
April 27th, 2019 19:00

XPS 13 9360, Windows 10 Home, how to retrieve bitlocker key?

My XPS-13 was purchased with "Windows 10 Home" and a 256GB SSD drive. I did not know that its data partition for the C: drive was already encrypted with BitLocker. It turns out that Windows 10 Home does not support BitLocker... nonetheless... some of the utilities are available to manage it (manage-bde). Virtually none of the Windows 10 Pro GUI dialog boxes are available to manage BitLocker. Only one button in a GUI is available to disable (unencrypt) the drive.

QUESTION: Should I disable BitLocker and decrypt this drive? Without the BitLocker key I'm living dangerously should I have to replace the drive. I've tried to get the key with manage-bde and had no success. Also, I tried retrieving it from my Microsoft account. It only shows that BitLocker is SUSPENDED.

This problem came to light while doing an image backup with TeraByte Windows software. Only with certain settings (VSS locking) am I able to backup the image such that I can read the directories and files from the image in TBIView.

Walt Rogers

4 Operator


14K Posts

April 27th, 2019 19:00

Here's the deal.  As you've found, if your PC meets certain hardware requirements, Windows 10 Home will provide limited support for some BitLocker features under the name "Device encryption" as opposed to full BitLocker.  At least some Dell system models that ship with Windows 10 Home ship with BitLocker "pre-staged", i.e. technically the C drive is encrypted, but BitLocker is suspended, so it behaves as a normal partition.  The reason is that at this point, the user hasn't backed up a Recovery Key, so enabling encryption would be unsafe.  If however you choose to link your Windows logon account to your Microsoft account, then your Recovery Key is backed up to your Microsoft account in the cloud and BitLocker is fully enabled -- which happens instantaneously because again, technically the drive was already encrypted in advance, so at this point BitLocker just needs to remove the plaintext key that was allowing the encryption to operate in suspended mode.

Unfortunately, the user isn't informed about any of this.  They're not told that their drive is encrypted, where to get their Recovery Key if they ever need it, or even that there's a Recovery Key in the first place.  And even worse, if the user ever sees a Recovery Key prompt (as they might after a BIOS update or other configuration change, or a motherboard replacement), that prompt doesn't even suggest checking their Microsoft account to find it, leaving them with no idea how to get a Recovery Key they didn't even know they ever needed -- because again, keep in mind that this Recovery Key prompt might be the first time the user learns that their drive was encrypted in the first place.  There are several threads on these forums about this coming as a rather nasty surprise to people.

In terms of what to do, I have a Windows 10 Home system that can use BitLocker myself, and you actually CAN retrieve your Recovery Key using manage-bde.  The command is "manage-bde -protectors -get C:".  The Recovery Key is the "Numerical Password" protector.  If you don't see one, you can add a Recovery Key protector by entering "manage-bde -protectors -add c: -RecoveryPassword".  (Yes, RecoveryPassword is correct, because ironically "RecoveryKey" in manage-bde refers to a completely different type of protector than what BitLocker calls a Recovery Key in its user-facing interface.  Gotta love Microsoft...)  Additionally, manage-bde can actually be used to enable BitLocker even if you DON'T link your Windows logon account to a Microsoft account, which is what I've done because I like having my data encrypted but do NOT like using my Microsoft account to log onto my PC.  I just made sure to add a Recovery Key to my drive before enabling it.

The other command you may want to use is "manage-bde -status".  If the Protection Status of your C drive says "Off", it means your drive is either unencrypted or suspended, but you can fix either of those things with further manage-bde commands -- but again, add a Recovery Key and back it up before you flip it on.  Or you can of course completely turn it off rather than just having it in suspend mode.  Hopefully this helps!

4 Operator


14K Posts

April 27th, 2019 19:00

@warogers999  in addition to my post above, since you're looking at disk imaging solutions, if you decide to keep BitLocker around, you might want to look at Macrium Reflect, since it has some very cool features where BitLocker is concerned, especially the paid versions.

For example, in general backups of BitLocker volumes will be performed while the partition is unlocked, i.e. encrypted but usable, as would be the case when you're using Windows in the case of your C drive.  In that case, the data in the image backup itself will be in the clear.  With Macrium Reflect, if you ever decide to restore that backup later, as long as you unlock (not fully decrypt) the target partition beforehand, Reflect can run a restore that both maintains the existing encryption on the target and only restores the data blocks that actually changed since the state of the backup you're restoring.  Every other imaging solution I know of would have to restore the entire partition and would restore it in unencrypted form in this scenario, which both takes longer (potentially a LOT longer) and means you wrote unencrypted data to your disk.  On top of that, when Reflect backs up a BitLocker partition, it tags it as having been protected (even if it was unlocked at the time of the backup) so that if you ever try to restore it in such a way that it would be restored unencrypted, it will actually warn you about this.  That's very handy because the default BitLocker mode for the C drive is to just use the TPM, which means the user does not see a password prompt or anything even though encryption is enabled.  This means that if the partition was restored unencrypted, the user might otherwise never even notice that because the boot behavior won't be any different than it was when encryption was active.

One other perk if you ever need to perform periodic disk cloning is that Reflect can clone a BitLocker partition to another BitLocker partition and maintain the unique encryption on both disks.  So even if you run a clone while your source partition is unlocked, you can clone it to the destination, and not only will the destination keep its BitLocker encryption, it will even keep its unique Recovery Key and such.  And similarly to the image restore situation, if you perform periodic clones between the same source and destination, Reflect will only need to clone the data blocks that have changed since the last clone rather than cloning the entire partition every time.  It's very cool.

Macrium has a great KB article about their BitLocker support here if you're curious.

April 27th, 2019 20:00

Thanks...

 

I'll check out Macrium Reflect. Image backups with BitLocker partitions look to be a PITA. I may just decrypt it on my notebook. My financial records are in a separate encrypted file with TrueCrypt/VeraCrypt (mountable).

 

Walt

 

4 Operator


14K Posts

April 27th, 2019 20:00

I use Reflect to image BitLocker partitions on my own system and several other systems I support as an IT consultant, and with Reflect it’s literally as easy as imaging unencrypted partitions. The only decision to make is whether you want to embed auto-unlock keys for your BitLocker partitions into your bootable Rescue Media for convenience. If not, you need to use manage-bde to unlock the partitions manually in that environment if you want to take advantage of features like BitLocker Live Restore.

April 28th, 2019 12:00

jphughan...

Thanks for this information on BitLocker-encrypted drives for Windows 10 Home Dell products. Yes, figuring all this out was very time consuming. Your explanation has cleared it up for me (almost). I had already tried to get a key from manage-bde, but that failed. However, with your note I was able to add a key and now have it stored in a "safe place", a TrueCrypt/VeraCrypt vault mountable as a file I already use to protect important personal or financial records.

 

Since I'm not an enterprise user... just a home user, I think that I'll just decrypt the whole drive (actually just the C: partition) and keep using my TrueCrypt private encryption vault. That vault, which is a file, can easily be moved around, saved or sync'd with Dropbox. Given that Win 10 Home does not support BitLocker, there are lots of complexities in managing BitLocker (i.e. Googling around and reaching out to support forums) for someone who is not a professional system administrator. I suspect that there may be other unforeseen problems with image backups or replacing the drive that could cause problems in the future.

 

Thanks again...

 

Walt

4 Operator


14K Posts

April 28th, 2019 13:00

Seems reasonable. If you’re syncing your VeraCrypt container using Dropbox, however, make sure you disable the option to preserve the Date Modified timestamp on container files. By default, for privacy reasons, TrueCrypt and VeraCrypt do NOT update the Date Modified timestamp as you modify the contents of the container. The container is also always the same total size regardless of how much actual data it contains. The problem that creates is that most file sync applications detect changes by looking for changes in the file size and/or Date Modified timestamp, so if neither of those things ever changes, the file would never get flagged for backup. Therefore you want to allow VeraCrypt to update the Date Modified timestamp to avoid that problem. Technically sync applications could look for changes to the file hash, which always changes when contents are updated, but that takes a lot longer to check, so sync applications normally don’t do that.
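The failure mode described in the reply above, shown as an added example that is not part of the thread or of any poster's own code: a fixed-size dummy file stands in for a VeraCrypt container (no VeraCrypt is involved), one block inside it is overwritten while the Date Modified timestamp is restored afterwards, and two change-detection strategies are compared. The size-plus-timestamp check a typical sync client uses reports no change, while a SHA-256 content hash does. The file name, size and offset are constructed for the demo.

```powershell
# Added example, not from the thread. Demonstrates why a sync tool that compares only
# file size and Date Modified misses edits to a container whose timestamp is preserved,
# while a content hash still detects the change. Runs on Windows PowerShell 5.1 / PowerShell 7.

function New-FixedSizeContainer {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][int]$SizeBytes)
    # Constructed stand-in for a VeraCrypt container: its size never changes with its contents.
    $bytes = New-Object byte[] $SizeBytes
    [System.IO.File]::WriteAllBytes($Path, $bytes)
}

function Get-SyncSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # What a sync client can cheaply observe (Size, Modified) plus the expensive check (Hash).
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Size     = $item.Length
        Modified = $item.LastWriteTimeUtc
        Hash     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Update-ContainerPreservingTimestamp {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][int]$Offset, [Parameter(Mandatory)][byte]$Value)
    # Simulates the TrueCrypt/VeraCrypt default: rewrite one block, then put the old
    # Date Modified timestamp back so the edit is invisible to a timestamp check.
    $oldWrite = (Get-Item -LiteralPath $Path).LastWriteTimeUtc
    $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite')
    try {
        $fs.Position = $Offset
        $fs.WriteByte($Value)
    } finally {
        $fs.Dispose()
    }
    [System.IO.File]::SetLastWriteTimeUtc($Path, $oldWrite)
}

function Test-ChangeDetection {
    param([Parameter(Mandatory)][string]$Path)
    # Returns whether each strategy noticed the edit.
    $before = Get-SyncSnapshot -Path $Path
    Update-ContainerPreservingTimestamp -Path $Path -Offset 4096 -Value 0xFF
    $after = Get-SyncSnapshot -Path $Path
    [pscustomobject]@{
        SizeOrTimestampChanged = ($before.Size -ne $after.Size) -or ($before.Modified -ne $after.Modified)
        HashChanged            = ($before.Hash -ne $after.Hash)
    }
}

# Usage: create a 1 MB dummy container in the temp folder, edit it, compare, clean up.
$container = Join-Path $env:TEMP 'dummy-container.hc'
New-FixedSizeContainer -Path $container -SizeBytes 1MB
Test-ChangeDetection -Path $container
Remove-Item -LiteralPath $container
```

The byte written at offset 4096 is chosen arbitrarily; any single-byte change inside the file is enough for the hash to differ while size and timestamp stay identical, which is exactly the case a size/timestamp-based sync client never flags.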

April 28th, 2019 15:00

jphughan

 

Thanks for the info on making sure TrueCrypt/VeraCrypt container files update their timestamp when files inside are modified.

My XPS-13 SSD C: drive is now unencrypted. No more bother with the complexities of image backups of a BitLocker-encrypted partition. I'll just make sure important info is in my TrueCrypt container filesystem. Hope that this helps others with their laptops.

 

Walt Rogers

 

1 Message

June 12th, 2019 21:00

Thank you for a very helpful post JP. I'm contemplating using BitLocker on my laptop (XPS13 9380). It has two partitions: C: system drive and D: for data. Since I'm on Windows 10 Home, I must use the command line manage-bde. My laptop has TPM 2.0. I would like the boot-up to be seamless with Windows, i.e. no additional password entry every time I start Windows.

As I understand it, the commands i need are:

to check current status:

manage-bde -status

(currently all off, but when I bought the laptop it was on, as per your description)

Do I need to clear out the TPM before proceeding?

 

Add TPM key protector for each partition:

manage-bde -protectors -add c: -tpm

manage-bde -protectors -add d: -tpm

 

Add a recovery password in case I need to decrypt the partitions on another computer:

manage-bde -protectors -add c: -rp

manage-bde -protectors -add d: -rp

 

Save the recovery password:

manage-bde -protectors -get c:

manage-bde -protectors -get d:

 

Turn BitLocker on with an AES256 key and used-space-only encryption:

manage-bde -on c: -em AES256 -used

manage-bde -on d: -em AES256 -used

 

To turn off: manage-bde -off c:

manage-bde -off d:

 

***In case of emergency, or to unlock the drive on another PC, use the recovery password:

manage-bde -unlock d: -recoverypassword 111111-222222-333333-444444-555555-666666-777777-888888

 

To pause protection, for example to update the BIOS:

manage-bde -protectors -disable c:

and then to re-enable:

manage-bde -protectors -enable c:

Does protection on the D: drive need to be paused for a BIOS update?

 

***Am I correct in assuming that all I need to decrypt the drive on another PC is the recovery password? Are there any other commands that I'll definitely need? I'm currently using AOMEI Backupper for system imaging and backup, but Macrium Reflect seems to have some great BitLocker-related options. Will definitely look into using that. Cheers
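The manage-bde sequence jphughan describes (retrieve the "Numerical Password" protector with -protectors -get, add one with -RecoveryPassword if missing, back it up, only then turn protection on) and the step list in the post above, combined into one PowerShell wrapper as an added example. This is not code from the thread, from Dell or from Microsoft. It assumes an elevated PowerShell prompt on Windows 10 with manage-bde.exe on the PATH, and it assumes that "manage-bde -protectors -get" prints a recovery password as eight six-digit groups joined by hyphens, the shape shown in the -unlock line above; the key file path in the usage line is a placeholder for your own off-volume location. The point of the wrapper is the ordering: it refuses to run -on until a recovery password exists and has been written out and read back.

```powershell
# Added example, not code from this thread or from any poster. Wraps the manage-bde
# commands discussed above so that a Recovery Password (the "Numerical Password"
# protector) exists and has been saved OFF the volume before protection is turned on.
# Assumptions: elevated PowerShell on Windows 10, manage-bde.exe on PATH, and that
# "manage-bde -protectors -get" prints the recovery password as 8 groups of 6 digits.

$RecoveryPasswordPattern = '\b\d{6}(?:-\d{6}){7}\b'

function Invoke-ManageBde {
    param([Parameter(Mandatory)][string[]]$Arguments)
    # Runs manage-bde, returns its text output, and stops on a non-zero exit code.
    $output = & manage-bde @Arguments | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed (exit $LASTEXITCODE):`n$output"
    }
    return $output
}

function Get-RecoveryPassword {
    param([Parameter(Mandatory)][string]$Drive)
    # Every 48-digit recovery password currently attached to the volume (possibly none).
    $text = Invoke-ManageBde -Arguments @('-protectors', '-get', $Drive)
    [regex]::Matches($text, $RecoveryPasswordPattern) | ForEach-Object { $_.Value }
}

function Confirm-RecoveryPassword {
    param([Parameter(Mandatory)][string]$Drive)
    # Adds a Numerical Password protector if the volume has none, then proves one is present.
    $keys = @(Get-RecoveryPassword -Drive $Drive)
    if ($keys.Count -eq 0) {
        # Same command jphughan gives; -RecoveryPassword is the protector the GUI calls a Recovery Key.
        Invoke-ManageBde -Arguments @('-protectors', '-add', $Drive, '-RecoveryPassword') | Out-Null
        $keys = @(Get-RecoveryPassword -Drive $Drive)
    }
    if ($keys.Count -eq 0) { throw "No Numerical Password protector on $Drive; refusing to continue." }
    return $keys
}

function Export-RecoveryPassword {
    param([Parameter(Mandatory)][string]$Drive, [Parameter(Mandatory)][string]$Path)
    # Writes the key(s) to a location of the caller's choosing (a mounted VeraCrypt container,
    # removable media, ...) and reads the file back to verify the write actually succeeded.
    $keys = Confirm-RecoveryPassword -Drive $Drive
    $keys | Set-Content -LiteralPath $Path -Encoding ASCII
    $readBack = @(Get-Content -LiteralPath $Path)
    foreach ($k in $keys) {
        if ($readBack -notcontains $k) { throw "Key for $Drive not found in $Path after writing." }
    }
    return $keys
}

function Enable-DriveProtection {
    param([Parameter(Mandatory)][string]$Drive, [Parameter(Mandatory)][string]$KeyFile)
    # Order matters: recovery password saved and verified first, then TPM protector, then -on.
    $null = Export-RecoveryPassword -Drive $Drive -Path $KeyFile
    Invoke-ManageBde -Arguments @('-protectors', '-add', $Drive, '-tpm') | Out-Null
    # Same options as "-em AES256 -used" in the post above, spelled out in full.
    Invoke-ManageBde -Arguments @('-on', $Drive, '-EncryptionMethod', 'aes256', '-UsedSpaceOnly')
    Invoke-ManageBde -Arguments @('-status', $Drive)
}

# Usage from an elevated prompt (the key file path is a placeholder for your own safe location):
# Enable-DriveProtection -Drive 'C:' -KeyFile 'V:\bitlocker-recovery-C.txt'
# Enable-DriveProtection -Drive 'D:' -KeyFile 'V:\bitlocker-recovery-D.txt'
```

Run Export-RecoveryPassword on its own to do only the retrieve-and-save step from jphughan's post without enabling anything; Enable-DriveProtection is the full sequence, and it will throw rather than call -on if the key could not be read back from the file you gave it.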
