Encryption is the process of algorithmically transforming information making it unreadable to unauthorized individuals. It is often employed to safeguard sensitive information such as credit card and bank account numbers. Plain-text data is encoded during encryption and can only be decrypted with a key.

bitlocker best practices

There are a number of encryption algorithms in use that employ either symmetric or asymmetric keys to encode and decode the data. Currently, the Advanced Encryption Standard (AES) algorithm is most often used with 128, 192 or 256-bit keys.

An encrypted hard drive offers the user protection for their data in the event that the hard drive is stolen or accessed by unauthorized users. Without the key or password, the drive and its data are inaccessible. There are many applications that provide encryption for data resident on a storage device or being transmitted across a network. One of these is Microsoft’s BitLocker.

What is BitLocker?

bitlocker encrypted driveBitLocker is a proprietary encryption program offered by Microsoft on some of its versions of the Windows operating system. It is available to users with:

  • The Ultimate and Enterprise editions of Windows Vista and Windows 7;
  • The Pro and Enterprise editions of Windows 8 and 8.1;
  • The Pro, Enterprise, and Education editions of Windows 10 installed on their computer.

It is easy to use and can encrypt your hard drive and protect against malware attacking your system’s firmware or attempting to make other unauthorized changes without a noticeable slowdown.

BitLocker System Requirements

In addition to running one of the support flavors of the Windows OS, there are some other system requirements which need to be fulfilled in order to run BitLocker. You are required to have a drive with at least two partitions as well as a special chip known as Trusted Platform Module (TPM). The TPM’s role is to run authentication checks against your system’s software, hardware, and firmware. If the TPM detects unauthorized changes to your system it will boot in restricted mode to thwart possible attackers.

bitlocker drive with tpm

bitlocker drive without tpmEven without a TPM you can use BitLocker in software mode. For more information on setting up BitLocker we suggest consulting this Microsoft support page.

BitLocker Password and Security Key

When you are setting up BitLocker there will be a point where you will need to assign a password to be used each time you start your machine. You need to select whether you intend to enter the password manually or by storing it on a USB key. Using the key method poses the risk that the USB key can be lost, leaving you unable to authenticate when booting your computer.

Choosing the method in which you store your recovery key entails selecting the type of safety you are most interested in maintaining. Saving the key to your Microsoft account will let you unlock and decrypt your files if you lose the flash drive or the paper on which it was printed. It also poses the risk of someone accessing your Microsoft account and gaining access to the key and thereby your hard drive. We leave it up to you to determine which risk you are more comfortable taking.

What if You Have Forgotten Your BitLocker Password

Let’s say you have a computer which you have protected with BitLocker that has not been used for some time. You go to start it up and cannot remember the password. This is definitely problematic. There is some critical data stored on the drive that you absolutely have to be able to access. What are your options if you cannot unlock your drive normally?


bitlocker change password Attempt access with your usual passwords

Despite warnings to create unique, strong passwords made up of a combination of alphanumeric and special characters, many users still use simple words or phrases to protect their data and user accounts. Try to relax and remember passwords that you may have used in the past. With some luck, you may stumble onto the correct password and gain entry to your hard drive.


BitLocker Recovery Perform a BitLocker recovery

In the event that you cannot access a BitLocker protected drive, you may be called upon to perform a BitLocker recovery. This can be done in a variety of ways.

  • The user can type in the 48-digit recovery password.
  • A domain administrator can recover the password from Active Directory Domain Services if that is where the password was stored.
  • Employ a data recovery agent to unlock the drive. The drive must be mounted as a data drive in order for the agent to unlock it.

Recovery is done through the command line by using the following procedure depending on if you are recovering a local or remote machine.

Forcing recovery on a local machine:

  1. Click the Start button, type CMD in the Search box.
  2. Right-click cmd.exe, and then click Run as administrator.
  3. At the command prompt, type the following command and then press ENTER:

    manage-bde -forcerecovery <Volume>

To force recovery for a remote computer:

  1. On the Start screen, type cmd.exe , and then click Run as administrator.
  2. At the command prompt, type the following command and then press ENTER:

    manage-bde -ComputerName <ComputerName> -forcerecovery <Volume>


Best BitLocker Recovery Software Employ third-party data recovery software

There are data recovery applications available that may be able to extract data from encrypted BitLocker containers. One such tool is Disk Drill for Windows. Version 4 of this app can access files in the BitLocker containers and assist in recovering data from an encrypted drive. This is a more cost-effective method of recovery than sending your disk to a data recovery service, but you will still need to unlock the BitLocker container prior to running Disk Drill.

