What we are actually doing
This is a guide that walks you though decrypting a Bitlocker encrypted drive when you need to perform startup repair and don’t have the recovery key.
What you need
- Windows Install/Recovery disc or USB drive
- The Bitlocker password
So I had a problem this morning, my computer ran updates last night and some Windows startup files got corrupted. Normally this is an easy startup repair but being security oriented as I am I run Bitlocker encryption on all my drives. Not big deal I think, I create a Windows install disk using my laptop. Boot the desktop using the USB drive and select repair my computer and I am prompted to enter the recovery key. I type in my recovery password, or tried to. Re-read the prompt above and realized, I don’t have the recovery key for my C drive. I didn’t back it up as I should have. I skip the drive and all the other drives because I only need to decrypt my C drive.
So there is no actual way to get the recovery key even if you have the Bitlocker password. However, if like me you need the recovery key for a boot time repair operation or similar, or maybe you just want to decrypt the drive then you are in luck because I managed to do just that.
- Boot the computer you are trying to work on from the Windows install disc/USB drive
- Select your language
- In the bottom left corner click on the small text that says “Repair your Computer”
- From the options select “Troubleshooting”
- From Advanced options select Command Prompt
- You will be prompted for your recovery key, click “Skip this drive”, repeat for any other encrypted drives.
- From the command prompt type:
- If you only have one drive this should be easy, if you have more than one encrypted drive you will need to properly identify the disk you are trying to fix.
- To unlock the drive type:
manage-bde -unlock C: -password
- Enter your password for the drive and if you enter it properly you will be given a message “The password successfully unlocked volume C:.”
- Next type the following to decrypt the drive:
manage-bde -off C:
- You should get a message that “Decryption is now in progress.”
- Use the “
manage-bde -status” command to monitor the progress of the decryption
- Once the “Percentage Encrypted:” is 0.0% you can reboot and perform any necessary maintenance.