Manage bde: the BitLocker tool in command prompt
disk-partition-formatting 2020-11-12 18:40:39
Manage-bde is a command line tool for administering BitLocker . You can embed it in s or use it to manage your encrypted disks from the Windows command prompt
. Indeed, manage-bde offers additional options not present in the BitLocker control panel. In this article, you will see how to use manage-bde to manage and administer the encryption of your disks .
Table of contents 1 Introduction to manage-bde 1.1 The parameters of manage -bde 1.2 Manage the protection methods of the encryption key BitLocker 2 Manage -bde: the BitLocker tool in command prompt 2.1 Encrypt a disk with BitLocker 2.1.1 Add protection of the private key and encrypt the disk 2.2 Encrypt system disk with BitLocker 2.3 Lock, unlock an encrypted disk 2.4 Display the status of an encrypted disk 2.5 Change password or the PIN code 2.6 Manage the protections of the encryption key (protectors) 2.7 Decrypt and disable BitLocker encryption 3 Links 4 Introduction to manage-bde The parameters of manage-bde Like all Windows commands, we use the parameter /? to display the help and get the list of parameters: manage-bde /?
Which gives this list and following table. Parameters Deionstatus Provides information on volumes compatible with BitLocker . on Encrypts the volume and turns on BitLocker protection. off Decrypts the volume and disables BitLocker protection. pause Pauses encryption, decryption, or clearing of free space. resume Resumes encryption, decryption, or clearing of free space lock Prohibits access to data encrypted by BitLocker unlock Allows access to data encrypted by BitLocker. autounlock Handles automatic unlocking of data volumes protectors Handles methods of protection for the encryption key. See next paragraph SetIdentifier Configure the identification field for a volume ForceRecovery Force recovery of a BitLocker protected operating system during startup changepassword Change password for a data volume changepin Change PIN code for a volume changekey Modifies the startup key for a volume KeyPackage (or -kp) Generate a key package for a volume upgrade Upgrade the version of BitLocker WipeFreeSpace (or -w) Clear free space on the volume ComputerName (or -cn) Runs on another computer List of manage-bde parameters and commands Manage BitLocker encryption key protection methods To protect the volume encryption key, BitLocker adds layers to protect it, called protectors. manage-bde allows to manage the protection methods of the BitLocke encryption key r via the -protectors parameter . This allows to configure how the encryption key is protected and how Windows will decrypt the disk when the PC starts up. Three methods are possible: automatically via the secure platform TPM - TPM (Trusted Platform Module)
entering a digital password a certificate file insertion from a USB key Several protectors of type Numeric password / Recovery password can be active on a volume . For this several sub-parameters to -protectors can be used: Parameters Deion get Displays all the key protection methods enabled ondrive and provide their type and identifier (ID) add Add key protection methods as specified using additional -add parameters delete Removes key protection methods used by BitLocker. When a drive"s last protector is removed, BitLocker protection for the drive is disabled to ensure that data access is not inadvertently lost disable Disables protection, which will allow anyone to access encrypted data by making the encryption key available unsecured on the disk. No key protector is removed. Protection will resume the next time Windows starts unless the optional -disable parameters are used to specify the number of restarts enable Enables protection by removing the insecure encryption key from the drive. All protectorKey s configured on the drive will be applied adbackup Backs up all recovery information for the specified drive in Active Directory Domain Services (AD DS) aadbackup Backs up all recovery information for the specified drive in Azure Active Directory (Azure AD) List of manage-bde protectors sub-parameters Some additional information about BitLocker encryption methods: An AES128 symmetric encryption key
is used to encrypt the volume itself. To change this volume encryption key, you must re-encrypt the entire volume. BitLocker never changes the volume encryption key (unless BitLocker is turned off [not suspended] and then back on. Different types of protectors exist Any single protectorcan unlock the volume encryption key by itself. Manage- bde: the BitLocker tool in command prompt Encrypt a disk with BitLocker Encrypting a disk with BitLocker from the command line with manage-bde is not complicated. You need: first use the command with the -protectors parameter to indicate the type of protection of the encryption key then we pass the command to encrypt the disk with the -on option and the drive letter of the disk Add private key protection and encrypt thedisk In this example, we use manage-bde to encrypt the C drive . Before that, we create a startup key needed for BitLocker on USB drive E :. After BitLocker encryption is complete, the USB startup key must be inserted before you can start the operating system. This is for use on PCs without TPM (Trusted Platform Module)
. manage-bde –protectors -add C: -startupkey E: manage-bde -on C: In this other example, we protect the encryption key with a password , using manage-bde like this: manage-bde -protectors -add -pw C: manage-bde -on C: And if you want to encrypt a disk with a certificate file from the command line: manage-bde -protectors -add E: -certificate -cf c: File Folder Filename.cer manage-bde -on E: Finally on PCs with TPM support, the encryption key then uses the secure platform and Windows can start without a USB key or password. manage-bde -on C: As stated before, you can define multiple encryption key protections . For example, if you have set TPM and password, you can make TPM privileged with these commands. Activate TPM in this way: manage-bde tpm -turnon To take ownership of the TPM and set the owner"s password on MalekalcomSuperSite666, type: manage-bde tpm takeownership MalekalcomSuperSite666 The status command allows you to check the protections used. See the paragraph below in this article for more details. Encrypt system disk with BitLocker Here are the complete steps for encrypt the system disk with BitLocker using manage-bde . In this example, we use password protection. Which gives: manage-bde -protectors -add -pw C: manage-bde -on C: After the first command, you must enter the password twice. Then you are told that you must restart the PC in order to test the hardware.
