Blog: BitLocker

I recently had a task to help a user save their BitLocker recovery key to a flash drive, but the option to save to a flash drive was greyed out.  I tried logging on as the local administrator and several other things, but nothing worked.  Eventually, I used the “manage-bde -status” command to see what kind of protectors were on the drive.  Then, I added my own protector by using “manage-bde -protectors -add C: -RecoveryKey Z:”, where C: is the BitLocker system drive and Z: is the drive the USB is in.  Don’t forget: the recovery key will be saved to the USB as a hidden file.
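The steps above, scripted with manage-bde.exe so that the protector list is shown before and after the change and the hidden key file on the USB drive is verified. This is an added example, not code from the original post; it assumes an elevated PowerShell prompt on Windows 7 or later, and the drive letters C: and Z: are placeholders you replace with your own.

```powershell
# Added example (not from the original post): add a recovery-key protector to the
# BitLocker OS volume and write the key file to a removable drive with manage-bde.exe.
# Assumptions: elevated PowerShell on Windows 7 or later; $OsDrive and $UsbDrive are
# placeholders for your own drive letters.
param(
    [string]$OsDrive  = 'C:',
    [string]$UsbDrive = 'Z:'
)

# 1. Show the protectors currently on the volume before changing anything.
& manage-bde.exe -protectors -get $OsDrive

# 2. Refuse to write the key to anything but a removable drive (DriveType 2),
#    so a typo in the letter cannot drop the key file onto a fixed disk.
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$UsbDrive'"
if (-not $disk -or $disk.DriveType -ne 2) {
    throw "$UsbDrive is not a removable drive; aborting."
}

# 3. Add the recovery key protector; manage-bde writes the key file to the USB drive.
& manage-bde.exe -protectors -add $OsDrive -RecoveryKey "$UsbDrive\"
if ($LASTEXITCODE -ne 0) { throw "manage-bde failed with exit code $LASTEXITCODE" }

# 4. Verify the key file. It is saved as a hidden .BEK file, so a plain directory
#    listing will not show it; -Force makes Get-ChildItem include hidden items.
$bek = Get-ChildItem -Path "$UsbDrive\" -Filter '*.BEK' -Force
if (-not $bek) { throw "No .BEK key file found on $UsbDrive" }
$bek | Select-Object Name, Attributes, Length

# 5. Confirm that an External Key protector is now listed for the volume.
& manage-bde.exe -protectors -get $OsDrive | Select-String -Pattern 'External Key'
```

Save the script, for example as Add-BdeRecoveryKey.ps1, and run it as `.\Add-BdeRecoveryKey.ps1 -OsDrive C: -UsbDrive Z:`. The removable-drive check is the part worth keeping even if you type the command by hand: the key file gives whoever holds it the ability to unlock the volume, so where it lands matters.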


 

I was having some problems with my laptop's Bluetooth radio turning itself off when I reboot without powering off. I found an online posting indicating resetting the BIOS to defaults would fix the problem. I went into the BIOS setup and reset it, then rebooted. However, that changed the system enough to make Bitlocker ask for the recovery key. I put in the recovery key, then suspended Bitlocker on the C drive after Windows came up (as the Bitlocker message instructed). I then resumed Bitlocker and it seemed to work after another reboot.

However, when I rebooted the laptop at home later that day, Bitlocker asked for the recovery key again. I found another Microsoft support entry that indicated the problem might be that the boot order was changed. That made sense because my configuration at home involved an external USB device that wasn't connected at the office.

I suspended Bitlocker then rebooted and went into the BIOS setup and made sure the first (and only in this case) boot device listed was my C drive.

After rebooting, I resumed Bitlocker protection and haven't had a problem since.


 

I’ve recently been migrating to a Windows 7 laptop using BitLocker for full disk encryption.  Many of my co-workers have extensive experience with BitLocker, but I’ve had a desktop for a couple years and before that my laptop used GuardianEdge Encryption Anywhere.  This is my first experience with BitLocker.  To access the BitLocker Manager application go to Start -> Control Panel -> System and Security -> BitLocker Drive Encryption.  That interface is pretty much limited to allowing you to turn off/on BitLocker, suspend protection, save or print a recovery key, and reset your PIN for each of your drives.

I found that the “manage-bde.exe” command line utility is also useful in addition to the GUI.  The “bde” in the application’s name stands for “BitLocker Disk Encryption” and knowing that makes it easier to remember the name.  I like running “manage-bde.exe -status” because it displays more details like the conversion status, percentage encrypted, and encryption method.  The manage-bde.exe documentation can be found at http://technet.microsoft.com/en-us/library/dd875513(WS.10).aspx.

There are also two other command line tools available.  Repair-bde.exe can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker.  This would be useful if your system has a hard disk failure or if Windows exits unexpectedly.  Bdehdcfg.exe is used to prepare a drive with the partitions necessary for BitLocker Drive Encryption.  In most cases you will not need this tool because the BitLocker setup includes the ability to prepare and repartition drives as required.  The documentation for these two tools can be found at http://technet.microsoft.com/en-us/library/ee706528(WS.10).aspx and http://technet.microsoft.com/en-us/library/ee732026(WS.10).aspx respectively.

A co-worker pointed out another BitLocker tip to me.  Typically, if you make any BIOS upgrades you should suspend BitLocker, do the upgrade, and then resume BitLocker.  If you forget to do these steps the PC will constantly boot into BitLocker recovery mode.  Suspending and resuming BitLocker after the BIOS upgrade appears to reset BitLocker so it boots normally.
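The suspend-then-resume routine described here, and in the boot-order post above, scripted around manage-bde.exe so that each step checks the resulting protection status instead of assuming it. This is an added example, not code from the original posts; it assumes an elevated PowerShell prompt on Windows 7 or later, English-language manage-bde output, and C: as a placeholder for the OS volume.

```powershell
# Added example (not from the original posts): suspend BitLocker protection before a
# BIOS/firmware update or boot-order change, and resume it afterwards, verifying the
# "Protection Status" reported by manage-bde -status after each step.
# Assumptions: elevated PowerShell on Windows 7 or later; English manage-bde output;
# $OsDrive is a placeholder for your OS volume.
param(
    [Parameter(Mandatory=$true)][ValidateSet('Suspend','Resume')][string]$Action,
    [string]$OsDrive = 'C:'
)

# Returns the value of the "Protection Status:" line for the volume,
# e.g. "Protection On" or "Protection Off".
function Get-BdeProtectionStatus([string]$Volume) {
    $line = & manage-bde.exe -status $Volume |
        Select-String -Pattern 'Protection Status:' | Select-Object -First 1
    if (-not $line) { throw "Could not read protection status for $Volume" }
    return ($line.Line -split ':\s+', 2)[1].Trim()
}

switch ($Action) {
    'Suspend' {
        # Disabling the protectors keeps the data encrypted but stores the volume key in
        # the clear, so the changed firmware/boot measurements do not trigger recovery.
        & manage-bde.exe -protectors -disable $OsDrive | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Suspend failed with exit code $LASTEXITCODE" }
        $status = Get-BdeProtectionStatus $OsDrive
        if ($status -notlike '*Off') { throw "Expected protection off, got '$status'" }
        "BitLocker suspended on $OsDrive. Apply the BIOS update or boot-order change, reboot, then run again with -Action Resume."
    }
    'Resume' {
        # Re-enabling the protectors seals the key against the current boot configuration.
        & manage-bde.exe -protectors -enable $OsDrive | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Resume failed with exit code $LASTEXITCODE" }
        $status = Get-BdeProtectionStatus $OsDrive
        if ($status -notlike '*On') { throw "Expected protection on, got '$status'" }
        "BitLocker resumed on $OsDrive."
    }
}
```

Run `.\Suspend-Resume-Bde.ps1 -Action Suspend` before the firmware change and `.\Suspend-Resume-Bde.ps1 -Action Resume` after the reboot that follows it. The status check after the suspend is the guard that matters: if the volume still reports Protection On, the next boot will measure the new firmware against the old TPM profile and land in recovery exactly as the posts above describe.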


 

While Bitlocker is encrypting your drive, the program automatically locks your entire drive except for 6GB. This is normally not a problem, but can be an issue if you are doing significant copying to the disk being encrypted. The following verbiage from a TechNet article describes this “feature” and explains how to temporarily pause the encryption in case you need to do work that requires more than 6GB on the disk.

Why does it appear that most of the free space in my drive is used when BitLocker is converting the drive?

BitLocker cannot ignore free space when the drive is being encrypted because unallocated disk space commonly contains data remnants. However, it is not efficient to encrypt free space on a drive. To solve this problem, BitLocker first creates a large placeholder file that takes most of the available disk space and then writes cryptographic material to disk sectors that belong to the placeholder file. During this process, BitLocker leaves 6 GB of available space for short-term system needs. All other space, including the 6 GB of free space not occupied by the placeholder file, is encrypted. When encryption of the drive is paused or completed, the placeholder file is deleted and the amount of available free space reverts to normal. A placeholder file is used only on drives formatted by using the NTFS or exFAT file system.

If you want to reclaim this free space before encryption of the drive has completed, you can use the manage-bde command-line tool to pause encryption. To do this, open an elevated command prompt and type the following command, replacing driveletter with the letter of the drive you want to pause encryption on:

manage-bde -pause driveletter:

When you are ready to start encrypting the drive again, type the following command:

manage-bde -resume driveletter:
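The pause/resume procedure from the TechNet text above, scripted so that it only pauses while a conversion is actually running and free space has dropped below a threshold, and reports the conversion status and percentage encrypted that manage-bde -status exposes. This is an added example, not code from the original post or from Microsoft; it assumes an elevated PowerShell prompt on Windows 7 or later, English-language manage-bde output, and that C: and the 10 GB threshold are placeholders.

```powershell
# Added example (not from the original post): pause an in-progress BitLocker conversion
# when free space on the drive falls under a threshold, and resume it later with -Resume.
# Assumptions: elevated PowerShell on Windows 7 or later; English manage-bde output;
# $Drive and $MinFreeGB are placeholders.
param(
    [string]$Drive = 'C:',
    [int]$MinFreeGB = 10,
    [switch]$Resume
)

# Parses the "Key:   Value" lines of manage-bde -status for one volume into a hashtable,
# e.g. $info['Conversion Status'] and $info['Percentage Encrypted'].
function Get-BdeStatus([string]$Volume) {
    $info = @{}
    & manage-bde.exe -status $Volume | ForEach-Object {
        if ($_ -match '^\s*([^:]+?):\s+(.+?)\s*$') { $info[$matches[1]] = $matches[2] }
    }
    if (-not $info.ContainsKey('Conversion Status')) { throw "No BitLocker status for $Volume" }
    return $info
}

$status = Get-BdeStatus $Drive
$disk   = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'"
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)

"{0}: {1}, {2} encrypted, {3} GB free" -f $Drive, $status['Conversion Status'], $status['Percentage Encrypted'], $freeGB

if ($Resume) {
    if ($status['Conversion Status'] -ne 'Encryption Paused') { "Nothing to resume."; return }
    & manage-bde.exe -resume $Drive
    return
}

# Pause only while encryption is running and the placeholder file has squeezed free
# space under the threshold; a paused or fully encrypted drive is left alone.
if ($status['Conversion Status'] -eq 'Encryption in Progress' -and $freeGB -lt $MinFreeGB) {
    & manage-bde.exe -pause $Drive
    if ($LASTEXITCODE -eq 0) { "Encryption paused on $Drive; run again with -Resume when the copy is done." }
} else {
    "No action: encryption not in progress or free space above $MinFreeGB GB."
}
```

Run `.\Pause-BdeConversion.ps1 -Drive C: -MinFreeGB 10` before a large copy and `.\Pause-BdeConversion.ps1 -Drive C: -Resume` afterwards. Checking the conversion status first avoids the two mistakes that are easy to make by hand: pausing a drive that was already paused, and forgetting that a paused conversion leaves the not-yet-converted sectors unencrypted until you resume.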


 

Several of us have noticed that when we shut down our laptops the OS seems to stop but the fans do not. This is especially harmful when you then put the laptop in a bag and later retrieve it to find it extremely hot.  It turns out that there is a problem with Windows 7 when using Bitlocker that exhibits this problem. The details can be found at http://support.microsoft.com/kb/975496.  Lenovo has published this patch on the System Update site for the T400.

This is also an issue with Windows Server 2008.


 

To use BitLocker in Vista, you had to create a separate active drive partition.  When Vista first shipped this had to be created manually, but Microsoft released a BitLocker Drive Preparation Tool later to help with the partitioning.

With Windows 7 this partition is still required but is created automatically when BitLocker is enabled.  However, the Drive Preparation Tool is still supported as a command line tool, intended mostly for scripting the BitLocker setup for multiple systems.

More information is available at http://technet.microsoft.com/en-us/library/dd875534%28WS.10%29.aspx