Today we’ll describe how to recover data from a damaged or inaccessible hard drive encrypted with BitLocker. We will show a simple case and a case with a damaged BitLocker drive. Such an issue may occur due to file system corruption on an encrypted disk (for example, damage to the area of the hard disk where BitLocker stores its metadata, caused by an unexpected system shutdown), the inability to boot the OS or the BitLocker recovery console, and similar failures that prevent the encrypted drive from being opened normally. The described problems can arise both with a system disk and with a removable external or USB disk.
For data recovery we will use the Repair-bde.exe utility (BitLocker Repair Tool), a command-line tool that first appeared in Windows 7 / Server 2008 R2. It is used to access and recover the encrypted data on a damaged drive encrypted with BitLocker.
- Requirements for data recovery from a BitLocker volume
- How to unlock a BitLocker encrypted drive in Windows?
- How to unlock a BitLocker drive where Windows is installed?
- Data recovery using the BitLocker password
- Decrypt the volume using a BitLocker recovery key
- How to access a BitLocker encrypted drive in Linux?
Requirements for data recovery from a BitLocker volume
To recover data from a BitLocker-encrypted drive, you must have at least one of the following BitLocker security elements:
- BitLocker recovery password (the one that you enter in the Windows GUI when you unlock an encrypted disk);
- The BitLocker Recovery key;
- System startup key (.bek) – a key on a USB flash drive that allows you to automatically decrypt the boot partition without requiring the user to input a BitLocker password.
The BitLocker Recovery Key is a unique sequence of 48 characters. The recovery key is generated when the BitLocker volume is created. It can be printed (and stored in a safe place, for example, in a safe), saved to a text file on a local drive (this is not recommended, because if this disk is damaged you won’t be able to decrypt your data) or on an external drive, or saved to your online Microsoft account.
The BitLocker recovery key can be found in your account on the Microsoft website. Follow the link https://onedrive.live.com/recoverykey.
If you don’t have access to the BitLocker recovery key, you won’t be able to access your encrypted data, because BitLocker is designed to protect your files from other users.
A few nuances regarding the recovery of data from a BitLocker drive. The data needs to be restored to a separate disk at least the same size as the encrypted one. During the recovery all the contents of this disk will be deleted and replaced with the decrypted data from the BitLocker volume. In our example, the disk F: (2 GB in size) is a USB stick whose contents are encrypted with BitLocker and which cannot be opened for some reason. To recover the data, we attached an additional external hard disk Data (G:) with a size of 10 GB.
How to unlock a BitLocker encrypted drive in Windows?
The simplest situation is when you need to unlock a BitLocker encrypted drive from Windows. You probably have an external drive or USB flash drive protected with BitLocker that doesn’t open, or you want to open an encrypted drive on another computer.
Connect the drive to your computer and go to Control Panel -> System and Security -> BitLocker Drive Encryption (available in Professional and higher Windows editions). In the list of disks, select the BitLocker encrypted disk and click Unlock Drive.
Depending on the protection method, enter the password, PIN, or recovery key, or connect the smart card to unlock the drive. If you don’t know the password but the recovery key has been saved, select Advanced settings -> Enter recovery key.
If you have multiple recovery keys, you can determine which one you need using the identifier displayed in the window (compare it with the identifier stored alongside each saved key). If you specify the correct key, the disk is unlocked and you can access the data on it.
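As an added example (not code from the article), a small Python helper that checks a recovery key taken from saved key files before it is typed into the unlock dialog or passed to repair-bde: it matches the identifier prefix shown in the window against the saved files and verifies the 48-digit password’s structure (each 6-digit group is divisible by 11, its last digit being a check digit, and the quotient fits in 16 bits). The file contents and key values are constructed; the assumed file layout is the “Identifier:” / “Recovery Key:” text Windows writes when you save the key to a file.

```python
from __future__ import annotations
import re

# Constructed sample contents of two saved recovery-key files (layout follows the
# "Identifier:" / "Recovery Key:" lines Windows writes; the values are made up).
SAVED_KEY_FILES = {
    "BitLocker Recovery Key 2F538474.TXT": """BitLocker Drive Encryption recovery key
Identifier:
    2F538474-923D-4330-4549-61C32BA53345
Recovery Key:
    013574-720885-046662-344707-550000-109989-008547-660000
""",
    "BitLocker Recovery Key 7C0D11AA.TXT": """BitLocker Drive Encryption recovery key
Identifier:
    7C0D11AA-5E61-4B2F-9D3C-0A1B2C3D4E5F
Recovery Key:
    013574-720896-046662-344707-550000-109989-008547-660000
""",
}

def validate_recovery_password(key: str) -> list[str]:
    """Structural checks on a 48-digit recovery password; returns the problems found.
    Each 6-digit group must be divisible by 11 (the last digit is a check digit) and
    the quotient must fit in 16 bits, so a typo is caught before repair-bde is run."""
    groups = key.strip().split("-")
    if len(groups) != 8 or not all(re.fullmatch(r"\d{6}", g) for g in groups):
        return ["expected 8 groups of 6 digits separated by '-' (48 digits total)"]
    problems = []
    for i, group in enumerate(groups, 1):
        value = int(group)
        if value % 11:
            problems.append(f"group {i} ({group}) fails its check digit")
        elif value // 11 > 0xFFFF:
            problems.append(f"group {i} ({group}) is out of range")
    return problems

def parse_recovery_key_file(text: str) -> tuple[str, str] | None:
    """Extract (identifier, recovery key) from the text of a saved key file."""
    m_id = re.search(r"Identifier:\s*([0-9A-Fa-f-]{36})", text)
    m_key = re.search(r"Recovery Key:\s*([\d-]{55})", text)
    return (m_id.group(1).upper(), m_key.group(1)) if m_id and m_key else None

def find_key_for_identifier(displayed_prefix: str, files: dict[str, str]) -> str | None:
    """Return the well-formed key whose identifier starts with the prefix the unlock
    dialog shows, or None if no saved file matches (or the matching key is malformed)."""
    prefix = displayed_prefix.upper()
    for text in files.values():
        parsed = parse_recovery_key_file(text)
        if parsed and parsed[0].startswith(prefix) and not validate_recovery_password(parsed[1]):
            return parsed[1]
    return None

if __name__ == "__main__":
    print(find_key_for_identifier("2F538474", SAVED_KEY_FILES))
    print(validate_recovery_password("013574-720896-046662-344707-550000-109989-008547-660000"))
```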
How to unlock a BitLocker drive where Windows is installed?
Consider a case where your system drive (where Windows is installed) is encrypted using BitLocker and for some reason your Windows doesn’t boot correctly (blue screen of death, hangs on boot, incorrect updates, etc.).
Try to run the Windows Recovery Environment (it starts automatically if Windows fails to boot 3 times in a row). If WinRE is not working, you can boot from the Windows 10 installation disk, the MsDaRT 10 recovery image, or another bootable disk. To run the command prompt, select Troubleshoot -> Advanced options -> Command Prompt, or press Shift + F10.
Check the status of all the disks on the computer from the command line (this is how you identify the BitLocker encrypted drive):
The result of the command for one (or several) of the disks should contain the following text: “BitLocker Drive Encryption: Volume D”. This means that disk D: is encrypted.
Unlock it by running the command:
manage-bde -unlock D: -pw
The command will ask you to enter your BitLocker password:
Enter the password to unlock this volume:
If the password is correct, a message will appear:
The password successfully unlocked volume D:.
Your disk is decrypted and you can proceed to restore the OS.
If you want to completely disable the BitLocker drive protection, run:
manage-bde -protectors -disable D:
Restart the computer. Now the Windows boot drive is not encrypted.
Data recovery using the BitLocker password
First of all, try to restore your data using this method (it works in Windows 8.1 / 10 and Windows Server 2012 / 2012 R2 / 2016 or later):
- Run the command prompt as an administrator;
- Run the following command:
repair-bde F: G: -pw -Force
where F: is the disk with the BitLocker data and G: is the disk to extract the decrypted data to;
- While the command is running, you’ll have to enter the BitLocker password (the one a user specifies in the Windows GUI to access the encrypted volume).
Decrypt the volume using a BitLocker recovery key
To decrypt data on a damaged volume encrypted with BitLocker, you will need a recovery key or a system startup key (if the system partition is encrypted).
Run the data recovery using this key:
If BitLocker is used to encrypt the Windows system partition and a special boot key on the USB flash drive is used to boot the system, you can decrypt the volume this way:
repair-bde F: G: -rk I:\2F538474-923D-4330-4549-61C32BA53345.BEK -Force
where 2F538474-923D-4330-4549-61C32BA53345.BEK is the BitLocker Drive Encryption startup key file on the USB flash drive I: (by default, this file is hidden).
After the data recovery and decryption are finished, check the disk to which the volume contents have been extracted before opening it. To do so, run the following command and wait until the process is complete:
Chkdsk G: /f
How to access a BitLocker encrypted drive in Linux?
You can open a BitLocker encrypted disk in Linux. To do this, you need the DisLocker utility and the BitLocker recovery key.
Some distributions (for example, Ubuntu) already provide a dislocker package. If the utility is not installed, download and compile it manually (the archive is gzip-compressed, so use -z):
tar -xvzf dislocker.tar.gz
The INSTALL.TXT file indicates that you need to install the libfuse-dev package:
sudo apt-get install libfuse-dev
Now compile the package:
cd src/
make
make install
Go to the /mnt directory and create two directories (for the encrypted and the decrypted partition):
mkdir Encr-part
mkdir Decr-part
Find the encrypted partition (with the fdisk -l command) and decrypt it using the recovery key into the first directory:
dislocker -r -V /dev/sdb1 -p your-bitlocker-recovery-key /mnt/Encr-part
In this example, we use the DisLocker utility in FUSE mode (Filesystem in Userspace), which allows users to create their own file systems without kernel privileges. In FUSE mode, only the blocks the system actually accesses are decrypted (“on the fly”). Data access is slower as a result, but this mode is much safer.
Mount the decrypted image (the dislocker-file that DisLocker exposes in the first directory) as a loop device:
mount -o loop /mnt/Encr-part/dislocker-file /mnt/Decr-part
You should now see all the files on the encrypted partition.