BitLocker enabled on the 2nd partition: drive issue

Hi,

First time using BitLocker and I think I made a mistake. My OS is Windows 7. I initially had my OS partition encrypted with BitLocker and I have the key printed out. Then I enabled BitLocker on the 2nd partition. Does this also change the BitLocker key on the first (OS) partition? After the 2nd partition was encrypted, I saved the key file on the OS partition. I then rebooted the machine, and the initial BitLocker key for the first partition is not working. I did not print out the 2nd partition's BitLocker key, so I cannot get into Windows. Could someone advise how to solve this?

Thanks a lot.
Cworker Smith asked:
McKnife commented:
Hi.

Encrypting a second partition does not change the first partition or its key, no. So it sounds weird.
When you say the "initial key", would that mean you had to enter a key to start BitLocker? Because with Win7 we cannot set up a password for BitLockered OS drives, so your key, what is it, the recovery key? This key will not change until we decrypt and re-encrypt a drive; it simply has to work.

Please look for the key identifier that is shown on the bitlocker screen you are presented with - does it match the identifier in {such brackets} that you have printed out?
Cworker Smith (author) commented:
Hi Mcknife,

Thanks for replying. Yes, I meant Bitlocker recovery key.

To clarify the issue, I will list the steps of how I got there:
1. I got a new laptop with BitLocker enabled on the OS partition (the C drive). I used and restarted the laptop a few times without any BitLocker key prompt.
2. I shrank the OS partition (C drive) to make space to create a 2nd partition (D drive).
3. I rebooted the machine. The system said something like root information was changed, and it required the BitLocker recovery key.
4. I entered the BitLocker recovery key that came with the laptop and was able to boot into Windows.
5. I installed some software and restarted the laptop a few times without a BitLocker key prompt.
6. I enabled BitLocker on the 2nd partition (D drive) and chose 'Automatically unlock this drive on this computer' as the unlock option. After the 2nd partition was encrypted, I chose to save the BitLocker recovery key file on the OS partition (C drive); I did not print it out or save it to Active Directory. I took a quick glance at the key file and noticed the Key ID is different from the one that initially came with the laptop. I was not familiar with BitLocker, so I thought maybe different partitions use different recovery keys.
7. I rebooted the laptop. And again, it asked for the BitLocker recovery key before Windows booted.
8. This time, I noticed the Key ID is not the same one that initially came with the laptop, and the initial recovery key is no longer working. I think I probably have to enter the recovery key generated when the 2nd partition was encrypted. But the key file is saved on the OS drive, and I cannot access it.

My questions are:
1. How come the BitLocker recovery key for booting into Windows changed after I enabled BitLocker on the 2nd partition?
2. Any way to recover?

Thanks for any help!
McKnife commented:
1. There's no explanation for this. But I can tell you (as I have encrypted hundreds of installations with BL) that recovery keys will match forever unless we decrypt and re-encrypt the drive. So if your steps were carried out as listed, there's no explanation for why the Key ID (and the key) would change for C:.
I have done what you did (first C:, then D: with auto-unlock) dozens of times; it just works as expected.

2. Key IDs don't change. There are bugs in BitLocker, too, but IDs don't change. The ID you see in the prompt you are facing will belong to some encrypted partition. Your list of steps cannot be complete, although I guess you are sure it is.
To recover your data (if any is saved on it), boot Windows setup and, instead of going into the installation menu, press Shift+F10; this will bring up a command prompt. At that prompt, you can start Notepad and use Notepad's File > Open dialog to see the drive letters. After identifying the drive letter for your C: partition and your data partition, return to the command prompt and use
manage-bde -status c:
(c: is an example letter) to get the status of the drive and
manage-bde -protectors -get c:
to get the protector ID of c:
If that ID matches what you have printed, you can use the recovery key this way:
manage-bde -unlock c: -rp
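As an added example (not code from the thread, and not McKnife's), the manage-bde steps above wrapped in PowerShell: it reads the protector IDs of every volume with manage-bde -protectors -get, reports which volume, if any, carries the identifier printed on the recovery sheet, and only then runs manage-bde -unlock -rp against that volume. A printed ID that matches no protector on any volume means the recovery password on disk has been replaced (what a centrally rotated key looks like), not a typo. Assumptions: manage-bde.exe is on PATH (it is on Windows 7 and in the Windows setup / WinRE prompt); PowerShell is available in that environment (the Shift+F10 prompt in Windows 7 setup is cmd.exe, so a WinPE image with the PowerShell component may be needed, otherwise type the same manage-bde calls by hand); the drive letters C:, D:, E: are placeholders; the function names are mine. Written for PowerShell 2.0 (Windows 7 ships no BitLocker cmdlets, hence the wrapping of manage-bde).

```powershell
# Added example, not code from the original thread. Wraps the manage-bde steps
# McKnife describes. Assumptions: manage-bde.exe is on PATH, PowerShell is
# available in the recovery environment, drive letters are placeholders.

function Get-BdeProtectors {
    # One object per key protector on $Drive: protector type and {GUID} ID.
    # manage-bde prints the type on one line ("Numerical Password:") and the ID
    # on the next ("ID: {...}"); the regex pairs them. IDs are printed even while
    # the volume is locked, which is what makes this usable from WinRE.
    param([Parameter(Mandatory = $true)][string]$Drive)
    $text = (& manage-bde.exe -protectors -get $Drive 2>&1) | Out-String
    $pattern = '(?<type>[^:\r\n]+):\s*[\r\n]+\s*ID:\s*(?<id>\{[0-9A-Fa-f-]{36}\})'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        New-Object PSObject -Property @{
            Drive = $Drive
            Type  = $m.Groups['type'].Value.Trim()
            Id    = $m.Groups['id'].Value.ToUpperInvariant()
        }
    }
}

function Find-BdeVolumeForKeyId {
    # Returns the Numerical Password protector whose ID starts with the printed
    # identifier, or $null. $PrintedKeyId may be the full {GUID} from the key
    # file or just the 8 characters the blue recovery screen shows.
    param([Parameter(Mandatory = $true)][string]$PrintedKeyId,
          [string[]]$Drives = @('C:', 'D:', 'E:'))
    $wanted = ($PrintedKeyId -replace '[{}\s]', '').ToUpperInvariant()
    if ($wanted.Length -lt 8) { throw 'Give at least the first 8 characters of the key identifier.' }
    foreach ($d in $Drives) {
        foreach ($p in @(Get-BdeProtectors -Drive $d)) {
            $bare = $p.Id -replace '[{}]', ''
            if ($p.Type -eq 'Numerical Password' -and $bare.StartsWith($wanted)) { return $p }
        }
    }
    return $null
}

function Unlock-BdeVolume {
    # manage-bde -unlock <drive> -RecoveryPassword (alias -rp) <48 digits>.
    param([Parameter(Mandatory = $true)][string]$Drive,
          [Parameter(Mandatory = $true)][string]$RecoveryPassword)
    $rp = $RecoveryPassword -replace '\s', ''
    if ($rp -notmatch '^(\d{6}-){7}\d{6}$') {
        throw 'A BitLocker recovery password is 8 groups of 6 digits separated by hyphens.'
    }
    & manage-bde.exe -unlock $Drive -RecoveryPassword $rp | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -unlock $Drive failed (exit code $LASTEXITCODE)." }
}

function Invoke-BdeRecovery {
    # Lists every volume's protector IDs, finds the one matching the printed
    # sheet, unlocks it. No match on any volume: the printed key is stale.
    param([Parameter(Mandatory = $true)][string]$PrintedKeyId,
          [Parameter(Mandatory = $true)][string]$RecoveryPassword,
          [string[]]$Drives = @('C:', 'D:', 'E:'))
    foreach ($d in $Drives) {
        Get-BdeProtectors -Drive $d |
            ForEach-Object { Write-Host ("{0}  {1,-18} {2}" -f $_.Drive, $_.Type, $_.Id) }
    }
    $hit = Find-BdeVolumeForKeyId -PrintedKeyId $PrintedKeyId -Drives $Drives
    if ($null -eq $hit) {
        Write-Warning "No volume carries key ID $PrintedKeyId; the printed recovery key no longer matches any protector on this disk."
        return
    }
    Write-Host "Printed key ID matches $($hit.Drive); unlocking."
    Unlock-BdeVolume -Drive $hit.Drive -RecoveryPassword $RecoveryPassword
}

# Example call (values are placeholders, not a real key):
# Invoke-BdeRecovery -PrintedKeyId '4F0A5C2E' -RecoveryPassword '123456-123456-123456-123456-123456-123456-123456-123456'
```

The check on the Numerical Password ID before unlocking matters because manage-bde will happily report a failed unlock for the wrong volume, which is what "failed on both d: and e:" further down looks like.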


Cworker Smith (author) commented:
Thanks McKnife.

My drive partitions:
c: manufacturer recovery partition
d: OS partition
e: Data partition

It's weird that the manage-bde -status command shows lots of 'Unknown':

>manage-bde -status d:

Volume D: [Label Unknown]
[Data Volume]
    Size:                 Unknown GB
    BitLocker Version:    Windows 7
    Conversion Status:    Unknown
    Percentage Encrypted: Unknown%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Unknown
    Lock Status:          locked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:
        TPM
        Numerical Password


>manage-bde -status e:
Volume E: [Label Unknown]
[Data Volume]
    Size:                 Unknown GB
    BitLocker Version:    Windows 7
    Conversion Status:    Unknown
    Percentage Encrypted: Unknown%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Unknown
    Lock Status:          locked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:
        Numerical Password
        External Key

I've tried manage-bde -unlock d: -rp with the original recovery key, but it failed on both d: and e:.
McKnife commented:
The status will present lots of "unknowns", that's normal, because the drive is locked.
But what about my other command, manage-bde -protectors -get c:?
What ID did it show, the expected one or an unknown one, or what?
McKnife commented:
Another comment: the external key you used for D: was saved to C: ...
This is of course a bad idea. Luckily, with Win8.x and 10 we cannot do this anymore; we have to save it elsewhere.
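Added example (my code, not from the thread) of the practice McKnife is pointing at: a backup routine that reads each volume's recovery password with manage-bde -protectors -get and refuses to write it onto a BitLocker-protected volume of the same machine, so the key file cannot end up locked away with the data it protects, as happened here. It also shows escrow to Active Directory with manage-bde -protectors -adbackup for domain-joined machines. Assumptions: manage-bde.exe on PATH; the volumes are already unlocked (manage-bde only prints the 48-digit password for an unlocked volume); a domain prepared with the BitLocker recovery schema for the AD part; drive letters and paths are placeholders; function names are mine. Written for PowerShell 2.0 since Windows 7 has no BitLocker cmdlets.

```powershell
# Added example, not code from the original thread. Assumptions: manage-bde.exe on
# PATH, volumes unlocked, drive letters / paths are placeholders.

function Test-BdeProtectedPath {
    # $true when $Path sits on a local volume that manage-bde reports as anything
    # other than "Fully Decrypted". UNC paths are not local volumes: $false.
    # A local volume manage-bde cannot describe is treated as protected (fail closed).
    param([Parameter(Mandatory = $true)][string]$Path)
    $qualifier = Split-Path -Qualifier -Path $Path        # "E:" or "\\server\share"
    if ($qualifier -notmatch '^[A-Za-z]:$') { return $false }
    $status = (& manage-bde.exe -status $qualifier 2>&1) | Out-String
    if ($status -match 'Conversion Status:\s*Fully Decrypted') { return $false }
    return $true
}

function Export-BdeRecoveryPasswords {
    # Reads every Numerical Password protector (ID + 48-digit password) and writes
    # them tab-separated to $Destination. Returns the number of passwords written.
    param([Parameter(Mandatory = $true)][string]$Destination,
          [string[]]$Drives = @('C:', 'D:', 'E:'))
    # Resolve relative paths without requiring the file to exist yet.
    $full = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Destination)
    if (Test-BdeProtectedPath -Path $full) {
        throw "Refusing to save recovery passwords to '$full': it is on a BitLocker-protected volume of this computer. Use removable media, a network share or AD."
    }
    # manage-bde -protectors -get prints, per Numerical Password protector:
    #     ID: {GUID}
    #     Password:
    #       123456-123456-...        (only while the volume is unlocked)
    $pattern = 'ID:\s*(?<id>\{[0-9A-Fa-f-]{36}\})\s*Password:\s*(?<pw>(?:\d{6}-){7}\d{6})'
    $rows = @()
    foreach ($d in $Drives) {
        $text = (& manage-bde.exe -protectors -get $d 2>&1) | Out-String
        foreach ($m in [regex]::Matches($text, $pattern)) {
            $rows += ("{0}`t{1}`t{2}" -f $d, $m.Groups['id'].Value, $m.Groups['pw'].Value)
        }
    }
    if ($rows.Count -eq 0) { throw 'No recovery passwords read; unlock the volumes first.' }
    Set-Content -Path $full -Value (@("Drive`tIdentifier`tRecoveryPassword") + $rows) -Encoding ASCII
    return $rows.Count
}

function Backup-BdeProtectorToAd {
    # Escrows one recovery password protector to Active Directory
    # (manage-bde -protectors -adbackup). Needs a domain-joined machine and a
    # domain with the BitLocker recovery schema; returns $true on success.
    param([Parameter(Mandatory = $true)][string]$Drive,
          [Parameter(Mandatory = $true)][string]$ProtectorId)
    & manage-bde.exe -protectors -adbackup $Drive -id $ProtectorId | Out-Host
    return ($LASTEXITCODE -eq 0)
}

# Example calls (placeholders):
# Export-BdeRecoveryPasswords -Destination 'F:\bitlocker-keys.txt'          # F: = USB stick
# Export-BdeRecoveryPasswords -Destination '\\fileserver\keys\laptop.txt'   # network share
# Export-BdeRecoveryPasswords -Destination 'C:\Users\me\keys.txt'           # throws: C: is encrypted
# Backup-BdeProtectorToAd -Drive 'C:' -ProtectorId '{4F0A5C2E-0000-0000-0000-000000000000}'
```

The refusal is deliberately based on what manage-bde reports rather than on the drive letter, because letters move around (C:, D:, E: are assigned differently under WinRE than under the running OS, as the status output above shows).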
Cworker Smith (author) commented:
I ran manage-bde -protectors -get d: (and on e:)
I got unknown IDs (different from the original ID that came with laptop) for both partitions.

I know I made a mistake saving the key file to C, thinking as long as I have the original recovery key to OS partition, I can always look up the file. (Bad idea)

I still cannot understand why the ID and recovery key for the OS partition changed. All I did was enable BitLocker on the new partition, without changing anything on the OS partition.

Well, is there anything I can do? Or do I just have to wipe and reinstall the drive?

Thanks!
McKnife commented:
Nothing you can do, sorry. Or do you have a backup of c: somewhere?
Cworker Smith (author) commented:
The problem is solved. It turned out it was caused by an enterprise key change from company IT.

Thanks, McKnife.
Cworker Smith (author) commented:
Learned a lot from your responses. Thanks.