Today I was asked for the BitLocker Recovery Key for a previous client. Since they’re not my client anymore that’s information that I don’t (and wouldn’t want to) have in my possession.
That begs the question:
“What do you do if you lost (or if nobody documented) the BitLocker Recovery Key?”
If you have administrator access to the running server, you can obtain the key from an elevated (administrative) Command Prompt with manage-bde.exe.
GETTING HELP
Typing the name of the executable with no parameters prints the built-in help text.
manage-bde

BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

manage-bde[.exe] -parameter [arguments]

Description:
    Configures BitLocker Drive Encryption on disk volumes.

Parameter List:
    -status          Provides information about BitLocker-capable volumes.
    -on              Encrypts the volume and turns BitLocker protection on.
    -off             Decrypts the volume and turns BitLocker protection off.
    -pause           Pauses encryption or decryption.
    -resume          Resumes encryption or decryption.
    -lock            Prevents access to BitLocker-encrypted data.
    -unlock          Allows access to BitLocker-encrypted data.
    -autounlock      Manages automatic unlocking of data volumes.
    -protectors      Manages protection methods for the encryption key.
    -tpm             Configures the computer’s Trusted Platform Module (TPM).
    -SetIdentifier or -si
                     Configures the identification field for a volume.
    -ForceRecovery or -fr
                     Forces a BitLocker-protected OS to recover on restarts.
    -changepassword  Modifies password for a data volume.
    -changepin       Modifies PIN for a volume.
    -changekey       Modifies startup key for a volume.
    -upgrade         Upgrades the BitLocker version.
    -ComputerName or -cn
                     Runs on another computer. Examples: "ComputerX", "127.0.0.1"
    -? or /?         Displays brief help. Example: "-ParameterSet -?"
    -Help or -h      Displays complete help. Example: "-ParameterSet -h"

Examples:
    manage-bde -status
    manage-bde -on C: -RecoveryPassword -RecoveryKey F:\
    manage-bde -unlock E: -RecoveryKey F:\84E151C1…7A62067A512.bek
CHECKING DRIVE STATUS
To check the BitLocker status of all drives, type:
manage-bde -status

BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:

Volume E: [BARRETT]
[Data Volume]

    Size:                 14.50 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Automatic Unlock:     Disabled
    Key Protectors:       None Found

Volume G: [BARRETT32GB]
[Data Volume]

    Size:                 29.02 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Automatic Unlock:     Disabled
    Key Protectors:       None Found
Note: You may notice in the above example that the C: volume is not shown. That’s because on this PC BitLocker has not been set up yet.
OBTAINING AN EXISTING RECOVERY KEY
To print the key protectors for a volume, including its recovery password, to the screen, just type the following:
manage-bde -protectors c: -get
(Substitute whatever drive letter you need the key for.)
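The two steps above (list the volumes with -status, then read each volume's protectors with -protectors -get) are easy to script so the recovery passwords get documented before a machine changes hands. The following PowerShell is an added example, not code from the original post: it wraps manage-bde.exe, pulls the protector ID and 48-digit recovery password out of the tool's text output, and warns about volumes that have no recovery password to document. It assumes manage-bde.exe is on the PATH and the session is elevated; the sample output embedded at the bottom is constructed so the parser can be exercised offline, and the GUIDs and password in it are placeholders.

```powershell
# Added example (not from the original post). Assumes an elevated session with manage-bde.exe on PATH.

function Get-BitLockerVolumeLetter {
    param(
        # Raw 'manage-bde -status' output; when omitted the tool is run live.
        [string]$StatusText
    )
    if (-not $StatusText) { $StatusText = (& manage-bde.exe -status 2>&1) -join "`n" }
    # Each BitLocker-capable volume is introduced by a 'Volume X: [Label]' line.
    [regex]::Matches($StatusText, '(?m)^Volume ([A-Z]:)') | ForEach-Object { $_.Groups[1].Value }
}

function Get-BitLockerRecoveryPassword {
    [CmdletBinding()]
    param(
        # Drive letter such as 'C:'; overridden by any 'Volume X:' line found in the parsed text.
        [string]$Drive = 'C:',
        # Raw 'manage-bde -protectors -get' output; when omitted the tool is run live.
        [string]$InputText
    )
    if (-not $InputText) {
        # 2>&1 keeps the tool's error text so an unprotected volume still yields a readable message.
        $InputText = (& manage-bde.exe -protectors -get $Drive 2>&1) -join "`n"
    }

    $results   = @()
    $currentId = $null
    foreach ($line in $InputText -split "`r?`n") {
        if ($line -match '^Volume ([A-Z]:)') { $Drive = $Matches[1]; continue }
        # Every protector block (TPM, Numerical Password, ...) carries an 'ID: {GUID}' line.
        if ($line -match '\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}') {
            $currentId = $Matches[0]
            continue
        }
        # Only the Numerical Password protector prints a password: eight 6-digit groups.
        if ($line -match '\b(?:\d{6}-){7}\d{6}\b') {
            $results += [pscustomobject]@{
                Drive       = $Drive
                ProtectorId = $currentId   # the ID you would quote to manage-bde -protectors -delete/-adbackup
                Password    = $Matches[0]
            }
        }
    }
    return $results
}

function Invoke-BitLockerRecoveryAudit {
    # Walk every volume; report documented passwords and flag volumes that have none.
    foreach ($letter in Get-BitLockerVolumeLetter) {
        $keys = Get-BitLockerRecoveryPassword -Drive $letter
        if ($keys) {
            $keys | Format-Table -AutoSize
        } else {
            Write-Warning ("{0} has no numerical password protector; create one with: " +
                           "manage-bde -protectors -add {0} -RecoveryPassword") -f $letter
        }
    }
}

# Constructed sample of 'manage-bde -protectors -get C:' output (placeholder GUIDs/password, not real).
$sampleProtectors = @'
BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: [OS]
All Key Protectors

    Numerical Password:
      ID: {3B1E1F5C-1111-2222-3333-444455556666}
      Password:
        111111-222222-333333-444444-555555-666666-777777-888888

    TPM:
      ID: {7A0D2C41-AAAA-BBBB-CCCC-DDDDEEEEFFFF}
'@

# Offline demonstration of the parser on the constructed sample.
Get-BitLockerRecoveryPassword -InputText $sampleProtectors | Format-Table -AutoSize

# Live audit, only when the tool is actually present on this machine.
if (Get-Command manage-bde.exe -ErrorAction SilentlyContinue) {
    Invoke-BitLockerRecoveryAudit
}
```

The parser keys off the GUID and the 48-digit pattern rather than the English section headings, so it copes with the indentation and localisation differences between Windows versions. Whatever it returns is the same secret the recovery screen asks for, so write the output to your documentation system (or escrow it in AD/MBAM) rather than leaving it in a transcript or console history.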
HOW DOES THAT WORK?
If you would like to know more about the -protectors and -get flags, type:
manage-bde -protectors -get -h
Or you can check out more info on TechNet:
https://technet.microsoft.com/en-us/library/ff829848.aspx
I hope that helps!