How to recover a BitLocker drive
PLEASE USE CAUTION!
Incorrectly following this procedure could permanently destroy data.
Suddenly, you see a message stating that the key to open a BitLocker drive is invalid. You call your support person, the key is retrieved from escrow in Active Directory, but that key does not work. What's happening to me!?
It is not that the key just stopped working. It is usually the case that there is some physical damage to the drive... bad sectors and such.
Here is the process to recover the data:
repair-bde <InputVolume> <OutputVolumeOrImage> -rp "KEY"
Let's assume you have an external USB attached disk that will not open with the BitLocker key.
- Obtain another disk that is the same size or larger than the damaged disk. We will call this the Target disk. Please note that any data on the Target disk will be overwritten by this process.
- Connect the Target disk to a computer. Note the drive letter for this disk. For this example we will call it the Y: drive.
- Connect the Damaged disk to the same computer. Note the drive letter for this disk. For this example, we will call it the Z: drive.
- Recover the key from Active Directory for the Damaged disk. We will use 111111-222222-333333-444444-555555-666666-777777-888888 for our example.
- Our recovery command will then be
repair-bde Z: Y: -rp 111111-222222-333333-444444-555555-666666-777777-888888
where Z: is our Damaged disk and Y: is our Target disk. The command reads each block of data from the Damaged disk, decrypts it using the recovery key and writes the result to the Target disk. WARNING: Don't reverse the volumes! If you have any doubt, stop and call IS for assistance!
- Wait about 20 hours...
- After recovery is complete, you will be instructed to run a check disk on the target disk. In this example, we would run
chkdsk Y: /f
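The steps above, wrapped in a PowerShell script so the "don't reverse the volumes" warning is enforced before anything is written. This is an added example, not part of the original article or a Microsoft tool; the script name, the typed confirmation phrase and the size/encryption sanity checks are my own, and the 48-digit format test relies on the documented property that every 6-digit group of a BitLocker recovery password is a multiple of 11.

```powershell
# Invoke-BitLockerRepair.ps1 (hypothetical name): guarded wrapper around repair-bde.
# Usage: .\Invoke-BitLockerRepair.ps1 -Damaged Z: -Target Y: -RecoveryPassword 111111-222222-...
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]:$')][string]$Damaged,   # disk that will not unlock
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]:$')][string]$Target,    # disk that will be OVERWRITTEN
    [Parameter(Mandatory)][string]$RecoveryPassword,                          # key retrieved from AD escrow
    [string]$LogFile = "$env:TEMP\repair-bde.log"                             # repair-bde -lf log destination
)

function Test-RecoveryPassword {
    param([string]$Password)
    $groups = $Password -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        # Each group carries a check digit: the 6-digit value is always divisible by 11,
        # so a mistyped key from the help desk is usually caught here, not 20 hours later.
        if (([int]$g % 11) -ne 0) { return $false }
    }
    return $true
}

if (-not (Test-RecoveryPassword $RecoveryPassword)) { throw 'Recovery password is malformed; re-check the key from AD.' }
if ($Damaged -eq $Target) { throw 'Damaged and Target must be different volumes.' }

# Size check straight from the partition table, since the damaged volume may not mount.
$src = Get-Partition -DriveLetter $Damaged[0]
$dst = Get-Partition -DriveLetter $Target[0]
if ($dst.Size -lt $src.Size) { throw "Target ($($dst.Size) bytes) is smaller than Damaged ($($src.Size) bytes)." }

# Swap check: the Target must not itself be a BitLocker-encrypted volume. A damaged source
# may not report cleanly, so only the Target side is treated as a hard stop.
$dstBde = Get-BitLockerVolume -MountPoint $Target -ErrorAction SilentlyContinue
if ($dstBde -and $dstBde.VolumeStatus -ne 'FullyDecrypted') {
    throw "Target $Target is BitLocker-encrypted; volumes are probably reversed."
}

# Typed confirmation: everything on the Target disk is destroyed by the next command.
$answer = Read-Host "Type ERASE $Target to overwrite $Target with decrypted data from $Damaged"
if ($answer -cne "ERASE $Target") { throw 'Aborted; nothing was written.' }

# Decrypt block by block from Damaged to Target, logging progress for the support ticket.
repair-bde $Damaged $Target -rp $RecoveryPassword -lf $LogFile
if ($LASTEXITCODE -ne 0) { throw "repair-bde exited with code $LASTEXITCODE; see $LogFile" }

Write-Host "Recovery finished. Now run: chkdsk $Target /f"
```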
More information is available from Microsoft: http://technet.microsoft.com/en-us/library/ff829851.aspx