Microsoft KB Archive/933637


Article ID: 933637

Article Last Modified on 5/3/2007



APPLIES TO

  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
  • Windows Vista Enterprise
  • Windows Vista Ultimate



SUMMARY

The release of Windows Vista Ultimate and Windows Vista Enterprise editions allows for disk level encryption of the system drive by using Control Panel. The system drive is also known as the "OS volume." The functionality present in Windows Vista does not explicitly block encryption of additional volumes. However, you should understand that encryption of volumes other than the OS volume is untested. Therefore, encryption of volumes other than the OS volume is unsupported in Windows Vista.

Important When you encrypt any volume by using BitLocker, you must consider the safe and secure storage of the Recovery Password and of the Recovery Key for that volume. Encryption of non-OS volumes is completed at your own risk. Changes to this support policy are a consideration for future releases. Before any operating system upgrade, disable the autounlock feature or decrypt the data volume, because the autounlock keys will be encrypted after the upgrade.

This article describes how to use the Manage-bde.wsf script to encrypt data volumes in Windows Vista. This script lets you do the following:


  • Determine which volumes can be encrypted.
  • Encrypt a volume.
  • View the progress of an encryption.
  • Lock an encrypted volume.
  • Manually unlock an encrypted volume.
  • Automatically unlock an encrypted volume.
  • Decrypt an encrypted volume.
  • View Help for the Manage-bde.wsf script.


INTRODUCTION

This article describes how to use the Manage-bde.wsf script to encrypt data volumes.

When you encrypt a volume, we recommend that you store the Recovery Password and the Recovery Key in a safe location. Before you apply a service pack to the operating system, you must disable the autounlock option, or you must decrypt the data volume. The autounlock keys will be encrypted after the upgrade.

MORE INFORMATION

How to determine which volumes can be encrypted

To determine which volumes can be encrypted, log on as an administrator, and then type the following command at a command prompt:

cscript manage-bde.wsf -status


When you run this command, all the volumes that can be encrypted are listed in the output. For example, the following output shows that only volume D and volume R can be encrypted.

Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume D: [TestVol]
[Data Volume]

    Size:                 10.51 GB
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Automatic Unlock:     Disabled
    Key Protectors:
        External Key
        Numerical Password
        External Key

Volume R: [New Volume]
[Data Volume]

    Size:                 21 GB
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Automatic Unlock:     Disabled
    Key Protectors:       None Found
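As an added example (not part of this article or of Microsoft's tooling), the following Python parses -status output in the format shown above into per-volume records and flags the conditions this article warns about: volumes whose protection is off, volumes without a Numerical Password (recovery password) protector, and volumes with autounlock enabled, which must be disabled or decrypted before an operating system upgrade. The embedded sample is constructed from the output above, abridged, with autounlock switched on for D: to exercise that check.

```python
# Added example, not Microsoft's code: parse manage-bde.wsf -status output and
# flag the conditions this article warns about. Sample is constructed/abridged
# from the article's output; D: has autounlock enabled to exercise that check.
SAMPLE_STATUS = """\
Volume D: [TestVol]
[Data Volume]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
    Automatic Unlock:     Enabled
    Key Protectors:
        External Key
        Numerical Password

Volume R: [New Volume]
    Conversion Status:    Fully Decrypted
    Protection Status:    Protection Off
    Automatic Unlock:     Disabled
    Key Protectors:       None Found
"""


def parse_status(text):
    """Map each drive letter to its fields; 'Key Protectors' becomes a list."""
    volumes, cur = {}, None
    for line in text.splitlines():
        if line.startswith("Volume ") and line[8:9] == ":":
            cur = volumes.setdefault(line[7], {"Key Protectors": []})
        elif cur is not None and line.startswith("        "):
            cur["Key Protectors"].append(line.strip())  # one protector per line
        elif cur is not None and line.startswith("    "):
            key, _, value = line.strip().partition(":")
            value = value.strip()
            if key != "Key Protectors":
                cur[key] = value
            elif value and value != "None Found":
                cur["Key Protectors"].append(value)
    return volumes


def findings(volumes):
    """Checks drawn from the article: protection on, a Numerical Password
    (recovery password) protector present, autounlock off before an OS upgrade."""
    out = []
    for drive, v in sorted(volumes.items()):
        if v.get("Protection Status") != "Protection On":
            out.append(f"{drive}: not protected ({v.get('Conversion Status')})")
        elif "Numerical Password" not in v["Key Protectors"]:
            out.append(f"{drive}: no recovery password protector")
        if v.get("Automatic Unlock") == "Enabled":
            out.append(f"{drive}: autounlock enabled; disable it or decrypt before an OS upgrade")
    return out
```

Feed it the real output of `cscript manage-bde.wsf -status` (the unindented WSH banner and [Data Volume] labels are skipped by the parser) to get a per-volume checklist before applying a service pack.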

How to encrypt a volume

To encrypt a volume and to automatically generate a Recovery Password and a Recovery Key, follow these steps:

  1. Click Start, type cmd in the Start Search box, right-click Command Prompt, and then click Run as administrator.

    If you are prompted for an administrator password or for confirmation, type the password, or click Allow.
  2. At the command prompt, type the following command, and then press ENTER:

    cscript %systemroot%\system32\manage-bde.wsf -on Volume: -rp -rk PathtoExternalKeyDirectory:\

    For example, to encrypt volume D and to store the Recovery Key on drive J, type the following command at the command prompt, and then press ENTER:

    cscript %systemroot%\system32\manage-bde.wsf -on D: -rp -rk J:\

    The script output will resemble the following.

    Microsoft (R) Windows Script Host Version 5.7
    Copyright (C) Microsoft Corporation. All rights reserved.
    
    Volume D:
    [Data Volume]
    Key Protectors Added:
    
        Recovery Key:
          ID: {EF6C7E8C-2F06-4E61-90EA-60F31DF5D04D}
          External Key File Name:
            EF6C7E8C-2F06-4E61-90EA-60F31DF5D04D.BEK
    
        Saved to directory j:\
    
        Numerical Password:
          ID: {F8BA6EED-29D2-405D-801B-4F28E5C4DE4F}
          Password:
            413831-618057-226688-220286-028061-227051-099847-594869
    
    ACTIONS REQUIRED:
    
        1. Save this numerical Recovery Password in a secure location away from
        your computer:
    
        413831-618057-226688-220286-028061-227051-099847-594869
    
        To prevent data loss, save this password immediately. This password helps
        ensure that you can unlock the encrypted volume.
    
    Encryption is now in progress.

Note After you turn on the encryption for a volume, you must follow the steps that are listed in the "ACTIONS REQUIRED" section of the script output. If the Recovery Key is damaged or missing, you can also unlock the volume by using the numeric Recovery Password in the output. For more information, see the "How to manually unlock an encrypted volume" section.

How to view the progress of an encryption

To view the progress of an encryption, run the FVENotify utility at the command prompt during the encryption process. To locate the path of the FVENotify utility, type FVENotify in the Start Search box.

How to lock an encrypted volume

After you encrypt a volume, it remains unlocked. To lock the volume, use one of the following methods:

  • Restart your computer.
  • At a command prompt, type the following command:

    cscript Manage-bde.wsf -lock Volume:

Note If there is an open file or an open directory on the encrypted volume, you receive the following error message when you try to lock the volume:

An error occurred while locking the volume. (code 0x80070005) Permission denied

To close all open handles on the volume before it is locked, add the -ForceDismount parameter to the Manage-bde.wsf -lock command.

After an encrypted volume is locked, its file system is reported as RAW, and you cannot access the data on the volume until it is unlocked.

How to manually unlock an encrypted volume

To unlock an encrypted volume, type the following command at a command prompt, and then press ENTER:

cscript %systemroot%\system32\manage-bde.wsf -unlock Volume: -rk PathToExternalKeyFile:\External Key File Name


For example, if you want to unlock volume D and if you have stored the Recovery Key on the drive J, type the following command at the command prompt, and then press ENTER:

cscript %systemroot%\system32\manage-bde.wsf -unlock D: -rk J:\External Key File Name


Note The external key file name is listed in the script output.

If the Recovery Key is damaged or missing, you can still unlock the volume. To do this, type the following command at the command prompt:

cscript %systemroot%\system32\manage-bde.wsf -unlock Volume: -rp Numeric Recovery Password


Note The numeric Recovery Password is listed in the script output.

How to automatically unlock an encrypted volume

You will have no access to an encrypted volume after you restart the computer. However, you can access the encrypted volume if you enable the autounlock option for the volume. After you enable this option, the encrypted volume is automatically unlocked when Windows Vista mounts the volume during startup.

You can enable the autounlock option for an encrypted volume if the following conditions are true:

  • The encrypted volume is unlocked when you enable the autounlock option. If the volume is locked, unlock the volume, enable the autounlock option, and then lock the volume again.
  • The operating system volume is encrypted. If you have not encrypted the operating system volume, you receive the following error message when you enable the autounlock option for an encrypted volume:

    An error occurred while enabling the volume for auto-unlocking. (code 0x80310020)

To enable the autounlock option for an encrypted volume, type the following command at a command prompt:

cscript.exe %windir%\system32\manage-bde.wsf -autounlock -enable Volume:


For example, if you want to automatically unlock volume D during Windows Vista startup, type the following command at the command prompt, and then press ENTER:

cscript.exe %windir%\system32\manage-bde.wsf -autounlock -enable D:


How to decrypt an encrypted volume

To decrypt an encrypted volume, use one of the following methods.

Method 1

At a command prompt, type the following command:

cscript.exe %windir%\system32\manage-bde.wsf -off Volume:


Method 2

  1. In Control Panel, click Security.
  2. Click BitLocker Drive Encryption.
  3. Click Turn off BitLocker for the desired volume.
  4. Click Decrypt the volume.

How to view Help for the Manage-bde.wsf script

To view quick Help for this script, type the following command:

cscript.exe %windir%\system32\manage-bde.wsf -autounlock -?


To view more detailed Help for this script, type the following command:

cscript.exe %windir%\system32\manage-bde.wsf -autounlock -h


REFERENCES

For more information about how to encrypt a volume in Windows Vista, visit the following Microsoft Web sites:

Secure Hardware Overview


Windows BitLocker Drive Encryption Step-by-Step Guide


Keywords: kbexpertiseadvanced kbscript kbhowto KB933637