Then we enter the password to decrypt the drive BitLocker.
If all goes well , disk encryption begins. You can check its progress with the -status parameter. manage-bde -status The information is in the percentage percentage .
Lock, unlock an encrypted disk With the parameters lock and unlock from manage-bde , you can lock and unlock an encrypted disk at any time at the command prompt. The syntax is not complex at all since it suffices to indicate theletter u encrypted drive. Which gives these examples of the following command lines. To lock disk D : manage-bde –lock D: To unlock disk D : manage-bde –unlock D: E t then if you have to unlock the disk E from from the BitLocker recovery key from the command line: manage-bde -unlock D: -RecoveryPassword Your-key-from -recover Or if the BitLocker recovery key is in the form of a file: manage- bde –unlock E: -recoverykey F: Backupkeys recoverykey.bek Display the status of an encrypted disk manage-bde allows to display the status of an online disk fromcommands. The following information is then obtained: The size of the disk The version of BitLocker used The status of conversion, indicates whether the disk is encrypted or not encrypted by BitLocker The percentage of the encrypted disk The encryption method The state of the protection (activated, deactivated, suspended) The key protectors: TPM, digital password or USB key On an unencrypted disk, the conversion status is fully decrypted .
On a disk encrypted by BitLocker, we get this. In particular here we see the method of encryption in XTS-AES 128 . The state is unlocked and therefore the data is accessible. Finally the protection of the key is done by TPM and numeric password.
Change password or PIN code manage-bde also manages changes of passwords or PIN code of your BitLocker encrypted drives. To change the password used to unlock BitLocker on data drive D, type: manage-bde -changepassword E: To change the PIN code used with BitLocker on drive E, type: manage-bde -changepin E: As a bonus, to create a new startup key on drive E, for use with BitLocker encryption on drive C, type: manage-bde -changekey C: E: Manage the protections of the encryption key (protectors) The -protectors parameter of manage-bde is used to manage the protection of the BitLocker encryption key in the command prompt. You can: -add : add protection to the key -delete : remove protection from the key -disable : deactivate the protector and reactivate it in X restart Deactivate the protector by indicating with the parameter -rc in how many restarts it must be reactivated. For example, to disable the protection of disk C and re-enable it in two reboots: manage-bde -protectors -disable C: -rc 2 For PCs in companies, it is also possible to save the protection in Active Directory thanks to the parameter -adbackup : manage-bde -protectors -adbackup C: To remove all TPM based key protectors and startup keys on drive C, type: manage-bde -protectors -delete C: -type tpmandstartupkey Note that you can also completely empty the TPM data via the following command: Clear-TPM For more details: Enable / disable TPM on Windows 10 and in the BIOS of your PC
Decrypt and disable BitLocker encryption Finally here is how to decrypt the drive and disable BitLocker in liorders. In this example, we disable BitLocker on drive C: manage-bde –off C: All key protectors are removed after decryption is complete. Links BitLocker: encrypt your Windows 10 Pro system disk BitLocker: use a recovery key How to encrypt (encrypt) your USB drive with BitLocker Enable / disable TPM on Windows 10 and in the BIOS of his PC What is TPM (Trusted Platform Module)?
You found this article useful and interesting, do not hesitate to share it ... Manage-bde: the BitLocker tool in command prompt