Repair or decrypt Bitlocker with the Bitlocker repair tool “Repair-BDE”

Repair or decrypt Bitlocker with the Bitlocker repair tool Repair-BDE

Bitlocker is the Windows encryption tool for every Windows installation or for important data carriers. We have described in detail how you can activate and set up Bitlocker under Windows 10 in our article ” Activate BitLocker encryption with Windows 10 “. You can find more Bitlocker tips and tricks at the end of this article.

However, if there should be problems with the Bitlocker data carrier , you can use the Windows own tool “Repair-BDE” . This standard Bitlocker tool is supplied with every Windows installation (including Windows Server) and allows you to repair a Bitlocker data carrier as well as decrypt it and save it on another data carrier.

Repair-BDE tries to repair or decrypt a damaged and BitLocker-encrypted volume using the recovery information provided.

WARNING: To avoid complete data loss when performing this Bitlocker Repair Tool, a replacement hard drive should be available. Uses this hot spare to store decrypted output there or to back up the contents of the damaged volume to that disk.

So that the functionality is easier to understand, first of all the complete parameter list of the Repair-BDE Tool .

Repair PDA parameters

Repair PDA parameters Description of the Repair-BDE parameters
Input volume The volume to be repaired encrypted by BitLocker.
Example: “C:”,
“\? Volume {26a21bda-a627-11d7-9931-806e6f6e6963}”.
OutputVolumeOderImage The volume to store decrypted content
or the file location to create an image file of
the content.
Examples: “D:”, “D: imagefile.img”. WARNING: All information on this output volume
will be overwritten.
-rk or -RecoveryKey Provide an external key to unlock the
volume.
Example: “F: recoveryKey.bek”.
-rp or -RecoveryPassword Enter a numeric password to unlock the
volume.
Example: “111111-222222-333333-…”.
-pw or -Password Enter a password to unlock the volume.
-kp or -KeyPackage Optional. Provide a key package to unlock the
volume.
Example: “F: ExportedKeyPackage”
If this option is empty, the key package is automatically
searched for. This option is only required if the
tool requires it.
-lf or -LogFile Optional. Provide a path to a file that
stores status information.
Example: “F: log.txt”.
-f or -Force Optional. Using this parameter
forces the volume to be unmounted
even if it cannot be locked. This option is only
required if the tool requires it.
-? or /? Displays the Repair-BDE help

Examples of repair PDA

repair-bde C: D: -rk F: recoveryKey.bek -Force
repair-bde C: D: -rp 111111-222222- […] -lf F: log.txt
repair-bde C: D: -kp F: KeyPackage -rp 111111-222222- […] repair-bde C: D: imagefile.img -kp F: KeyPackage -rk F: recoveryKey.bek
repair-bde C: D: -pw

Execution of a Bitlocker decryption

Using an example, we would like to show you below that BDE-REPAIR works. We would like to decrypt our 64GB USB stick, which is encrypted with Bitlocker , and have an IMAGE file created for it, which also has all the data, but is no longer encrypted with Bitlocker .

We then used the following parameter:

repair-bde D: C: Windows-FAQ imagefile.img -pw

Below you can see the complete implementation of the Bitlocker decryption .

Enable BitLocker encryption on Windows 10

We have listed the entire text again below.

BitLocker Drive Encryption: Repair Tool, version 10.0.18362
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Enter the password to unlock the volume:
The search for BitLocker metadata will start.

The starting sectors are searched for the pointer to metadata:
The starting sectors are searched for the pointer for metadata:
The starting sectors are searched for the pointer for metadata:
100%
search for BitLocker metadata has been completed.
PROTOCOL INFORMATION: 0x0000002a
Valid metadata at offset “41943040” was found at
search level “1”.
PROTOCOL INFORMATION: 0x0000002b
repair context was created.
Decryption has started.
Decryption: 100% complete.
Decryption has been completed.

After issuing the command, the Bitlocker password must still be entered in this case . This password is not visible as you type. If you don’t want to enter the Bitlocker password , you can also transfer the Bitlocker key in a .BEK file using the “-rk” parameter .

Using this command, Repair-BDE has now decrypted the entire USB data carrier and created an image file with the name ” IMAGEFILE.IMG ” in the directory ” C: Windows-FAQ ” . This image file, which you can open with 7-Zip , for example , contains all files and folders from the former Bitlocker USB stick , but in unencrypted form.

When producing the IMG file , however, it should be noted that BDE-Repair creates this image file as large as the total storage space of the data carrier. In our case it was a 64 GB USB stick and thus the image file is 60 GB in size, even though the data contained only occupied 1 GB. This should also be taken into account when repairing a Bitlocker data carrier so that the target data carrier can in any case record the entire data of the Bitlocker source drive .

Also useful is the parameter “-lf” , which then logs all outputs in a log file .

If you are interested in further Bitlocker tips and tricks , we recommend the following articles.

– Display of the Bitlocker encryption settings with “Manage-BDE”
– No TPM can be used on this device … Use BitLocker under Hyper-V

administrator