
Recovering Bitlocker recovery key when you have the password

What we are actually doing

This is a guide that walks you through decrypting a BitLocker-encrypted drive when you need to perform startup repair and don’t have the recovery key.

What you need

  • Windows Install/Recovery disc or USB drive
  • The Bitlocker password

Background info

So I had a problem this morning: my computer ran updates last night and some Windows startup files got corrupted. Normally this is an easy startup repair, but being as security-oriented as I am, I run BitLocker encryption on all my drives. No big deal, I think. I create a Windows install disk using my laptop, boot the desktop using the USB drive, select repair my computer, and I am prompted to enter the recovery key. I type in my recovery password, or tried to. I re-read the prompt above and realized I don’t have the recovery key for my C drive. I didn’t back it up as I should have. I skip the drive and all the other drives because I only need to decrypt my C drive.

The workaround

So there is no actual way to get the recovery key even if you have the BitLocker password. However, if, like me, you need the recovery key for a boot-time repair operation or similar, or maybe you just want to decrypt the drive, then you are in luck, because I managed to do just that.

  1. Boot the computer you are trying to work on from the Windows install disc/USB drive
  2. Select your language
  3. In the bottom left corner click on the small text that says “Repair your Computer”
  4. From the options select “Troubleshooting”
  5. From Advanced options select Command Prompt
  6. You will be prompted for your recovery key. Click “Skip this drive” and repeat for any other encrypted drives.
  7. From the command prompt type: manage-bde -status
  8. If you only have one drive, this should be easy. If you have more than one encrypted drive, you will need to properly identify the disk you are trying to fix.
  9. To unlock the drive type: manage-bde -unlock C: -password
  10. Enter your password for the drive. If you enter it properly, you will be given the message “The password successfully unlocked volume C:.”
  11. Next type the following to decrypt the drive: manage-bde -off C:
  12. You should get a message that “Decryption is now in progress.”
  13. Use the “manage-bde -status” command to monitor the progress of the decryption.
  14. Once the “Percentage Encrypted:” is 0.0% you can reboot and perform any necessary maintenance.
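
Steps 7 to 14 can also be run as one batch file from the recovery Command Prompt. This is an added example, not part of the original post. The script name, the 30-second polling interval, English-language manage-bde output, and the presence of findstr.exe and ping.exe in the recovery environment are assumptions.

```batch
@echo off
rem Added example: steps 7-14 of the guide as one batch file.
rem Usage (script name is hypothetical):  bde-decrypt.cmd C:
setlocal
set "VOL=%~1"
if "%VOL%"=="" (
    echo Usage: %~nx0 C:
    exit /b 1
)

rem Steps 7-8: show the volume so you can confirm it is the disk you mean to fix.
manage-bde -status %VOL%
if %errorlevel% neq 0 exit /b 1

rem Steps 9-10: unlock with the BitLocker password (manage-bde prompts for it).
manage-bde -unlock %VOL% -password
if %errorlevel% neq 0 (
    echo Unlock of %VOL% failed. Decryption was not started.
    exit /b 1
)

rem Steps 11-12: start decryption.
manage-bde -off %VOL%
if %errorlevel% neq 0 (
    echo Could not start decryption of %VOL%.
    exit /b 1
)

rem Steps 13-14: poll until the "Percentage Encrypted:" line reads 0.0%.
rem Assumes English output with a "." decimal separator; press Ctrl+C to stop.
:poll
manage-bde -status %VOL% | findstr /c:"Percentage Encrypted"
manage-bde -status %VOL% | findstr /r /c:"Percentage Encrypted: *0\.0%%" >nul
if %errorlevel% equ 0 goto done
rem ping to the loopback address serves as a 30-second delay (assumed available).
ping -n 31 127.0.0.1 >nul
goto poll

:done
echo %VOL% is fully decrypted. Reboot and perform the repair.
endlocal
```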