- Overview
- Adding BitLocker Support to the Rescue Media
- Unlocking BitLocker-Encrypted Volumes in the Rescue Media
- Unlocking BitLocker-Encrypted Volumes Using a USB Drive
- Unlocking BitLocker-Encrypted Volumes with Manage-BDE
Overview
By default, Macrium Reflect rescue media does not include the components necessary to unlock a BitLocker-encrypted volume.
It isn't always necessary to unlock a BitLocker-encrypted volume when restoring an image of the encrypted partition. The partition will restore without issues, but it will require re-encryption on reboot.
However, unlocking the volume in Windows PE enables intelligent sector copy for faster imaging and cloning, Rapid Delta Restores for faster image restores, and enables access to encrypted volumes' contents, which is necessary if an image that will be restored is located on a BitLocker encrypted volume. Additionally, restoring to an unlocked volume will retain the encryption status of the volume when rebooting. More information about restoring BitLocker-encrypted volumes can be found here.
Adding BitLocker Support to the Rescue Media
Rescue media can be created using the 'Rescue' button on the quick actions menu at the top of Macrium Reflect or by selecting the 'Create Rescue Media...' option in the 'Other Tasks' menu on the top bezel:
Both of these options will open the 'Macrium Rescue Media Builder'.
In the Macrium Rescue Media Builder, select 'Advanced':
In the window that opens, ensure that 'Add BitLocker Support' has been selected:
Optionally, 'Automatically unlock BitLocker Volumes' can also be selected. If this option is selected, when Windows PE starts, any BitLocker-locked drives that were attached when the recovery media was created will automatically be unlocked.
Next, select 'OK'.
In the main Macrium Rescue Builder interface, select the media that will be used for the rescue media, then select 'Build':
Unlocking BitLocker-Encrypted Volumes in the Rescue Media
For some users, having BitLocker-encrypted volumes unlock automatically without user input may present an unacceptable security concern. If 'Automatically unlock BitLocker Volumes' wasn't selected when the rescue media was created, BitLocker-encrypted volumes can still be unlocked, but additional manual steps are required. The two methods are described below.
Unlocking BitLocker-Encrypted Volumes Using a USB Drive
BitLocker-encrypted drives can be unlocked automatically using BitLocker Encryption Key files (.BEK) and/or BitLocker password TXT files located on the root of any USB drive.
To create a new BitLocker Encryption Key file (.BEK) and/or BitLocker password TXT file, right-click on the BitLocker-encrypted volume on the 'This PC' page of Windows Explorer, then select 'Manage BitLocker':
In the window that opens, select 'Backup your recovery key':
In the BitLocker Drive Encryption wizard, select 'Save to a USB flash drive' and choose the USB device that will be used to unlock the encrypted volume in the rescue media:
Finally, click 'Save' and then 'Finish' in the BitLocker Drive Encryption wizard. This action will save a .BEK file and/or a recovery password text file to the chosen USB device.
The .BEK file is a protected operating system file; it is hidden by default and won't be visible within Windows Explorer. It can be made visible by changing Folder Options and deselecting the option to 'Hide protected operating system files.'
When Windows PE starts, ensure that the USB drive is attached to the system. The encrypted drives will then unlock automatically when Macrium Reflect initializes.
Unlocking BitLocker-Encrypted Volumes with Manage-BDE
Once the system has been booted using the rescue media, the BitLocker-encrypted partitions can be unlocked with the 'manage-bde' command.
To launch the Command Prompt, use the Command Prompt icon on the rescue media taskbar:
Running 'manage-bde' with no parameters displays the available parameters that can be used to interact with BitLocker encryption:
X:\Windows\System32>manage-bde
BitLocker Drive Encryption: Configuration Tool version 10.0.26100
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
manage-bde[.exe] -parameter [arguments]
Description:
Configures BitLocker Drive Encryption on disk volumes.
Parameter List:
-status Provides information about BitLocker-capable volumes.
-on Encrypts the volume and turns BitLocker protection on.
-off Decrypts the volume and turns BitLocker protection off.
-pause Pauses encryption, decryption, or free space wipe.
-resume Resumes encryption, decryption, or free space wipe.
-lock Prevents access to BitLocker-encrypted data.
-unlock Allows access to BitLocker-encrypted data.
-autounlock Manages automatic unlocking of data volumes.
-protectors Manages protection methods for the encryption key.
-SetIdentifier or -si
Configures the identification field for a volume.
-ForceRecovery or -fr
Forces a BitLocker-protected OS to recover on restarts.
-changepassword
Modifies password for a data volume.
-changepin Modifies PIN for a volume.
-changekey Modifies startup key for a volume.
-KeyPackage or -kp
Generates a key package for a volume.
-upgrade Upgrades the BitLocker version.
-WipeFreeSpace or -w
Wipes the free space on the volume.
-ComputerName or -cn
Runs on another computer. Examples: "ComputerX", "127.0.0.1"
-? or /? Displays brief help. Example: "-ParameterSet -?"
-Help or -h Displays complete help. Example: "-ParameterSet -h"
Examples:
manage-bde -status
manage-bde -on C: -RecoveryPassword -RecoveryKey F:\
manage-bde -unlock E: -RecoveryKey F:\84E151C1...7A62067A512.bek
In the example below, 'manage-bde -unlock C: -password' has been used to prompt for a password to unlock the C: drive:
Once the manage-bde command has been run, the BitLocker encryption status of the partition will change in Macrium Reflect:
If the BitLocker encryption status does not update automatically, select 'Refresh' on the 'Create Backups' tab.
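As an added example that is not part of the original article or of Macrium's tooling, the following batch script for the rescue media command prompt combines the two methods above: it checks a volume's lock status with manage-bde, tries any .BEK file found in the root of the attached drives (as in the USB drive method), and otherwise prompts for the 48-digit recovery password. The script name unlock-bl.cmd, the example volume letter, and the assumption that manage-bde exits with a non-zero code when an unlock fails are mine.

```batch
@echo off
rem Added example for the rescue media command prompt; not part of Macrium
rem Reflect or its documentation. Unlocks one BitLocker volume using the
rem first .BEK found in the root of any attached drive, then falls back to
rem the 48-digit recovery password. Usage: unlock-bl.cmd D:
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<volume^>    e.g. %~nx0 D:
    exit /b 1
)
set "VOL=%~1"

rem Skip volumes that are already unlocked (not encrypted, or auto-unlocked)
manage-bde -status %VOL% | findstr /i /c:"Lock Status" | findstr /i "Unlocked" >nul
if not errorlevel 1 (
    echo %VOL% is already unlocked.
    exit /b 0
)

rem .BEK files are hidden+system, so a plain FOR wildcard would skip them;
rem "dir /a-d" lists them regardless of attributes. X: is the WinPE RAM disk.
for %%D in (C D E F G H I J K L M N O P Q R S T U V W Y Z) do (
    for /f "delims=" %%K in ('dir /a-d /b "%%D:\*.bek" 2^>nul') do (
        echo Trying external key %%D:\%%K
        rem Assumption: manage-bde exits non-zero when the key does not match
        manage-bde -unlock %VOL% -RecoveryKey "%%D:\%%K" >nul 2>&1
        if not errorlevel 1 (
            echo %VOL% unlocked with %%D:\%%K
            exit /b 0
        )
    )
)

rem No usable key file found: fall back to the numerical recovery password
echo No matching .BEK found in any drive root.
set /p "RP=Enter the 48-digit recovery password for %VOL%: "
manage-bde -unlock %VOL% -RecoveryPassword %RP%
if errorlevel 1 (
    echo Unlock failed for %VOL%.
    exit /b 1
)
echo %VOL% unlocked. Select Refresh in Macrium Reflect if the status does not update.
exit /b 0
```

The recovery password entered at the prompt is echoed on screen, which is acceptable at a rescue console but worth remembering if someone is watching.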