Where is my bitlocker .BEK file?
According to documentation, this command would create the recovery key in what was the current working directory of the F: drive at the time you ran that command.
There is a difference between F:\ and F: : the former refers to the root directory of the F: drive, the latter refers to the current working directory of the F: drive in your current command prompt session.
Since the days of MS-DOS, the DOS/Windows command prompt has remembered one working directory per drive. So, if before running the manage-bde -on command, you had been doing something on the F: drive and had issued a command like:
F:\> cd some\directory\deep\in\the\hierarchy
then using just F: without the backslash would still refer to F:\some\directory\deep\in\the\hierarchy, even if you had switched to a different drive after that. And if you really used just F: without the backslash in the command to enable BitLocker for drive G:, that's where the recovery key file would have been created.
So, the external key file would have to be on the F: drive, but not necessarily in the root directory of that drive. Or if your F: is a removable drive, the key file would be on the drive that was F: at the time you ran the command to enable BitLocker on G:.
If you have already searched your entire F: drive for *.BEK files and found nothing, it's possible that you have accidentally deleted the recovery key file. If so, then you should create a new recovery key file right now, before you do anything else.
If anything bad happens to your system disk, this single action might be worth all the data you currently have on your G: drive, since without a usable recovery key, the data will be as good as gone if the system disk fails.
manage-bde -protectors -add G: -recoverykey X:\some\directory\you\will\definitely\remember\from\now\
Choose a path for the recovery key directory that will be appropriate to your environment.
Once you have verified that the new recovery key has been successfully created, and have backed up the recovery key file securely, it is time to invalidate the old recovery key file:
manage-bde -protectors -delete G: -id {1F82A2C4-9408-4422-92A0-ECA7D278D18B}
Explanation: like several other disk encryption solutions, Bitlocker has a master key that is actually used to encrypt the data on a drive. Changing the master key is a slow and difficult operation as it requires decrypting and re-encrypting the whole drive. So, the user is never allowed to access this master key directly.
Instead, the encrypted drive holds the master key in an encrypted form (or optionally several copies of it in several encrypted forms). Each method to unlock the encryption acts as a key to decrypt just one particular encrypted copy of the master key, which in turn allows using the master key to unlock the disk encryption.
If your system has a TPM, your encrypted disk can be unlocked automatically for you since one copy of the encrypted master key is stored so that only the individual TPM chip in your system can provide the decryption key for it.
Each recovery key file actually holds a secondary key that can decrypt its assigned copy of the master key on the encrypted disk. This allows you to create multiple recovery key files - and also to invalidate any one of them with only the recovery key ID being known, without having to change the actual master key, by just destroying the corresponding copy of the master key on the encrypted drive.
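The search-then-rotate procedure the answer describes (find any existing .BEK files, add a fresh external-key protector, verify the file landed, and only then delete the old protector by its ID), as an added PowerShell example. This is not code from the answer or from Microsoft; it uses the BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector) rather than manage-bde so the protector list can be inspected as objects. Assumptions: the encrypted volume is G: and currently unlocked, the old protector ID is the one quoted in the answer, X:\BitLockerKeys is a hypothetical directory you control, and the session is elevated.

```powershell
# Added example, not part of the original answer. Rotates a BitLocker external-key
# protector: locate existing .BEK files, add a new protector, verify its file exists,
# then remove the old protector. Requires an elevated session and the BitLocker module.
# Assumed values (hypothetical): volume G:, old protector ID from the answer, X:\BitLockerKeys.
$Volume   = 'G:'
$OldKeyId = '{1F82A2C4-9408-4422-92A0-ECA7D278D18B}'
$KeyDir   = 'X:\BitLockerKeys'

# 1. Look for .BEK files on every file-system drive. They are normally created with the
#    hidden and system attributes, so a plain dir or Get-ChildItem without -Force misses them.
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    Get-ChildItem -Path $_.Root -Filter '*.BEK' -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

# 2. Record the protectors currently on the volume. Each entry corresponds to one
#    encrypted copy of the volume master key; ExternalKey entries are what a .BEK unlocks.
$before = Get-BitLockerVolume -MountPoint $Volume
$before.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

# 3. Add a new external-key protector; the .BEK file is written into $KeyDir.
New-Item -ItemType Directory -Path $KeyDir -Force | Out-Null
$null = Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryKeyPath $KeyDir -RecoveryKeyProtector

# Identify the protector that was just added by diffing the ID lists.
$after   = Get-BitLockerVolume -MountPoint $Volume
$newProt = $after.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'ExternalKey' -and
    ($before.KeyProtector.KeyProtectorId -notcontains $_.KeyProtectorId)
}
if (-not $newProt) {
    throw 'No new ExternalKey protector was added; aborting before deleting anything.'
}

# 4. Verify the key file is really on disk before touching the old protector. The file is
#    named after the protector ID (brace handling is normalised here on both sides).
$newId = $newProt.KeyProtectorId.Trim('{}')
$bek   = Get-ChildItem -Path $KeyDir -Filter '*.BEK' -Force |
    Where-Object { $_.BaseName.Trim('{}') -eq $newId }
if (-not $bek) {
    throw "No .BEK file for protector $newId found in $KeyDir; the old protector is left in place."
}
Write-Host "New recovery key file: $($bek.FullName) -- back it up to a safe location now."

# 5. Only now invalidate the old (possibly lost) protector. This destroys just that one
#    encrypted copy of the master key; the data and the other protectors are untouched.
Remove-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $OldKeyId | Out-Null

# 6. Confirm the volume still has protectors after the removal.
(Get-BitLockerVolume -MountPoint $Volume).KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId -AutoSize
```

The order matters: the script refuses to remove the old protector unless the new one is both listed by Get-BitLockerVolume and present as a file, because a volume whose last usable protector has been deleted is exactly the situation the answer warns about.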