sandbo Saturday, December 15, 2018 9:07 PM
    Saturday, December 15, 2018 9:05 PM
  • The recovery key is the only method we can use to get the data when a BitLocker drive is in recovery mode. If it's lost, I'm afraid we've lost it forever, as ZigZag pointed out. Please always keep the recovery key safe.

    If the data is very important, we could try asking for help from professional data recovery support.

    It is very important to keep this key.
    Saturday, December 15, 2018 9:16 PM
  • I think the reason that did not work for you, where it worked for me, is that my auto-unlock was not disabled. It was just inaccessible because it was under the SYSTEM account instead of a regular user's context. If auto-unlock is disabled, then the key you are retrieving from the registry is no longer one of the protectors on the drive. Disabling it removes the protector.

    If you run "manage-bde -protectors -get driveletter:" you can see what protectors are on a drive. You can have a lot of different key protectors (TPM, numerical password, DRA, etc.), and you should see one added and removed when you turn auto-unlock on and off.

    Monday, December 17, 2018 4:37 PM
  • Hello,

    I have absolutely the same case, but I think I have a problem with the template of the BEK file.
    How did you encrypt the USB device or HDD?
    Was it on the same client, or can I use any, like my own?

    Also, my template BEK shows 9 rows instead of 7...

    Hopefully you can help me...

    BR


    Tuesday, August 20, 2019 12:25 PM