I enabled BitLocker for my drives from the command prompt a few days ago, and I remember saving the external key and recovery key to a specific location. But the weird thing is that I can’t find either of them in that location. How can I retrieve them? And can I unlock the BitLocker drive with only the BitLocker BEK file?
Don’t worry: it is usually easy to retrieve your BitLocker BEK file from the file system and use it to unlock your drive.
If you added another protector to the drive, such as a BitLocker password, you can simply unlock it with that password. If the drive is protected only by an external key and a recovery password, you first need to find where the BEK file (or the document in which you saved the recovery password) is.
The ".BEK" file is a recovery key file used by BitLocker, a built-in encryption feature in Windows. When BitLocker encrypts a drive, it creates a recovery key to help users regain access to their encrypted data if they forget their password or if the system detects potential security risks.
The file is a binary file format containing critical information needed to unlock the drive. It is typically generated when BitLocker is initially set up and can be saved to drives, including USB drive.
The ".BEK" file serves as a safeguard, ensuring that you can recover your data even if you cannot remember your BitLocker password.
Microsoft BitLocker lets you add both an external key protector and a recovery password protector when enabling BitLocker Drive Encryption. The steps, using manage-bde from an elevated command prompt, are as follows:
Step 1 Make sure the drive is BitLocker-enabled. If it is not, run the following command to turn BitLocker on for the drive:
manage-bde -on g:
Step 2 Then run the command below to add the two key protectors to the drive:
manage-bde -protectors -add g: -rp -rk d:\test\
"g:" is the drive you are encrypting. -rp adds a 48-digit numerical recovery password, which the command prints; -rk adds an external key protector and writes it as a hidden, system file named <protector ID>.BEK in d:\test\. That folder can be on another internal drive or on a USB drive, but it should not be on g: itself.
Step 3 Copy the output into a separate document: the BEK file location and name, the external key ID, the recovery password ID and the 48-digit recovery password itself. Store that document, and ideally a copy of the BEK file, somewhere other than this computer (a USB drive kept offline, a password manager, or Active Directory/Entra ID if the machine is domain-joined). As long as the drive is unlocked, manage-bde -protectors -get g: displays the same information again; do not rely on that once the drive has been locked.
Step 4 Run the command from Step 1 again (manage-bde -on g:) so that encryption proceeds with the protectors you just added.
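The same procedure as a script, using the BitLocker PowerShell cmdlets instead of manage-bde. This is an added example, not code from the original article; the drive letter G:, the folder D:\test and the record file name are assumptions to be adjusted. It adds a recovery-password protector and an external-key protector, reads back the protector IDs and the BEK file name exactly as manage-bde -protectors -get reports them, verifies that the hidden BEK file exists, and writes everything needed for recovery to a record file.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): enable BitLocker on a data
# drive with a 48-digit recovery password AND an external key (.BEK), then
# record the recovery material. $Drive, $BekFolder, $RecordFile are assumed.
param(
    [string]$Drive      = 'G:',
    [string]$BekFolder  = 'D:\test',
    [string]$RecordFile = 'D:\test\bitlocker-recovery-record.txt'
)
$ErrorActionPreference = 'Stop'

$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.ProtectionStatus -eq 'On') {
    Write-Warning "$Drive is already protected; no protectors were added."
    return
}
if (-not (Test-Path -LiteralPath $BekFolder)) {
    New-Item -ItemType Directory -Path $BekFolder | Out-Null
}

# Protector 1: the numerical recovery password (manage-bde -rp). BitLocker
# generates the 48 digits itself; they are readable back while the drive is unlocked.
Enable-BitLocker -MountPoint $Drive -RecoveryPasswordProtector | Out-Null

# Protector 2: an external key (manage-bde -rk). BitLocker writes <ID>.BEK into
# $BekFolder with the hidden and system attributes set.
Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryKeyProtector -RecoveryKeyPath $BekFolder | Out-Null

# Read the protectors back; this is the same data manage-bde -protectors -get prints.
$vol = Get-BitLockerVolume -MountPoint $Drive
$rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
$ek  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'ExternalKey' }
$bekPath = Join-Path $BekFolder $ek.KeyFileName

# Explorer and a plain Get-Item skip hidden/system files; -Force includes them.
$bek = Get-Item -LiteralPath $bekPath -Force
Write-Host "BEK file written: $($bek.FullName) [$($bek.Attributes)]"

# The record plus the BEK file unlock the drive on their own: move both off this
# machine (offline USB, password manager, AD/Entra ID) before relying on them.
$record = @"
Drive:                $Drive
External key ID:      $($ek.KeyProtectorId)
BEK file:             $bekPath
Recovery password ID: $($rp.KeyProtectorId)
Recovery password:    $($rp.RecoveryPassword)
"@
Set-Content -LiteralPath $RecordFile -Value $record
Write-Host "Recovery record written to $RecordFile"

[pscustomobject]@{
    Drive              = $Drive
    ExternalKeyId      = $ek.KeyProtectorId
    BekFile            = $bekPath
    RecoveryPasswordId = $rp.KeyProtectorId
    EncryptionStatus   = $vol.VolumeStatus
}
```

Run it as a .ps1 from an elevated PowerShell prompt. Encryption continues in the background after the script returns; Get-BitLockerVolume -MountPoint G: shows the progress. Note that the script leaves the record file on D:, which is only acceptable as a staging step; the whole point of Step 3 is that the recovery material ends up somewhere the computer itself does not hold.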
Note: If you saved the BEK file to a USB drive, you only need to plug it in and choose "Load from USB drive" in the unlock window; the system reads the BEK file from the USB drive and unlocks the drive. If you lose that USB drive or delete the BEK file from it, this option no longer works. Remember that the USB drive is then a key to your data: whoever holds it can unlock the drive.
If you enabled BitLocker following the steps above but did not copy and save the recovery information, you can still read it with manage-bde -protectors -get g: while the drive is unlocked. Once the drive is locked, the recovery password is no longer displayed and there is nowhere else to recover it from.
When you need to unlock the drive, the unlock window only offers the recovery key (the 48-digit password) and "Load from USB drive". If you saved the BEK file to a disk inside the computer rather than to a USB drive, that option does not apply and the unlock fails with an error.
So you cannot unlock the drive directly this way. Instead, locate the BEK file first and use the command line to unlock the drive with it:
Step 1 Open an elevated command prompt and run the following command:
manage-bde -protectors -get g:
The output lists every protector on the drive: the "External Key" entry shows the BEK file name (the protector ID followed by .BEK), and the "Numerical Password" entry shows the recovery password ID.
Step 2 Go to the folder where you stored the BEK file. Because BitLocker saves it with the hidden and system attributes, File Explorer does not show it by default; change the following settings to see it.
Step 3 In File Explorer, click the "View" tab, select "Options", and then click "Change folder and search options".
Step 4 In the pop-up window, select the "View" tab. Locate the "Hidden files and folders" section, and select "Show hidden files, folders, or drives".
Step 5 More importantly, scroll down and uncheck the "Hide protected operating system files (Recommended)" option. When the warning appears, choose "Yes".
Step 6 Click "Apply" -> "OK" to save the settings.
You should now be able to see the BEK file you saved earlier; its name matches the external key ID that manage-bde printed.
Once you have located the ".BEK" file and confirmed that its name matches the external key file name reported for the drive, you can use it to unlock your BitLocker-encrypted drive as follows:
Step 1 Type "cmd" in the search box, then press Ctrl+Shift+Enter (or right-click Command Prompt and choose "Run as administrator") to open an elevated prompt.
Step 2 Execute the following command to unlock the drive:
manage-bde -unlock g: -recoverykey "d:\test\A9EE139E-70B9-4212-B02A-874DC65B4F19.BEK"
#The "g:" is the drive to unlock, and following is the absolute file path for the BitLocker BEK file.
Now you can see that the drive is successfully unlocked. Once the drive is unlocked, you should have access to your files.
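The locate-and-unlock procedure above (reading the file name from the protector list, finding the hidden file, unlocking with it) as one script, using the BitLocker cmdlets. This is an added example and not code from the original article; the drive letter G:, the search roots C:\ and D:\, and the folder for a replacement key are assumptions. It goes one step further than the text: with -Rotate it replaces the external key protector after recovery, because every copy of the old BEK file would otherwise keep unlocking the drive.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): find the hidden .BEK file for a
# locked BitLocker data drive and unlock the drive with it. $Drive, $SearchRoots
# and $NewBekFolder are assumed values.
param(
    [string]$Drive        = 'G:',
    [string[]]$SearchRoots = @('C:\', 'D:\'),
    [string]$NewBekFolder = 'D:\test',
    [switch]$Rotate
)
$ErrorActionPreference = 'Stop'

$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.LockStatus -eq 'Unlocked') {
    Write-Host "$Drive is already unlocked."
    return
}

# The protector list is readable while the drive is locked (same data as
# manage-bde -protectors -get); it gives the exact file name <protector ID>.BEK.
$ek = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'ExternalKey' }
if (-not $ek) {
    throw "$Drive has no external key protector; unlock with Unlock-BitLocker -RecoveryPassword and the 48-digit password instead."
}
$fileName = $ek.KeyFileName
Write-Host "Looking for $fileName (external key ID $($ek.KeyProtectorId))"

# BitLocker stores the .BEK with hidden+system attributes, so Explorer and a
# plain Get-ChildItem skip it; -Force includes hidden and system files.
$bek = $null
foreach ($root in $SearchRoots) {
    $hit = Get-ChildItem -Path $root -Filter $fileName -File -Recurse -Force -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if ($hit) { $bek = $hit; break }
}
if (-not $bek) {
    throw "No $fileName found under $($SearchRoots -join ', '). Without it, or the recovery password, the drive cannot be unlocked."
}
Write-Host "Found $($bek.FullName) [attributes: $($bek.Attributes)]"

# Equivalent of: manage-bde -unlock G: -recoverykey "<path>\<ID>.BEK"
Unlock-BitLocker -MountPoint $Drive -RecoveryKeyPath $bek.FullName | Out-Null
$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.LockStatus -ne 'Unlocked') {
    throw "Unlock failed; check that $fileName really belongs to $Drive."
}
Write-Host "$Drive unlocked."

if ($Rotate) {
    # Any copy of the old .BEK still unlocks the drive. Add a fresh external key
    # first, then remove the old protector, so the drive is never left with fewer
    # protectors than before.
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryKeyProtector -RecoveryKeyPath $NewBekFolder | Out-Null
    Remove-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $ek.KeyProtectorId | Out-Null
    $newEk = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
             Where-Object { $_.KeyProtectorType -eq 'ExternalKey' -and $_.KeyProtectorId -ne $ek.KeyProtectorId }
    Write-Host "Old external key removed. New BEK file: $(Join-Path $NewBekFolder $newEk.KeyFileName)"
    Write-Host "Move the new file off this machine and delete the old copy."
}
```

Without PowerShell, the same search can be done from the command prompt with dir /a:hs /s, which lists hidden and system files that a normal dir omits. Whichever way you find the file, compare its name with the external key ID from the protector list before using it: a BEK file from another drive will simply fail to unlock this one.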
By following the steps outlined above, you can locate your ".BEK" file and use it to unlock your BitLocker-encrypted drive, so your data stays recoverable even when the usual unlock options are unavailable.
For added security, keep more than one copy of the recovery password and the BEK file, but in locations that are both safe and separate from the computer: a drive whose key is stored unprotected on the same machine is not really protected. After using a BEK file for recovery, consider replacing the external key protector, since any copy of the old file still unlocks the drive.