Manage BitLocker From Command Line, Manually Set Key to Same on All Systems

hsehestedt · Nov 22, 2024

I use BitLocker on the OS drive of every one of my systems. I have always found it to be a pain to manage all the BitLocker keys. Yes, I can store them online, and I even wrote a program to manage keys. But there is a much easier way that I thought I would share:

You can manually change the BitLocker key. I have done this so that all of my systems use the same key and it is a key that I can work out in my head so I have no need to record it anywhere.

To change the key, you need to first disable the existing key, then create a new key of your choosing.

NOTE: Changing the key does NOT require the drive to be re-encrypted. The change happens immediately. Here is how to accomplish this:

Change the Encryption Key on an OS Drive

Get the ID of the BitLocker encrypted volume like this:

manage-bde C: -protectors -get -type RecoveryPassword

NOTE: The ID shown in the next command below is only an example. Make sure to replace it with the ID you obtained in the above command.

Delete the current numerical password key:

manage-bde C: protectors -delete -id {48FFDC29-66BA-4C31-974F-407B06A3F7AB}

Create a new numerical password key:

manage-bde C: protectors -add -rp Numerical_Password_Key

IMPORTANT:

1) The Numerical Password Key is a 48-digit key made up of 8 groups of 6 numeric digits each.
2) Each 6-digit group must be evenly divisible by 11.
3) Each group of 6 digits must be less than 720896.
4) You can specify the key as one long string of 48 digits or as 8 groups of 6 digits each with a "-" separating each group.

As a bonus, below are all my notes on managing BitLocker from a command line. This is useful for scripting or if you are working with a headless system since some GUI BitLocker operations are not allowed via Remote Desktop but the command line options will work just fine. I put these notes in a code block simply because the formatting is much easier to read that way.

Code:

Managing BitLocker from the Command Line


Before you follow any of the steps below, note that you should replace drive letters that I show in the commands, such as C: or D:, with the correct
drive letter for your system.


*****************************
* Working with the OS Drive *
*****************************

   ********************************************
   * Encrypting an OS Drive not Yet Encrypted *
   ********************************************

If the drive is not yet encrypted, you can enable encryption like this:

manage-bde -on C: -rp -used -s -em xts_aes128

NOTE: The above command does not allow you to specify the key to be used. If you want to use a specific key, first encrypt the OS drive using the
command above (or use the GUI). Then use the steps below to change the key to a specific key that you can specify.

   ********************************************
   * Change the Encryption Key on an OS Drive *
   ********************************************

Get the ID of the BitLocker encrypted volume like this:

manage-bde C: -protectors -get -type RecoveryPassword

NOTE: The ID shown in the next command below is only an example. Make sure to replace it with the ID you obtained in the above command.

Delete the current numerical password key:

manage-bde C: protectors -delete -id {48FFDC29-66BA-4C31-974F-407B06A3F7AB}

Create a new numerical password key:

manage-bde C: protectors -add -rp Numerical_Password_Key

IMPORTANT:

1) The Numerical Password Key is a 48-digit key made up of 8 groups of 6 numeric digits each.
2) Each 6-digit group must be evenly divisible by 11.
3) Each group of 6 digits must be less than 720896.
4) You can specify the key as one long string of 48 digits or as 8 groups of 6 digits each with a "-" separating each group.




********************************************
* Working with Data Drives (Non-OS Drives) *
********************************************

   **********************************************
   * Encrypting a Data Drive (NOT the OS Drive) *
   **********************************************

To encrypt a data drive (NOT the OS drive), follow these steps:

manage-bde -on D: -pw -used -em xts_aes128

You will be asked to supply a password and then asked to confirm that password a second time.

   *********************************************
   * To Auto Unlock a Data Disk Once Encrypted *
   *********************************************

manage-bde -autounlock -enable D:

   ******************************
   * How to Disable Auto Unlock *
   ******************************

manage-bde -autounlock -disable D:

   *****************************************************
   * How to Clear BitLocker Auto Unlock for all Drives *
   *****************************************************

NOTE: In the command below, if your Windows drive has a drive letter other than C:, use that drive letter in the command.

manage-bde -autounlock -clearallkeys C:

   ***********************************
   * To Manually Unlock a Data Drive *
   ***********************************

manage-bde -Unlock D: -pw

pseymour · Nov 22, 2024

Eight random six-digit numbers divisible by 11... :wink:

Powershell:

720896..100000 |
ForEach-Object {
    [uint]$value = $_
    if (($value % 11) -eq 0) { Write-Output $value }
} | Get-Random -Count 8

Ghot · Nov 22, 2024

I read somewhere, that standard computers can't "really" generate random numbers.
Supposedly, you need a quantum computer for true random number generation.

This isn't where I initially read this, but it's an example...

MIT School of Engineering | » Can a computer generate a truly random number?

engineering.mit.edu

More...

