
Restore with Bitlocker


Hello everyone,

I have encrypted my system (C) and my data (D) with Bitlocker.
The same goes for external hard drives, which I decrypt with a password when I use them.

Questions:

1. Can I restore from D if my system is corrupt, and what is required for that?
The Bitlocker key is available externally.

2. How does a restore work with external hard drives that have to be decrypted with a password?
The Bitlocker key is available externally.

Asking for your support, and with best regards,
Willy


Willy wrote:

Hello everybody,

I encrypted my system (C) and my data (D) with Bitlocker.
Likewise, external hard drives, which I decrypt with a password when using them.

Ask:

1. Can I restore D if my system is corrupt, or what is required?
Bitlocker key is available externally.

2. How is it with a restore of ext. Hard drives that need to be decrypted with a password?
Bitlocker key is available externally.

With the request for support and best regards,
Willy

If you have created your backup images using the ATI 2020 / 2021 application running within Windows 10, then the backup files created by ATI will not be encrypted by BitLocker because this was unlocked and transparent to the ATI program at that time.

If your backup files are being written to an unlocked BitLocker encrypted external drive, then you would need to be able to unlock that drive in order to access the backup files when doing any recovery operation.

The normal Acronis Rescue Media on DVD or USB stick has no support for BitLocker, so you would need to use the MVP Custom PE Builder script to create new rescue media and take the option within the script to include BitLocker support, so that you could unlock your backup storage drive in order to recover your C: OS drive, or if wanting to recover your D: drive using rescue media.

If you are able to boot normally into Windows 10 from your C: drive, then you could recover your D: drive from within Windows using the ATI GUI application.

Hello Steve,
Thank you for your support.
We've had a long conversation because of the PE Builder script. That was a long time ago and back then we had to adapt a lot, do you still know?
Unfortunately, I am no longer in the subject, so the question:
Where and where do I need to enter the password to decrypt the external hard drives?
Best regards,
Willy

Hello Willy,

Once you are booted into the MVP Custom PE rescue media, you would need to open a Command prompt window then use the manage-bde command with the appropriate command switch to unlock your encrypted drive.

The last time I played with this (back in 2018) I included a small batch command file in my D:\MVP_ATIPEBuilder_v186\Extra\x64 folder to do the unlocking when it was run.

BitLockerUnlock.bat

rem Unlock BitLocker protected drive from WinPE
manage-bde -unlock d: -rk BitLockerRecoveryKey.txt

rem manage-bde -unlock d: -rp 646635-114961-231099-277860-386144-683056-530211-438922

If using manage-bde -unlock d: -rk then you need to provide a text file containing the unlock key to be used, otherwise if using -rp you can put the full password string directly into the bat file.

You would need to check what actual drive letter the locked drive has when in the WinPE boot environment, as this is likely to be different to the letter used when in Windows.

Hello Steve,

so that there is no misunderstanding, here is the hint that it is only about the external hard drives, which are decrypted with a password (not with the long key). So when I connect these hard drives, I can only open them with the password. That's what I'm all about.
Otherwise I have a working USB stick with PE Builder script and the Bitlocker key from C:.
We both screwed around on it for a long time and since then I haven't tested the emergency.
For security reasons, I also created system images with Windows 10 on-board media.

Willy, see the help text for manage-bde -unlock -? which shows:

C:\WINDOWS\system32>manage-bde -unlock -?
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

manage-bde -unlock Volume
                    {[{-RecoveryPassword| -rp} NumericalPassword] |
                    [{-RecoveryKey|-rk} PathToExternalKeyFile]}
                    [{-Certificate|-cert} {-cf PathToCertificateFile|
                                           -ct CertificateThumbprint} {-pin}]
                    [{-Password|-pw}]
                    [{-ADAccountOrGroup|-sid} [{SID|domain\user|domain\group}]
                    [{-ComputerName|-cn} ComputerName]
                    [{-?|/?}] [{-Help|-h}]

Description:
    Allows access to BitLocker-encrypted data with a recovery password,
    recovery key, certificate, or password.

Parameter List:
    Volume      A drive letter followed by a colon, a volume GUID path or
                a mounted volume. Example: "C:",
                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or
                "C:\MountVolume"
    -RecoveryPassword or -rp
                Provide a recovery password to unlock the volume.
    -RecoveryKey or -rk
                Provide an external key file to unlock the volume.
    -Certificate or -cert
                Query the local user certificate store for a BitLocker
                certificate to unlock the volume.
    -Password or -pw
                Prompt for a password to unlock the volume.
    -ADAccountOrGroup or -sid
                Attempt to unlock the volume using a SID-based Identity
                protector.
    -ComputerName or -cn
                Runs on another computer. Examples: "ComputerX", "127.0.0.1"
    -? or /?    Displays brief help. Example: "-ParameterSet -?"
    -Help or -h Displays complete help. Example: "-ParameterSet -h"

Examples:
    manage-bde -unlock -?
    manage-bde -unlock e: -RecoveryPassword ...
    manage-bde -unlock e: -RecoveryKey "f:\File Folder\Filename"
    manage-bde -unlock e: -Certificate -cf "c:\File Folder\Filename.cer"
    manage-bde -unlock e: -pw
    manage-bde -unlock e: -sid

C:\WINDOWS\system32>

You would need to use the -pw switch for the command.

Dear Steve

Thank you very much for your valuable support!
Unfortunately, I urgently need to take care of another construction site over the next few days. I'll come back after that.

Have a nice weekend.
Best regards,
Willy

Edit:

So, here I am again.
I was able to open the external drive with the password (not the Bitlocker key), from the running system.

But what if my system is corrupt and can't start? How can I open the drive?

Best regards,
wisch

Willy, if your system was corrupt, then you would need to boot using the MVP Custom WinPE rescue media with BitLocker support included, then you can use the

manage-bde -unlock e: -pw

command from a command prompt in the WinPE environment to do the unlocking of the encrypted drive and allow access to your backup image needed for recovery.

Hello Steve,

We did something together at the Custom WinPE-based Media Builder in December 2018. Is this tool still like 2 years ago, or is it updated?
On my restore stick from this time there is a *.bat with which I can open C: with the Bitlocker. Should I also copy the command "manage-bde -unlock e: -pw" to the *.bat?

Best wishes
Willy

Willy, the current version of the MVP Custom PE builder tool is available via the Community Tools page.

I have just done some basic testing just to refresh myself about this scenario!

First, I found an older 250GB HDD and reinitialised it to remove all old data, then setup BitLocker encryption on that drive using a password.

I rebuilt my own Custom WinPE rescue media with BitLocker then booted from this along with the encrypted drive connected.

To identify the encrypted drive, I opened a Command prompt window and used manage-bde -status which showed the drive was using drive letter H:

I was then able to unlock the drive using manage-bde -unlock H: -pw my-unlock-password

All the above was copied to a text document in Notepad running in the rescue media.

X:\Windows\system32>manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 10.0.18362
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[Data Volume]

    Size:                 200.83 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Automatic Unlock:     Disabled
    Key Protectors:       None Found

Volume H: [Label Unknown]
[Data Volume]

    Size:                 Unknown GB
    BitLocker Version:    2.0
    Conversion Status:    Unknown
    Percentage Encrypted: Unknown%
    Encryption Method:    AES 128
    Protection Status:    Unknown
    Lock Status:          Locked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:
        Password
        Numerical Password

X:\Windows\system32>manage-bde -unlock  H: -pw
BitLocker Drive Encryption: Configuration Tool version 10.0.18362
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Enter the password to unlock this volume:
The password successfully unlocked volume H:.

X:\Windows\system32>manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 10.0.18362
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[Data Volume]

    Size:                 200.83 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Automatic Unlock:     Disabled
    Key Protectors:       None Found

Volume H: [Seagate250gb]
[Data Volume]

    Size:                 232.88 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:
        Password
        Numerical Password

X:\Windows\system32>

Hello Steve,

ok, understood. Can't I copy the "manage-bde -status" and "manage-bde -unlock H: -pw" commands into the existing BitLockerUnlock.bat and then stop in between with rem?

Best regards,
Willy

Willy, you can add the commands to your batch command file but you will need to use 'pause' not rem if you want the script to stop and wait for you to press a key to continue.

Also, until you run the manage-bde -status, you may not know what your encrypted drive letter is?  It was H: for me due to having other drives present that took the earlier drive letters.

You could use the following batch commands:

@ECHO OFF
manage-bde -status
REM pause ignores any text after it, so show the prompt with ECHO first
ECHO Press any key to continue after identifying the BitLocker drive letter
pause
REM default to D: if nothing is entered, matching the [D:] hint in the prompt
SET BLdrive=D:
SET /P BLdrive="Enter BitLocker encrypted drive letter to unlock [D:]  "
manage-bde -unlock %BLdrive% -pw
ECHO Check that the previous command was successful
pause

This is working for me when tested using a command prompt (in Windows) with my encrypted drive still locked.

Hello Steve,

could you please check this batch again? After the drive letter (for me V:), I only move on with return.
Should I copy the commands to unlock C: before or after these commands?

Edit:

@ ECHO OFF
manage-bde -status
pause "Press any key to continue after identifying the BitLocker drive letter"
SET /P BLdrive =V:
manage-bde -unlock V: -pw
pause "Check that the previous command was successful"

Best regards,
Willy

Willy, if you have multiple encrypted drives that need to be unlocked, then you would need to repeat the unlock command for each locked drive.  This is where my version of the batch command file can be run as many times as is needed, and give the next locked drive letter and password each time it is used.

Hello Steve,

ok, I'm going to do a test, but I've got a bit of a stomach ache in front of it!
Am I on the safe side if - if something goes wrong - I have a system image created with on-board means of Windows 10?

Best regards,
Willy

Willy, for the purpose of doing any tests, you just need to boot your rescue media and prove that you can unlock any of your encrypted drives, you don't need to make any changes to the drives or do an actual recovery etc.

The key point here is to show that you could unlock the BitLocker protection and be able to access your backup archive files on the unlocked drive.

Hello Steve,

ok, I can unlock C: and an external drive. Thank you very much :-)
I created the USB stick (WinPE-based media) for recovery about 2 years ago. And now I'm working with version 2021. Do you think I should recreate the stick?

One more thing:
I have a screen resolution of 3840 x 2160. As a result, the view on my screen with the WinPE-based Media Builder is extremely small. Do you have an idea how I can improve the appearance of True Image?

Best regards,
Willy

Willy, if you are creating backup images using ATI 2021 then your rescue media needs to be from the same version in order to be able to correctly recognise and recover those images.  ATI is backwards compatible only, it is not tested or verified to be forwards compatible, and versions prior to ATI 2020 do not recognise .tibx files as being valid!

For rescue media, I always leave this to use the default VGA screen resolution regardless of the capability of the PC where I am using it.  The rescue media does not need to be Ultra High Definition for the purpose it is being used for.

Hello Steve,

I tried to create a new and up-to-date rescue media, according to your script.
However, it always breaks off with "System scan....."

Best regards,
Willy

Please create your new recovery media using the Acronis media builder and select the "Simple" option. That will give you a WinRE based media that will support BitLocker. It will also make True Image work with drives that you unlock using manage-bde.exe. The MVP Tool version 18.6 will not work because True Image will not recognize that the BitLocker drives have been unlocked.

Hello Mustang,

I did this, but now I'm missing some tools, like the file explorer.
What do you propose?

Best regards,
Willy

Hi Paul, I have tested both version 18.6 and 19.0 with ATI 2021 and BitLocker support and both have worked just fine for unlocking my encrypted drive and allowing a backup to be made using the unlocked drive, so am not seeing the problem where ATI didn't recognise that the drive was unlocked.

Willy, can you share the log from the MVP tool for the problem you have seen when using it?  On my system, the logs are in D:\MVP_ATIPEBuilder_v186\Logs as I have the tool folder in the root of my D: drive.

Hello Steve,

I can't find a record of trying to create a rescue media using your MVP script.
I can only tell you that, the script breaks off quickly when I get there "System scan....."

I could work with Mustang's proposal if I had the file explorer available. Then I could start the batch files that I copied to the USB stick to decrypt C: and the external hard drive, and then run a restore.

Best regards,
Willy

Willy, to have a file explorer available, you need to download and use the MVP Custom PE Builder that is available from the Acronis Community Tools page.  This is a zip file that should be extracted to your local drive then the MVP_ATIPEBuilder186.exe launched using 'Run as Administrator'.

Hello Steve,

yes, I did that, but your script breaks down, as I've already written.

Best regards,
Willy

Steve, with the USB stick we built 2 years ago with your script, I have everything I need, unfortunately an old version of ATI.

wisch wrote:

Hello Steve,

yes, I did that, but your script breaks down, as I've already written.

Best regards,
Willy

Willy, if you are running the MVP_ATIPEBuilder186.exe application and it gets as far as scanning for installed Acronis applications, then there should be a log text file in the Logs folder of the tool.

Hello Steve,
hello Mustang,

I have just received a visit over the weekend. Can we continue on Monday?
I politely ask for your understanding.

Best regards,
Willy

No problem Willy, have a great weekend!

wisch,

Make sure you are not running the MVP Tool script from any User area such as a Download folder. It should be run from the root of the C: drive for the greatest chance of success.

The A43 file explorer is included with the Acronis WinRE media. To access it you need to close the TI GUI and enter the following lines in the command window:

cd \Program Files\Acronis\TrueImageHome\A43

A43.exe

Then to open TI enter the following lines:

CD \Program Files\Acronis\TrueImageHome

TrueImage.exe


Steve,

I was under the assumption that the volsnap upper filter was needed to make TI work with BitLocker. That change was added to version 19.0. I'll test again with version 18.6 using the latest version of TI 2021 to see what happens with backups and restores.

Good news for my tests of TI 2021 build 32,010 backup and restore using MVP Tool version 18.6. Both backup and restore were successful with BitLocker unlocked using manage-bde.exe. That was a pleasant surprise. Acronis has made a change to the recovery version of TI that I didn't know about.

Thanks for confirming the findings Paul that unlocking BitLocker drives in the rescue media is working correctly now with ATI 2021 #32010. 

Hello, you both,

my visit has now said goodbye.

I have now started your script from the root to C:. But it always breaks off in the same place. Is it possible to insert the file explorer into the standard Rescue Media Builder to run the batches for unlocking Bitlocker drives if I can't get on with the script?

Best regards,
Willy

Willy, can you check again for any logs stored in the logs folder of the MVP tool please? 

Do you have any other Acronis applications installed as well as having ATI 2021?

Are you running the MVP tool using 'Run as Administrator' to launch the .exe file?


Hello Steve,

where do you want this log folder to be? And does it even exist if the script always breaks off?

ATI 2021 is installed

Of course "Run as Administrator"


Edit:

Hello Steve,

the script is running!!!!!
I chose 1 st. at the beginning, not 2.

I'll sign up after graduation.


Best regards,
Willy

Hello, you guys,

the script has run through and I no longer have to look at my screen with the magnifying glass. I could kiss your feet :-)

I have only one problem: the batch files no longer work for Bitlocker decryption.
I copied the batch files from the boot USB stick from 2018 to today's new stick.

Willy, great that the MVP script has run through successfully for you and solved the screen resolution issue.

For the BitLocker batch file, did you test the commands manually on your PC when booted from the rescue media?

Open a Command prompt window, then type in manually:

manage-bde -status    (to see which drive letters are locked / showing a size of 0)

manage-bde -unlock V: -pw  (using the drive letters found by the status command, then typing the password).

Rather than copying the batch file to the new stick in the way you have, you can put it in the D:\MVP_ATIPEBuilder_v186\Extra\x64 folder where it will be automatically copied to the stick when the script is used.  See example of my own x64 folder.

Steve, would you be ready to test my batch files on your machine?

Willy, yes to testing your batch files, but there is a problem with the File Upload feature in the forums so you would either need to copy the text of the .bat file here in the topic, or else send me a link to a cloud service where I can download the files (zipped) from, such as OneDrive, Dropbox, Google Drive etc.  You can send the link in a private message if you wish.

Steve, here is the contents of the batch files:

For C:

rem Unlock BitLocker protected drive from WinPE
@ Echo Off
manage-bde -status
pause
SET / P BLdrive =C:
manage-bde -unlock C: -pw
pause
manage-bde -unlock C: -rp [Key]
pause

For external hard drives with password:

rem Unlock BitLocker protected drive from WinPE
@ Echo off
manage-bde -status
pause
SET /P BLdrive =L:
manage-bde -unlock L: -pw
pause


wisch wrote:

Steve, here is the contents of the batch files:

For C:

rem Unlock BitLocker protected drive from WinPE
@ Echo Off
manage-bde -status
pause
SET / P BLdrive =C:
manage-bde -unlock C: -pw
pause
manage-bde -unlock C: -rp [Key]
pause

For external hard drives with password:

rem Unlock BitLocker protected drive from WinPE
@ Echo off
manage-bde -status
pause
SET /P BLdrive =L:
manage-bde -unlock L: -pw
pause

Willy, you don't need to include the SET /P lines when you know what the drive letter will be, so these are redundant in the script.  Also, if you are using -unlock with -pw, then you don't need to also use -unlock -rp to repeat the unlock a second time.

My own BitLocker unlock batch file just has the following and I would just run it again if I had more than one drive to unlock.

@ECHO OFF
manage-bde -status
REM pause ignores any text after it, so show the prompt with ECHO first
ECHO Press any key to continue after identifying the BitLocker drive letter
pause
REM default to D: if nothing is entered, matching the [D:] hint in the prompt
SET BLdrive=D:
SET /P BLdrive="Enter BitLocker encrypted drive letter to unlock [D:]  "
manage-bde -unlock %BLdrive% -pw
ECHO Check that the previous command was successful
pause

The SET /P line above is used to receive a drive letter entered by the user instead of hard-coding this in the script.

Steve, ok, works with external hard drive!!

What should be the commands for C: with the long key?

Updated version of my batch file to repeat the unlock if multiple drives are present.

@ECHO OFF
manage-bde -status
REM pause ignores any text after it, so show the prompt with ECHO first
ECHO Press any key to continue after identifying the BitLocker drive letter
pause
:repeat
REM default to D: if nothing is entered, matching the [D:] hint in the prompt
SET BLdrive=D:
SET /P BLdrive="Enter BitLocker encrypted drive letter to unlock [D:]  "
manage-bde -unlock %BLdrive% -pw
ECHO Check that the previous command was successful
pause
SET Repeat=N
SET /P Repeat="Do you want to unlock another drive Y/N ?"
REM quote both sides so an empty answer does not break the comparison
if /I "%Repeat%"=="Y" goto repeat

wisch wrote:

Steve, ok, works with external hard drive!!

What should be the commands for C: with the long key?

Willy, does your C: drive also use a password or is it just a recovery key?

Another update for the batch file:

@ECHO OFF
manage-bde -status
REM pause ignores any text after it, so show the prompt with ECHO first
ECHO Press any key to continue after identifying the BitLocker drive letter
pause
:repeat
REM default to D: if nothing is entered, matching the [D:] hint in the prompt
SET BLdrive=D:
SET /P BLdrive="Enter BitLocker encrypted drive letter to unlock [D:]  "
REM the OS drive C: is unlocked with the 48-digit recovery password, other drives with their password
if /I "%BLdrive%"=="C:" (
manage-bde -unlock %BLdrive% -rp [key]
) else (
manage-bde -unlock %BLdrive% -pw
)
ECHO Check that the previous command was successful
pause
SET Repeat=N
SET /P Repeat="Do you want to unlock another drive?"
REM quote both sides so an empty answer does not break the comparison
if /I "%Repeat%"=="Y" goto repeat
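Pulling together the two points made above (the drive letters are unknown until manage-bde -status has run in WinPE, and C: is unlocked with the recovery key while the external drives use a password), here is an added batch example that is not Steve's script from the thread: it parses the manage-bde -status output for locked lettered volumes and unlocks each one in turn. It assumes the recovery key file is named BitLockerRecoveryKey.txt and sits beside the .bat, that the OS volume shows as C: in WinPE, and that manage-bde returns a non-zero exit code on failure.

```batch
@ECHO OFF
SETLOCAL EnableDelayedExpansion
REM Added example, not a script from the thread. Finds every locked BitLocker
REM volume in "manage-bde -status" and unlocks each one.
REM Assumptions: BitLockerRecoveryKey.txt next to this .bat holds the key for
REM the OS volume, the OS volume is C: in WinPE (letters there can differ from
REM Windows, so check the -status output), and manage-bde exits non-zero on error.
SET "KEYFILE=%~dp0BitLockerRecoveryKey.txt"
SET "CURVOL="
SET "LOCKED="

REM Each volume block starts with "Volume X: [label]" and later contains a line
REM "Lock Status: Locked" or "Lock Status: Unlocked". Only lettered volumes are
REM collected; volumes listed by GUID path are skipped.
FOR /F "tokens=1-3" %%A IN ('manage-bde -status') DO (
    IF /I "%%A"=="Volume" SET "CURVOL=%%B"
    IF /I "%%A %%B"=="Lock Status:" IF /I "%%C"=="Locked" (
        IF "!CURVOL:~1!"==":" SET "LOCKED=!LOCKED! !CURVOL!"
    )
)

IF "!LOCKED!"=="" (
    ECHO No locked BitLocker volumes found.
    GOTO :done
)
ECHO Locked volumes:!LOCKED!

FOR %%V IN (!LOCKED!) DO (
    ECHO.
    IF /I "%%V"=="C:" (
        REM OS volume: unlock with the external recovery key file.
        IF EXIST "!KEYFILE!" (
            ECHO Unlocking %%V with the recovery key file ...
            manage-bde -unlock %%V -rk "!KEYFILE!"
            IF NOT "!ERRORLEVEL!"=="0" ECHO Unlock of %%V failed, check the key file.
        ) ELSE (
            ECHO Key file "!KEYFILE!" not found, skipping %%V.
        )
    ) ELSE (
        REM Data or external volume protected with a password: -pw prompts for it.
        ECHO Unlocking %%V, enter its password when prompted ...
        manage-bde -unlock %%V -pw
        IF NOT "!ERRORLEVEL!"=="0" ECHO Unlock of %%V failed, check the password.
    )
)

:done
REM Show the final state so "Lock Status: Unlocked" can be confirmed before recovery.
manage-bde -status
pause
ENDLOCAL
```

Run it from the command prompt in the rescue media after booting with BitLocker support included; a volume that still shows "Lock Status: Locked" in the final status output was not unlocked and its backup files will not be visible to the recovery.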

Steve, it works at the Windows level. And now I'm trying the USB stick.

Steve, to your question above: I mean the long recovery key with 48 characters.

Unfortunately, the batch file does not work with the Rescue medium. I took a photo and wanted to upload it, but that is not allowed, even though the file (*.jpg) is only 2.76 MB in size (?)

Willy, quick check point - did you remember to include BitLocker support in the rescue media?  The batch file should work exactly the same in the WinPE environment as it does in Windows!

The File > Upload forum feature has been broken / not working for more than a week now!

Steve, yes, I recorded.

I'm making a new USB stick for safety.

Willy, have tested again with my own MVP rescue media and the batch file is working fine for me.

Steve, I need another USB stick. The keyboard layout was incorrect.