Re-enable BitLocker Auto-Unlock after System Volume Restore

Mark Berry August 11, 2010

Today I did a disaster recovery test on my Windows Server 2008 R2 Hyper-V host. I used Windows Backup to do a bare metal restore of only the system volume. As expected, after the restore, the system volume was no longer encrypted. But even after re-encrypting the system volume, I was unable to set the data volumes to automatically unlock. Instead, it displayed “Data error (cyclic redundancy check).”

I decided to try the command line. Here I found that manage-bde –status listed two volumes out of about eight before aborting with the same error:

Bitlocker autounlock 1

When I saw that error code 0×80070017 can mean that a file is missing or corrupt, it occurred to me that the old BitLocker auto-unlock keys are still on the restored system volume, but they cannot be accessed. So I tried manage-bde -autounlock -clearallkeys C:.

 Bitlocker autounlock 2

After this, manage-bde -status correctly lists all volumes, but manage-bde -autounlock -enable S: fails with the message:

ERROR: An error occurred (code 0×80310054):
The auto-unlock master key was not available from the operating system drive.

Bitlocker autounlock 3

Maybe the master key will be re-created by a reboot? Sure enough, after rebooting and manually unlocking the drives again, I was finally able to enable auto-unlock on the encrypted data volumes.

System Volume Restore with BitLocker Data Volumes

Based on that experience, here is what I think should work next time for system volume restore:

  1. Do bare metal restore of system volume C:. The volume is restored unencrypted.
  2. Boot into OS and log in.
  3. From an administrative command prompt, run manage-bde -autounlock -clearallkeys C:.
  4. In the Control Panel, go to BitLocker Drive Encryption and enable Bitlocker on C:. Leave the encrypted data volumes in their locked state for now.
  5. Reboot to activate BitLocker. This apparently creates the auto-unlock master key on the system volume.
  6. Log in. In the Control Panel, go to BitLocker Drive Encryption and manually unlock encrypted data volumes.
  7. For each encrypted data volume, click on Manage BitLocker and set Automatically unlock this drive on this computer.

Update 02/17/2011:  You may want to refer to the Manage-bde Parameter Reference on TechNet. Based on comments from Stephan (see below), a slightly modified procedure to try next time:

  1. Do bare metal restore of system volume C:. The volume is restored unencrypted.
  2. Boot into OS and log in.
  3. In the Control Panel, go to BitLocker Drive Encryption and enable Bitlocker on C:. Leave the encrypted data volumes in their locked state for now.
  4. Reboot to activate Bitlocker. This apparently creates the auto-unlock master key on the system volume. Log in.
  5. From an administrative command prompt, run manage-bde -autounlock -clearallkeys C:.
  6. In the Control Panel, go to BitLocker Drive Encryption and manually unlock encrypted data volumes.
  7. From a command prompt, check for and delete old External Keys on data volumes (I haven’t tested this!):
    manage-bde -protectors -get S:
    manage-bde -protectors -delete S: -type ExternalKey
  8. Back in the Control Panel, for each encrypted data volume, click on Manage BitLocker and set Automatically unlock this drive on this computer.
Tags:

This entry was posted on Wednesday, August 11th, 2010 at 5:19 pm and is filed under IT Administration. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

6 Comments

  1. Stephan   |  December 23, 2010 at 5:16 am

    Mark,

    geart article and you really safed us a lot of work. I couldn’t find any information on the Microsoft web site how to deal with this CRC error and already thought I have to re-create all the encrypted volumes.

    However, you might want to add that BitLocker will add a new external key that is required for autounlock feature. The old one can be deleted, e.g. before you re-enable autounlock:

    manage-bde -protectors -delete S: -type ExternalKey

    Chers,
    Stephan

  2. Mark Berry   |  December 23, 2010 at 8:31 am

    So “manage-bde -autounlock -clearallkeys C:.” doesn’t delete the old keys stored on the C: drive? I’m not familiar with the concept of “external keys” in Bitlocker.

  3. ML   |  January 01, 2011 at 9:29 pm

    Amazing, thank you. I came across this error after restoring the OS volume with Acronis True Image and then re-encrypting it. My second encrypted /storage/ volume would not auto-unlock and through a CRC error.

  4. logos   |  January 07, 2011 at 5:33 am

    thanks, posted the solution on TechNet ;)
    http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/db7030e5-4c37-46dc-b0ea-492f3e1ef76f

  5. Stephan   |  February 17, 2011 at 6:13 am

    Great work. You safed us a lot of work. Just one note: you have to enable BitLocker on the OS volume before you can clear the auto unlock keys and from my point of view it makes sense to delete the old External Key from the data volume before you enable the auto unlock featre again.

  6. Mark Berry   |  February 17, 2011 at 9:45 am

    Stephan, glad you found it useful. I’ve posted a modified procedure based on your comments.

Leave a Reply





Notify me of followup comments via e-mail. You can also subscribe without commenting.