Tutorial: Create a Quantum Random Number Generator - Azure Quantum

Build a Q# project that demonstrates fundamental quantum concepts like superposition by creating a quantum random number generator.

learn.microsoft.com

Just in case anyone is planning to store Swiss bank account numbers on a Bitlocked disk.

hsehestedt · Nov 22, 2024

pseymour said:
Eight random six-digit numbers divisible by 11...

Powershell:

720896..100000 | ForEach-Object { [uint]$value = $_ if (($value % 11) -eq 0) { Write-Output $value } } | Get-Random -Count 8

LOL. My whole point is to NOT use random numbers. I use a scheme that uses numbers that have meaning to me. If I were just going to use random numbers then I would have no need to change the key in the first place unless my only goal was to make the key on all systems the same.

hsehestedt · Nov 22, 2024

Ghot said:
I read somewhere, that standard computers can't "really" generate random numbers.
Supposedly, you need a quantum computer for true random number generation.

This isn't where I initially read this, but it's an example...

MIT School of Engineering | » Can a computer generate a truly random number?

engineering.mit.edu

More...

Tutorial: Create a Quantum Random Number Generator - Azure Quantum

Build a Q# project that demonstrates fundamental quantum concepts like superposition by creating a quantum random number generator.

learn.microsoft.com

Just in case anyone is planning to store Swiss bank account numbers on a Bitlocked disk.

That is true. You can only get "pseudorandom numbers". If you want real random numbers, this is how to do it:

Lavarand - Wikipedia

en.wikipedia.org

pseymour · Nov 22, 2024

hsehestedt said:
LOL. My whole point is to NOT use random numbers.

Yes, I can read, thanks. As other people use this site, someone else might want to, for example, generate a set of random numbers, store them in a password manager, and use that for all disks.

hsehestedt · Nov 22, 2024

pseymour said:
Yes, I can read, thanks. As other people use this site, someone else might want to, for example, generate a set of random numbers, store them in a password manager, and use that for all disks.

Got it. Thanks for the clarification.

garlin · Dec 2, 2024

hsehestedt said:
3) Each group of 6 digits must be less than 720896.

That's incorrect, the maximum for a 6-digit number is 720885 (65535 * 11).

ProtectKeyWithNumericalPassword method of the Win32_EncryptableVolume class - Win32 apps

Secures the volume's encryption key with a specially formatted 48-digit password.

learn.microsoft.com

pseymour said:
Eight random six-digit numbers divisible by 11...

Powershell:

720896..100000 | ForEach-Object { [uint]$value = $_ if (($value % 11) -eq 0) { Write-Output $value } } | Get-Random -Count 8

Aren't you weakening security by limiting yourself to a non-repeating pool of numbers, which can also span individually from 0 to 720885?

Code:

(1..8 |% { ((Get-Random -Maximum 65536) * 11).ToString('000000') }) -join '-'

071566-304865-167200-086988-424776-099363-241296-266266

pseymour · Dec 2, 2024

garlin said:
That's incorrect, the maximum for a 6-digit number is 720885 (65535 * 11).

ProtectKeyWithNumericalPassword method of the Win32_EncryptableVolume class - Win32 apps

Secures the volume's encryption key with a specially formatted 48-digit password.

learn.microsoft.com

Aren't you weakening security by limiting yourself to a non-repeating pool of numbers, which can also span individually from 0 to 720885?

Code:

(1..8 |% { ((Get-Random -Maximum 65536) * 11).ToString('000000') }) -join '-' 071566-304865-167200-086988-424776-099363-241296-266266

This whole thread is about weakening security. It was just some sample PowerShell code. Calm down; I won’t do it again.

garlin · Dec 2, 2024

Normally I'm not pedantic when it comes to scripting, but...

Just wanted other folks to know you can use more randomness, when creating a BitLocker numerical password.

cereberus · Dec 2, 2024

Seriously?

None of my data on my hard drives is so confidential that I have to worry about somebody with skills to break bitlocker generated passwords by brute force, and degree of randomness.

If my laptop gets stolen, it would be far easier to break my Windows password by orders of magnitude, and once that is broken, Bitlocker is pretty useless you set up laptop to require a password every time you log in rather than auto unlock.

Worrying about randomness of a bitlocker password is almost as bad as laying awake as wondering if there is such a thing as a DOG.

hsehestedt · Dec 2, 2024

garlin said:
That's incorrect, the maximum for a 6-digit number is 720885 (65535 * 11).

LOL. I see what you are saying, but I am 100% correct. 720896 is one multiple of 11 higher, in other words 65536 * 11. I had said that it must be less than that value, so one step less is 720885 as you noted. We are saying the same thing, only differently.

The value must be less than 720896
The value must be less than or equal to 720885

Both of the above statements are saying the same thing. Bottom line is that I was NOT incorrect, I merely expressed it differently than did you.

Manage BitLocker From Command Line, Manually Set Key to Same on All Systems

Well-known member

My Computers

Windows developer and admіn

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Windows developer and admіn

My Computers

Well-known member

My Computers

Well-known member

My Computer

Windows developer and admіn

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Similar threads