
I'm trying to obtain the 48-digit BitLocker recovery key from a failed drive. Here's what happened:

  1. Windows 10 Professional was installed on a Samsung 980 Pro 2TB drive. The login was a local user account with no password. No Microsoft account was used.

  2. Bitlocker was enabled. The computer after power on goes to the Windows desktop with no user input required (and with the drive unlocked).

  3. Samsung 980 Pro 2TB drive fails due to bug in firmware 3B2QGXA7. The drive is in permanent read-only mode, with most of the data still intact.

  4. Due to the read-only mode, Windows cannot boot normally. Windows also cannot enter recovery mode.

  5. I used Clonezilla to make a disk image of the failed drive for future recovery.

  6. I used Clonezilla to copy the entire Samsung drive onto a known good drive. Windows on Good drive still cannot boot normally. Windows on Good drive can now enter recovery mode with an admin command prompt.

  7. Now I can try to obtain the 48-digit BitLocker recovery key via the command prompt. manage-bde -status returns:

        BitLocker Drive Encryption: Configuration Tool version 10.0.19041
        Copyright (C) 2013 Microsoft Corporation. All rights reserved.

        BitLocker Driver Encryption:
        Volume C: []
        [Data Volume]

            Size:                 1760.45 GB
            BitLocker Version:    2.0
            Conversion Status:    Used Space Only Encrypted
            Percentage Encrypted: 100.0%
            Encryption Method:    XTS-AES 128
            Protection Status:    Protection Off
            Lock Status:          Unlocked
            Identification Field: Unknown
            Automatic Unlock:     Disabled
            Key Protectors:       None Found

  8. manage-bde -protectors C: -get returns:

        BitLocker Drive Encryption: Configuration Tool version 10.0.19041
        Copyright (C) 2013 Microsoft Corporation. All rights reserved.

        Volume C: []
        All Key Protectors

        ERROR: No key protectors found.

Here's where I'm stuck. In normal situations, manage-bde -protectors C: -get would return the 48-digit recovery key. But in my case it says No key protectors found.

  • If your computer can hold two disks, try to get the key from the old disk rather than from its copy.
    – harrymc
    Commented Feb 3 at 9:30

2 Answers


No key protectors found means the disk encryption key is currently stored unprotected on the disk. In other words, although the disk is technically encrypted, BitLocker is still in a "permanently unlocked" mode and there is nothing that would need to be recovered yet.

At this point you can either add the standard protectors using -protectors -add -?, or disable BitLocker and decrypt the disk outright, or just carry on with your regular data recovery process.

  • Thank you! Which protector would you suggest? I tried manage-bde -protectors -add C: -RecoveryPassword but it failed with ERROR (code 0x80310053) BitLocker Drive Encryption can only be used for limited provisioning or recovery purposes when the computer is running in pre-installation or recovery environments. Commented Feb 3 at 18:15
  • @u1686_grawity The current command prompt in recovery mode is extremely limiting. Would it be possible to mount the Good copy drive on a fully working Windows 11 computer and perform the key extraction there? Commented Feb 3 at 18:17
  • Ah, right, you're doing this from a recovery boot; I thought it was able to configure BitLocker but I guess it isn't. But what do you need the key extraction for? The disk already doesn't require a key to begin with. Commented Feb 3 at 18:18
  • I see, I guess that means cryptsetup on Ubuntu probably doesn't understand the concept of "encrypted but inactive" BitLocker yet. In that case you'll need to go through the full Windows installation to add some protectors (the point being that currently the disk has no keys at all, so there's nothing to "extract" yet – you'd be creating a recovery key). But a "recovery key" isn't the only way to decrypt a disk – it would be easier to add a plain old "password" protector instead. (A recovery key is kind of a secondary protector, after all.) Commented Feb 3 at 18:31
  • It is on disk, yes, and you can dump it with Dislocker or libBDE (or maybe cryptsetup bitlkDump? Cryptsetup's BitLocker support is a very new implementation and doesn't support all the edge cases yet), but the issue is that neither Windows nor Ubuntu would accept it as any input – the tools expect to prompt you for one of the protector keys, but the recovery key is not the same thing as the disk's AES key at all. (It's a key that would encrypt a copy of the disk's main AES key.) Commented Feb 3 at 18:48

The OP posted:

It's all good now. manage-bde -protectors -add C: -RecoveryPassword was exactly what I needed.

But I couldn't make sense of why what they claimed was their salvation was also what they claimed didn't work in the earlier comments. Here is what worked for me, and I'm wondering if this is what they meant to paste in their comment as their solution:

    manage-bde -off C:

to begin the decryption process, and

    manage-bde -status

periodically to monitor the decryption percentage until it had completed. Thanks Alex
