Re-enable BitLocker Auto-Unlock after System Volume Restore

Mark Berry August 11, 2010

Today I did a disaster recovery test on my Windows Server 2008 R2 Hyper-V host. I used Windows Backup to do a bare metal restore of only the system volume. As expected, after the restore, the system volume was no longer encrypted. But even after re-encrypting the system volume, I was unable to set the data volumes to automatically unlock. Instead, it displayed “Data error (cyclic redundancy check).”

I decided to try the command line. Here I found that manage-bde -status listed two volumes out of about eight before aborting with the same error:

[Screenshot: Bitlocker autounlock 1]

When I saw that error code 0x80070017 can mean that a file is missing or corrupt, it occurred to me that the old BitLocker auto-unlock keys are still on the restored system volume, but they cannot be accessed. So I tried manage-bde -autounlock -clearallkeys C:.

[Screenshot: Bitlocker autounlock 2]

After this, manage-bde -status correctly lists all volumes, but manage-bde -autounlock -enable S: fails with the message:

ERROR: An error occurred (code 0x80310054):
The auto-unlock master key was not available from the operating system drive.

[Screenshot: Bitlocker autounlock 3]

Maybe the master key will be re-created by a reboot? Sure enough, after rebooting and manually unlocking the drives again, I was finally able to enable auto-unlock on the encrypted data volumes.

System Volume Restore with BitLocker Data Volumes

Based on that experience, here is what I think should work next time for system volume restore:

  1. Do bare metal restore of system volume C:. The volume is restored unencrypted.
  2. Boot into OS and log in.
  3. From an administrative command prompt, run manage-bde -autounlock -clearallkeys C:.
  4. In the Control Panel, go to BitLocker Drive Encryption and enable BitLocker on C:. Leave the encrypted data volumes in their locked state for now.
  5. Reboot to activate BitLocker. This apparently creates the auto-unlock master key on the system volume.
  6. Log in. In the Control Panel, go to BitLocker Drive Encryption and manually unlock encrypted data volumes.
  7. For each encrypted data volume, click on Manage BitLocker and set Automatically unlock this drive on this computer.

Update 02/17/2011:  You may want to refer to the Manage-bde Parameter Reference on TechNet. Based on comments from Stephan (see below), a slightly modified procedure to try next time:

  1. Do bare metal restore of system volume C:. The volume is restored unencrypted.
  2. Boot into OS and log in.
  3. In the Control Panel, go to BitLocker Drive Encryption and enable BitLocker on C:. Leave the encrypted data volumes in their locked state for now.
  4. Reboot to activate BitLocker. This apparently creates the auto-unlock master key on the system volume. Log in.
  5. From an administrative command prompt, run manage-bde -autounlock -clearallkeys C:.
  6. In the Control Panel, go to BitLocker Drive Encryption and manually unlock encrypted data volumes.
  7. From a command prompt, check for and delete old External Keys on data volumes (I haven’t tested this!):
    manage-bde -protectors -get S:
    manage-bde -protectors -delete S: -type ExternalKey
    Note that -type ExternalKey removes every External Key protector on S:, not only the stale auto-unlock key; a recovery key saved to a .BEK file is also an External Key protector. Read the -get listing first, confirm the volume still has a Numerical Password (recovery password) protector, and use -id {GUID} in place of -type if only one of several external keys should go.
  8. Back in the Control Panel, for each encrypted data volume, click on Manage BitLocker and set Automatically unlock this drive on this computer.
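
Steps 5 through 8 of the revised procedure above (and the equivalent tail of the August 2010 list), driven from an elevated PowerShell prompt, as an added example: this script is not from the original post and is not Microsoft's; it only wraps manage-bde. It assumes steps 1 to 4 are done (C: re-encrypted, machine rebooted, data volumes still locked), that manage-bde prints its English labels, and that the drive letters and the 48-digit recovery passwords in $DataDrives are placeholders you replace. It departs from the list in two ways: it refuses to touch a data volume that has no recovery password protector, and it deletes the old External Key protectors one at a time by ID rather than with -type ExternalKey, so each removal is visible.

```powershell
# Added example, not code from the original post or from Microsoft: steps 5-8 of the
# revised (02/17/2011) procedure run from an elevated PowerShell prompt via manage-bde.
# Assumptions: the OS volume is already re-encrypted and the machine rebooted; the data
# volumes are still locked; manage-bde prints English-language labels; the drive letters
# and the 48-digit recovery passwords below are placeholders.

$OsDrive    = 'C:'
$DataDrives = @{                       # data volume -> its recovery password (placeholder values)
    'S:' = '111111-222222-333333-444444-555555-666666-777777-888888'
    'T:' = '111111-222222-333333-444444-555555-666666-777777-888888'
}

function Invoke-ManageBde {
    # Run manage-bde with the given arguments and stop on a non-zero exit code, so that a
    # failed step (e.g. the 0x80310054 "master key not available" error) is not skipped.
    param([string[]]$ArgList)
    $out = & manage-bde @ArgList 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($ArgList -join ' ') failed with code ${LASTEXITCODE}:`n$out"
    }
    return $out
}

function Get-ProtectorIds {
    # Parse 'manage-bde -protectors -get <drive>' and return the IDs of every protector of
    # the given type ('External Key', 'Numerical Password', ...). In that listing the type
    # label is on one line and 'ID: {GUID}' is on the next.
    param([string]$Drive, [string]$Type)
    $lines = (Invoke-ManageBde @('-protectors', '-get', $Drive)) -split "`r?`n" |
             ForEach-Object { $_.Trim() }
    $ids = @()
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -eq "${Type}:" -and $lines[$i + 1] -match '^ID:\s*(\{[0-9A-Fa-f-]+\})') {
            $ids += $Matches[1]
        }
    }
    return $ids
}

# Step 5: clear the stale auto-unlock keys that the restore left on the OS volume.
# (This fails unless BitLocker is already enabled on C:, hence the reordering.)
Invoke-ManageBde @('-autounlock', '-clearallkeys', $OsDrive) | Out-Null

foreach ($drive in $DataDrives.Keys) {
    # Step 6: unlock the data volume with its recovery password.
    Invoke-ManageBde @('-unlock', $drive, '-RecoveryPassword', $DataDrives[$drive]) | Out-Null

    # Safety check: never delete protectors from a volume that has no recovery password,
    # or a mistake in the next step leaves the data permanently locked.
    if ((Get-ProtectorIds $drive 'Numerical Password').Count -eq 0) {
        throw ("$drive has no recovery password protector; add one first with " +
               "'manage-bde -protectors -add $drive -RecoveryPassword' and save it.")
    }

    # Step 7: delete the old External Key protector(s) one at a time, by ID, so each removal
    # is logged. '-type ExternalKey' does the same in one shot. Either form also removes a
    # recovery key (.BEK) saved to USB, since that is an External Key protector as well.
    foreach ($id in (Get-ProtectorIds $drive 'External Key')) {
        Write-Host "Deleting stale external key $id from $drive"
        Invoke-ManageBde @('-protectors', '-delete', $drive, '-id', $id) | Out-Null
    }

    # Step 8: re-enable auto-unlock, which creates a new External Key protector tied to the
    # master key now present on the re-encrypted OS volume.
    Invoke-ManageBde @('-autounlock', '-enable', $drive) | Out-Null
    Write-Host "Auto-unlock re-enabled on $drive"
}

# Verify: each data volume should now report 'Automatic Unlock: Enabled'.
manage-bde -status
```

If a volume's -get listing shows more than one External Key and one of them is a recovery key you still rely on, drop that ID from the loop (or re-save a recovery key afterwards); the recovery password check is what makes the deletions safe to script at all.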


13 Comments

  1. Stephan   |  December 23, 2010 at 5:16 am

    Mark,

    Great article, and you really saved us a lot of work. I couldn’t find any information on the Microsoft web site on how to deal with this CRC error and already thought I would have to re-create all the encrypted volumes.

    However, you might want to add that BitLocker will add a new external key that is required for the autounlock feature. The old one can be deleted, e.g. before you re-enable autounlock:

    manage-bde -protectors -delete S: -type ExternalKey

    Cheers,
    Stephan

  2. Mark Berry   |  December 23, 2010 at 8:31 am

    So “manage-bde -autounlock -clearallkeys C:” doesn’t delete the old keys stored on the C: drive? I’m not familiar with the concept of “external keys” in Bitlocker.

  3. ML   |  January 01, 2011 at 9:29 pm

    Amazing, thank you. I came across this error after restoring the OS volume with Acronis True Image and then re-encrypting it. My second encrypted /storage/ volume would not auto-unlock and threw a CRC error.

  4. logos   |  January 07, 2011 at 5:33 am

    thanks, posted the solution on TechNet ;)
    http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/db7030e5-4c37-46dc-b0ea-492f3e1ef76f

  5. Stephan   |  February 17, 2011 at 6:13 am

    Great work. You saved us a lot of work. Just one note: you have to enable BitLocker on the OS volume before you can clear the auto unlock keys, and from my point of view it makes sense to delete the old External Key from the data volume before you enable the auto unlock feature again.

  6. Mark Berry   |  February 17, 2011 at 9:45 am

    Stephan, glad you found it useful. I’ve posted a modified procedure based on your comments.

  7. Frank   |  August 14, 2012 at 7:58 am

    Ever heard of this happening?
    I have an external hard drive, with two partitions, both of which I encrypted with Bitlocker.
    The other day I noticed that the USB connection for that external drive had pulled out. Upon reconnection, when trying to open the drive (the two partitions), it asked for the BitLocker key, which I entered.
    It says that the key is incorrect!!

    Of course I tried this many times – still no luck. I’ve always used the same key and am stumped (and PO’d, to say the least).
    Does an encryption key reset to a default state when the hard drive is disconnected and then re-connected?

    ANY IDEAS ARE VERY WELCOME!

  8. Mark Berry   |  August 14, 2012 at 8:33 am

    Sorry Frank, I haven’t heard of that. You might try a post on the Windows 7 Security forum: http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/threads.

  9. tetrabit   |  March 06, 2013 at 2:38 am

    Thank you, works for Win8 x64 too.

  10. JFed   |  January 28, 2014 at 12:13 pm

    Thank you – worked for me, Win 8.1 64-bit, multiple SSDs.

  11. Restoring a bitlocker system volume with Acronis 2014 | Thorsten on (mostly) Tech   |  March 22, 2014 at 5:14 am

    […] check”. No need to panic, the data is fine: This is a problem with the stored Bitlocker keys. Mark Berry documented the fix back in 2010. I used his updated (2/17/2011) methodology, which is henceforth no longer untested. […]

  12. JP   |  January 05, 2015 at 7:21 pm

    Removing the external key worked great on server 2012, thanks!

  13. Steve   |  September 08, 2015 at 7:00 am

    Thanks, Mark Berry – a five year old post, but still very relevant. Helped me sort out my Windows 10 system! The revised instructions worked fine for me.