To recover data from a BitLocker-encrypted drive using Disk Drill:

  1. Download and install Disk Drill on the computer to which the encrypted drive is connected.
    Disk Drill
    Data recovery for free
    Your Companion for Deleted Files Recovery
  2. Launch File Explorer.
  3. Right-click the encrypted drive.
  4. Select the Unlock Drive option and enter your BitLocker password.windows file explorer unlock bitlocker
  5. Launch Disk Drill and scan the encrypted drive. You can also unlock an encrypted drive directly from Disk Drill by selecting the encrypted partition and clicking the Unlock now button. Disk Drill will prompt you to enter your BitLocker password. disk drill scan encrypted partition
  6. Analyze the recovery results and select all files you want to recover.
  7. Click the Recover button and recover the selected files to a safe location.disk drill recover from bitlocker

BitLocker Recovery Service Use a Data Recovery service

In extreme cases, you may need to remove your hard drive and send it to a data recovery service where they can possibly extract the encrypted data from the device. This will necessitate a financial investment in contracting the service and in purchasing a replacement drive. This will only work if your BitLocker password is not lost, but the storage device is unresponsive. That’s when software-based methods won’t work and the recovery lab may be your best bet.

bitlocker drive encryption service


Best BitLocker Recovery Tools Using the BitLocker Repair Tool

bitlocker drive encryption administration utilitiesMicrosoft has made the BitLocker Repair Tool (Repair-bde) available, and you can use it to access data protected with BitLocker. You should use the tool if the BitLocker recovery methods described above failed to resolve the issue.

Using the Repair-bde tool, you can reconstruct critical parts of your encrypted drive to salvage recoverable data from it. In order to use the Repair-bde tool, you need to provide a valid recovery password or recovery key is used to decrypt the data. In situations when the BitLocker metadata data has become corrupt, a backup key package is also necessary.

Here’s an example of how the Repair-bde tool can be used to repair encrypted drive C and write its content to drive D using the correct 48-digit recovery password:

repair-bde C: D: -rp 111111-222222-333333-444444-555555-666666-777777-888888

The parameter -rp tells the Repair-bde tool to use the provided numerical recovery password to unlock the encrypted drive, and it can be also written as recoverypassword.

windows file explorer unlock bitlocker Use the BitLocker Encryption Options Application

If you’re struggling to access data stored on your BitLocker-encrypted work computer because you don’t remember your PIN or password, then you should look for the recovery key ID in the BitLocker Encryption Options application.

To access this application to retrieve your recovery key:

  1. Open the classic Control Panel.
  2. Select System and Security.
  3. Click BitLocker Drive Encryption.bitlocker drive encryption
  4. Select Unlock Drive.
  5. Click I cannot remember my password.

The BitLocker Encryption Options application should display your recovery key ID, and you can give it to your administrator to unlock your BitLocker-encrypted device.


Resetting Recovery Passwords

The manage-bde command can be used to remove and assign new recovery passwords. You will still need to unlock the BitLocker container. Follow these steps to reset a recovery password.

  1. Remove the previous recovery password with this command:

    manage-bde -protectors -delete <Volume> -type RecoveryPassword

  2. Add the new recovery password:

    manage-bde -protectors –add <Volume> -RecoveryPassword

  3. Get the id of the new recovery password and copy it down for the next step:

    manage-bde -protectors -get <Volume> -Type RecoveryPassword

  4. Backup the new recovery password to Active Directory Domain Services:

    manage-bde -protectors -adbackup <Volume> -id <{EXAMPLE6-5507-4924-AA9E-AFB2EB003692}>

Conclusion

Encrypting any data or device is the best method to employ to protect sensitive information. It can pose a problem if the password used to enact the encryption cannot be recalled when needed. While you certainly don’t want the password available to any prying eyes, you do need to ! ensure that you have a copy in a safe place or are using a password that you will not forget.

FAQ

David Morelo

David Morelo is a professional content writer in the technology niche, covering everything from consumer products to emerging technologies and their cross-industry application. His interest in technology started at an ...

Read full bio
Avatar
Approved by
Brett Johnson

This article has been approved by Brett Johnson, Data Recovery Engineer at ACE Data Recovery. Brett has a Bachelor's Degree in Computer Systems and Network, 12 years of experience.