BitLocker is the Windows encryption tool for every Windows installation and for important data carriers. We have described in detail how to activate and set up BitLocker under Windows 10 in our article “Activate BitLocker encryption with Windows 10”. You can find more BitLocker tips and tricks at the end of this article.
However, if problems occur with a BitLocker data carrier, you can use Windows' own tool “Repair-BDE”. This standard BitLocker tool is supplied with every Windows installation (including Windows Server) and allows you to repair a BitLocker data carrier as well as decrypt it and save it to another data carrier.
Repair-BDE tries to repair or decrypt a damaged and BitLocker-encrypted volume using the recovery information provided.
WARNING: To avoid complete data loss when running this BitLocker repair tool, a replacement hard drive should be available. Use this spare drive to store the decrypted output or to back up the contents of the damaged volume.
To make the functionality easier to understand, here is first of all the complete parameter list of the Repair-BDE tool.
Repair-BDE parameters
Repair-BDE parameter | Description of the Repair-BDE parameter |
---|---|
InputVolume | The BitLocker-encrypted volume to be repaired. Examples: “C:”, “\\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}”. |
OutputVolumeOrImage | The volume to store decrypted content or the file location to create an image file of the content. Examples: “D:”, “D:\imagefile.img”. WARNING: All information on this output volume will be overwritten. |
-rk or -RecoveryKey | Provide an external key to unlock the volume. Example: “F:\recoveryKey.bek”. |
-rp or -RecoveryPassword | Enter a numeric password to unlock the volume. Example: “111111-222222-333333-…”. |
-pw or -Password | Enter a password to unlock the volume. |
-kp or -KeyPackage | Optional. Provide a key package to unlock the volume. Example: “F:\ExportedKeyPackage”. If this option is empty, the key package is automatically searched for. This option is only required if the tool requires it. |
-lf or -LogFile | Optional. Provide a path to a file that stores status information. Example: “F:\log.txt”. |
-f or -Force | Optional. Using this parameter forces the volume to be unmounted even if it cannot be locked. This option is only required if the tool requires it. |
-? or /? | Displays the Repair-BDE help |
Examples of Repair-BDE
repair-bde C: D: -rk F:\recoveryKey.bek -Force
repair-bde C: D: -rp 111111-222222- […] -lf F:\log.txt
repair-bde C: D: -kp F:\KeyPackage -rp 111111-222222- […]
repair-bde C: D:\imagefile.img -kp F:\KeyPackage -rk F:\recoveryKey.bek
repair-bde C: D: -pw
Execution of a Bitlocker decryption
Using an example, we would like to show you below how Repair-BDE works. We want to decrypt our 64 GB USB stick, which is encrypted with BitLocker, and have an image file created from it that contains all the data but is no longer encrypted with BitLocker.
We used the following command:
repair-bde D: C:\Windows-FAQ\imagefile.img -pw
The complete output of the BitLocker decryption run is listed below.
BitLocker Drive Encryption: Repair Tool, version 10.0.18362
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Enter the password to unlock the volume:
The search for BitLocker metadata will start.
The starting sectors are searched for the pointer to metadata:
The starting sectors are searched for the pointer for metadata:
The starting sectors are searched for the pointer for metadata:
100%
search for BitLocker metadata has been completed.
PROTOCOL INFORMATION: 0x0000002a
Valid metadata at offset “41943040” was found at search level “1”.
PROTOCOL INFORMATION: 0x0000002b
repair context was created.
Decryption has started.
Decryption: 100% complete.
Decryption has been completed.
After issuing the command, the BitLocker password must still be entered in this case. The password is not visible as you type. If you don’t want to enter the BitLocker password, you can instead supply the BitLocker key as a .BEK file using the “-rk” parameter.
With this command, Repair-BDE has decrypted the entire USB data carrier and created an image file named “IMAGEFILE.IMG” in the directory “C:\Windows-FAQ”. This image file, which you can open with 7-Zip, for example, contains all files and folders from the former BitLocker USB stick, but in unencrypted form.
When producing the IMG file, however, note that Repair-BDE creates the image file as large as the total storage space of the data carrier. In our case it was a 64 GB USB stick and thus the image file is 60 GB in size, even though the data it contained only occupied 1 GB. Take this into account when repairing a BitLocker data carrier, so that the target data carrier can hold the entire contents of the BitLocker source drive.
Also useful is the “-lf” parameter, which logs all output to a log file.
If you are interested in further BitLocker tips and tricks, we recommend the following articles.
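The image-size and logging points above, turned into a pre-flight check before Repair-BDE is started; this is an added example, not part of the original article. The function name, the log path and the refusal to overwrite an existing image are assumptions of this sketch, as is treating a non-zero exit code as failure.

```powershell
#Requires -RunAsAdministrator
# Added example: verify the destination can hold a full-size image, then run
# repair-bde with a log file. Function name and log path are hypothetical.
function Invoke-RepairBdeToImage {
    param(
        [Parameter(Mandatory)][char]  $SourceDriveLetter,  # BitLocker volume, e.g. 'D'
        [Parameter(Mandatory)][string]$ImagePath,          # e.g. 'C:\Windows-FAQ\imagefile.img'
        [Parameter(Mandatory)][string]$LogPath             # file passed to -lf
    )

    if ($ImagePath -notmatch '^[A-Za-z]:\\') {
        throw "ImagePath must be an absolute path with a drive letter."
    }
    $destLetter = [char]::ToUpper($ImagePath[0])
    if ($destLetter -eq [char]::ToUpper($SourceDriveLetter)) {
        throw "The image must not be written to the volume being repaired."
    }
    if (Test-Path -LiteralPath $ImagePath) {
        throw "Refusing to overwrite existing file $ImagePath."
    }

    # The image is as large as the whole source volume, not just the used space.
    # The partition size comes from the partition table, so it does not depend
    # on the volume being unlocked.
    $needed = (Get-Partition -DriveLetter $SourceDriveLetter).Size
    $dest   = Get-Volume -DriveLetter $destLetter

    # FAT32 cannot store a single file of 4 GB or more.
    if ($dest.FileSystem -eq 'FAT32' -and $needed -ge 4GB) {
        throw "Destination is FAT32 and cannot hold a $([math]::Round($needed/1GB,1)) GB image file."
    }
    if ($dest.SizeRemaining -lt $needed) {
        throw ("Destination {0}: has {1:N1} GB free, image needs {2:N1} GB." -f
               $destLetter, ($dest.SizeRemaining/1GB), ($needed/1GB))
    }

    # -pw prompts for the password; -lf writes status information to the log.
    & repair-bde.exe "${SourceDriveLetter}:" $ImagePath -pw -lf $LogPath
    if ($LASTEXITCODE -ne 0) {   # assumption: non-zero exit code means failure
        throw "repair-bde exited with code $LASTEXITCODE; see $LogPath."
    }
    Get-Item -LiteralPath $ImagePath | Select-Object FullName, Length
}

# Values from the walkthrough above; the log path is an assumption.
Invoke-RepairBdeToImage -SourceDriveLetter D -ImagePath 'C:\Windows-FAQ\imagefile.img' -LogPath 'C:\Windows-FAQ\repair-bde.log'
```

The resulting image and log are unencrypted copies of the protected data, so store them on a volume with appropriate access control and delete them securely once recovery is finished.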
– Display of the Bitlocker encryption settings with “Manage-BDE”
– No TPM can be used on this device … Use BitLocker under Hyper-V