Microsoft KB Archive/933637

= How to encrypt data volumes in Windows Vista =

Article ID: 933637

Article Last Modified on 5/3/2007

-

APPLIES TO


 * Windows Vista Enterprise 64-bit Edition
 * Windows Vista Ultimate 64-bit Edition
 * Windows Vista Enterprise
 * Windows Vista Ultimate

-



SUMMARY
The release of Windows Vista Ultimate and Windows Vista Enterprise editions allows for disk level encryption of the system drive by using Control Panel. The system drive is also known as the "OS volume." The functionality present in Windows Vista does not explicitly block encryption of additional volumes. However, you should understand that encryption of volumes other than the OS volume is untested. Therefore, encryption of volumes other than the OS volume is unsupported in Windows Vista.

Important When you encrypt any volume by using BitLocker, you must consider the safe and secure storage of the Recovery Password and of the Recovery Key for that volume. Encryption of non-OS volumes is completed at your own risk. Changes to this support policy are a consideration for future releases. Realize that you should disable the autounlock feature, or you should decrypt the data volume, before any operating system upgrade. This is because the autounlock keys will be encrypted after the upgrade.

This article describes how to use the Manage-bde.wsf script to encrypt data volumes in Windows Vista. This script lets you do the following:


 * Determine which volumes can be encrypted.
 * Encrypt a volume.
 * View the progress of an encryption.
 * Lock an encrypted volume.
 * Manually unlock an encrypted volume.
 * Automatically unlock an encrypted volume.
 * Decrypt an encrypted volume.
 * View Help for the Manage-bde.wsf script.



INTRODUCTION
This article describes how to use the Manage-bde.wsf script to encrypt data volumes.

When you encrypt a volume, we recommend that you store the Recovery Password and the Recovery Key in a safe location. Before you apply a service pack to the operating system, you must disable the autounlock option, or you must decrypt the data volume. The autounlock keys will be encrypted after the upgrade.



How to determine which volumes can be encrypted
To determine which volumes can be encrypted, log on as an administrator, and then type the following command at a command prompt:

cscript manage-bde.wsf -status

When you run this command, all the volumes that can be encrypted are listed in the output. For example, the following output shows that only volume D and volume R can be encrypted.

Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume D: [TestVol]
[Data Volume]

    Size:                 10.51 GB
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Automatic Unlock:     Disabled
    Key Protectors:
        External Key
        Numerical Password
        External Key

Volume R: [New Volume]
[Data Volume]

    Size:                 21 GB
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Automatic Unlock:     Disabled
    Key Protectors:       None Found
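When the status output has to be checked on more than one computer, or the autounlock warning from the Summary has to be enforced before a service pack is applied, it is easier to parse the saved output than to read it by hand. The following is an added example and is not part of the Microsoft article or of the Manage-bde.wsf script: a Python parser for saved -status output that returns one record per encryptable volume, lists the volumes whose protection is off, and lists the volumes that still have autounlock enabled. The sample output is constructed from the article's own listing, with Automatic Unlock on volume D changed to Enabled so that the pre-upgrade check has something to report; the function names are the example's own.

```python
import re
from typing import Dict, List

# Constructed sample input: the two-volume status output shown in this
# article, with its line breaks restored. Volume D's "Automatic Unlock"
# is set to Enabled here (the article shows Disabled) so the pre-upgrade
# check below has something to flag.
SAMPLE_STATUS = """\
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume D: [TestVol]
[Data Volume]

    Size:                 10.51 GB
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Automatic Unlock:     Enabled
    Key Protectors:
        External Key
        Numerical Password
        External Key

Volume R: [New Volume]
[Data Volume]

    Size:                 21 GB
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Automatic Unlock:     Disabled
    Key Protectors:       None Found
"""

VOLUME_RE = re.compile(r"^Volume ([A-Z]): \[(.*)\]$")   # "Volume D: [TestVol]"
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")        # "Lock Status:  Unlocked"


def parse_status(text: str) -> Dict[str, Dict[str, object]]:
    """Turn manage-bde.wsf -status output into {drive_letter: fields}."""
    volumes: Dict[str, Dict[str, object]] = {}
    current = None
    in_protectors = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_protectors = False
            continue
        m = VOLUME_RE.match(line)
        if m:
            current = {"label": m.group(2), "key_protectors": []}
            volumes[m.group(1)] = current
            in_protectors = False
            continue
        if current is None:            # banner lines before the first volume
            continue
        if line.startswith("[") and line.endswith("]"):
            current["type"] = line[1:-1]   # "[Data Volume]"
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if key == "Key Protectors":
                # Protectors are either "None Found" on the same line or
                # one indented name per following line.
                in_protectors = True
                if value and value != "None Found":
                    current["key_protectors"].append(value)
            else:
                in_protectors = False
                current[key] = value
        elif in_protectors:
            current["key_protectors"].append(line)
    return volumes


def unprotected_volumes(volumes: Dict[str, Dict[str, object]]) -> List[str]:
    """Encryptable volumes whose BitLocker protection is not on."""
    return sorted(v for v, f in volumes.items()
                  if f.get("Protection Status") != "Protection On")


def upgrade_blockers(volumes: Dict[str, Dict[str, object]]) -> List[str]:
    """Volumes with autounlock enabled: disable it or decrypt them before
    an operating system upgrade, as the article's Important note says."""
    return sorted(v for v, f in volumes.items()
                  if f.get("Automatic Unlock") == "Enabled")


if __name__ == "__main__":
    vols = parse_status(SAMPLE_STATUS)
    for letter, f in vols.items():
        print(f"{letter}: {f['label']} {f.get('Protection Status')} "
              f"protectors={f['key_protectors']}")
    print("protection off:", unprotected_volumes(vols))
    print("disable autounlock before upgrade:", upgrade_blockers(vols))
```

The parser keys on the "Volume X: [label]" header and on "Name: value" lines, so it does not depend on the column alignment of the output; the only stateful part is the Key Protectors block, whose entries are bare indented names.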

How to encrypt a volume
To encrypt a volume and to automatically generate a Recovery Password and a Recovery Key, follow these steps:

 * 1) Click Start, type cmd in the Start Search box, right-click Command Prompt, and then click Run as administrator. If you are prompted for an administrator password or for confirmation, type the password, or click Allow.
 * 2) At the command prompt, type the following command, and then press ENTER:

cscript %systemroot%\system32\manage-bde.wsf -on <volume>: -rp -rk <drive>:\

For example, to encrypt volume D and to store the Recovery Key on drive J, type the following command at the command prompt, and then press ENTER:

cscript %systemroot%\system32\manage-bde.wsf -on D: -rp -rk J:\

The script output will resemble the following.

Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Volume D: [Data Volume]
Key Protectors Added:

    Recovery Key:
      ID: {EF6C7E8C-2F06-4E61-90EA-60F31DF5D04D}
      External Key File Name:
        EF6C7E8C-2F06-4E61-90EA-60F31DF5D04D.BEK
      Saved to directory j:\

    Numerical Password:
      ID: {F8BA6EED-29D2-405D-801B-4F28E5C4DE4F}
      Password:
        413831-618057-226688-220286-028061-227051-099847-594869

ACTIONS REQUIRED:

    1. Save this numerical Recovery Password in a secure location
    away from your computer:

    413831-618057-226688-220286-028061-227051-099847-594869

    To prevent data loss, save this password immediately. This
    password helps ensure that you can unlock the encrypted volume.

Encryption is now in progress.

Note After you turn on the encryption for a volume, you must follow the steps that are listed in the "ACTIONS REQUIRED" section of the script output. If the Recovery Key is damaged or missing, you can also unlock the volume by using the numeric Recovery Password in the output. For more information, see the "How to manually unlock an encrypted volume" section.
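The "ACTIONS REQUIRED" block is the only place where the Recovery Password and the external key file name are shown, so an operator who redirects the script output to a file needs to pull both key protectors out of it and confirm that the .BEK file was really written to the recovery drive before the password is filed away. The following is an added example and is not part of the Microsoft article or of the Manage-bde.wsf script: a Python parser for the -on output above that extracts the Recovery Key ID, the .BEK file name and directory, the Numerical Password ID and the password itself, checks the password's format (each 6-digit group of a BitLocker numerical password is a multiple of 11 and at most 720885, that is 65535 times 11, because each group encodes a 16-bit value, so a mistyped digit is detected), and checks that the .BEK file exists. The sample output, the temporary directory that stands in for drive J, and the function names are constructed for the example.

```python
import os
import re
import tempfile
from typing import Dict, Optional

# Constructed sample input: the "-on D: -rp -rk J:\" output from this
# article with its line breaks restored. The IDs and the password are the
# article's own sample values, not real key material.
SAMPLE_ON_OUTPUT = """\
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Volume D: [Data Volume]
Key Protectors Added:

    Recovery Key:
      ID: {EF6C7E8C-2F06-4E61-90EA-60F31DF5D04D}
      External Key File Name:
        EF6C7E8C-2F06-4E61-90EA-60F31DF5D04D.BEK
      Saved to directory j:\\

    Numerical Password:
      ID: {F8BA6EED-29D2-405D-801B-4F28E5C4DE4F}
      Password:
        413831-618057-226688-220286-028061-227051-099847-594869

ACTIONS REQUIRED:

    1. Save this numerical Recovery Password in a secure location
    away from your computer:

    413831-618057-226688-220286-028061-227051-099847-594869

Encryption is now in progress.
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
RECOVERY_KEY_RE = re.compile(
    r"Recovery Key:\s*ID:\s*(" + GUID + r")\s*External Key File Name:\s*"
    r"(\S+\.BEK)\s*Saved to directory\s*(\S+)", re.S)
PASSWORD_RE = re.compile(
    r"Numerical Password:\s*ID:\s*(" + GUID + r")\s*Password:\s*"
    r"(\d{6}(?:-\d{6}){7})", re.S)
VOLUME_RE = re.compile(r"^Volume ([A-Z]):", re.M)


def parse_on_output(text: str) -> Dict[str, str]:
    """Extract the key protectors that manage-bde.wsf -on reports."""
    vol = VOLUME_RE.search(text)
    rk = RECOVERY_KEY_RE.search(text)
    rp = PASSWORD_RE.search(text)
    if not (vol and rk and rp):
        raise ValueError("output does not contain both key protectors")
    return {
        "volume": vol.group(1),
        "recovery_key_id": rk.group(1),
        "bek_file": rk.group(2),
        "bek_dir": rk.group(3),
        "password_id": rp.group(1),
        "recovery_password": rp.group(2),
    }


def valid_recovery_password(pw: str) -> bool:
    """Format check for a BitLocker numerical password: eight 6-digit
    groups, each a multiple of 11 whose quotient fits in 16 bits."""
    groups = pw.split("-")
    if len(groups) != 8 or not all(len(g) == 6 and g.isdigit() for g in groups):
        return False
    return all(int(g) % 11 == 0 and int(g) // 11 <= 0xFFFF for g in groups)


def bek_present(directory: str, bek_file: str) -> bool:
    """True if the external key file was actually written to the recovery drive."""
    return os.path.isfile(os.path.join(directory, bek_file))


def escrow_record(text: str, bek_dir_override: Optional[str] = None) -> Dict[str, object]:
    """Parsed protectors plus the two checks to make before filing the password."""
    rec: Dict[str, object] = dict(parse_on_output(text))
    rec["password_format_ok"] = valid_recovery_password(str(rec["recovery_password"]))
    rec["bek_present"] = bek_present(bek_dir_override or str(rec["bek_dir"]),
                                     str(rec["bek_file"]))
    return rec


def demo() -> Dict[str, object]:
    """Stand-in for the J:\\ recovery drive: a temp directory holding the .BEK."""
    with tempfile.TemporaryDirectory() as d:
        rec = parse_on_output(SAMPLE_ON_OUTPUT)
        open(os.path.join(d, rec["bek_file"]), "wb").close()   # empty placeholder file
        return escrow_record(SAMPLE_ON_OUTPUT, bek_dir_override=d)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On a real system the directory check is run against the drive named in "Saved to directory" rather than the temporary directory used here, and the record is what goes into the escrow store, never the machine's own disk.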

How to view the progress of an encryption
To view the progress of an encryption, run the FVENotify utility at the command prompt during the encryption process. To locate the path of the FVENotify utility, type FVENotify in the Start Search box.

How to lock an encrypted volume
After you encrypt a volume, it remains unlocked. To lock the volume, use one of the following methods:

 * Restart your computer.
 * At a command prompt, type the following command:

cscript Manage-bde.wsf -lock <volume>:



Note If there is an open file or an open directory on the encrypted volume, you receive the following error message when you try to lock the volume:

An error occurred while locking the volume. (code 0x80070005) Permission denied

To close all open handles before you run the Manage-bde.wsf script, use the -ForceDismount parameter together with the Manage-bde.wsf script.

After an encrypted volume is locked, the encrypted volume has a file system label of RAW. You have no access to the encrypted volume.

How to manually unlock an encrypted volume
To unlock an encrypted volume, type the following command at a command prompt, and then press ENTER:

cscript %systemroot%\system32\manage-bde.wsf -unlock <volume>: -rk <path>\

For example, if you want to unlock volume D and if you have stored the Recovery Key on the drive J, type the following command at the command prompt, and then press ENTER:

cscript %systemroot%\system32\manage-bde.wsf -unlock D: -rk J:\

Note The external key file name is listed in the script output.

If the Recovery Key is damaged or missing, you can still unlock the volume. To do this, type the following command at the command prompt:

cscript %systemroot%\system32\manage-bde.wsf -unlock <volume>: -rp <RecoveryPassword>

Note The numeric Recovery Password is listed in the script output.

How to automatically unlock an encrypted volume
You will have no access to an encrypted volume after you restart the computer. However, you can access the encrypted volume if you enable the autounlock option for the volume. After you enable this option, the encrypted volume is automatically unlocked when Windows Vista mounts the volume during startup.

You can enable the autounlock option for an encrypted volume if the following conditions are true:

 * The encrypted volume is unlocked when you enable the autounlock option. If the volume is locked, unlock the volume, enable the autounlock option, and then lock the volume again.
 * The operating system volume is encrypted. If you have not encrypted the operating system volume, you receive the following error message when you enable the autounlock option for an encrypted volume:

An error occurred while enabling the volume for auto-unlocking. (code 0x80310020)

To enable the autounlock option for an encrypted volume, type the following command at the command prompt:

cscript.exe %windir%\system32\manage-bde.wsf -autounlock -enable <volume>:

For example, if you want to automatically unlock volume D during Windows Vista startup, type the following command at the command prompt, and then press ENTER:

cscript.exe %windir%\system32\manage-bde.wsf -autounlock -enable D:

How to decrypt an encrypted volume
To decrypt an encrypted volume, use one of the following methods.

Method 1
At a command prompt, type the following command:

cscript.exe %windir%\system32\manage-bde.wsf -off <volume>:

Method 2

 * 1) In Control Panel, click Security.
 * 2) Click BitLocker Drive Encryption.
 * 3) Click Turn off BitLocker for the desired volume.
 * 4) Click Decrypt the volume.

How to view Help for the Manage-bde.wsf script
To view quick Help for this script, type the following command:

cscript.exe %windir%\system32\manage-bde.wsf -autounlock -?

To view more detailed Help for this script, type the following command:

cscript.exe %windir%\system32\manage-bde.wsf -autounlock -h
