External HDD BitLocker Key ID changed for no apparent reason (?)

-1

Backstory

My company gave me a brand new Lenovo laptop. The previous one had a TPM and BitLocker enabled, so the IT guy extracted the SSD, handed it to me with a SATA to USB adapter and gave me the 48-digit recovery key. He then proceeded to show me how to copy my data over to the new laptop, entering the 48-digit key and browsing to C:\Users\username. I copied the Desktop folder over to see if it worked but then decided to do the rest of the copy procedure later, as the files were pretty big and I needed to use the laptop in the meantime.

Back home I entered the very same key again, but it would tell me the key didn't match the disk: decryption wouldn't work. I contacted the IT team saying BitLocker wouldn't let me recover my data and they said it was due to the "Key-ID" having changed; the day after they sent me a new key-ID (which was, in fact, shown in the recovery key prompt) with a new recovery key, so I was able to successfully restore my data.

Once I was done, I also wanted to completely decrypt the BitLocker disk and make an image of it, then securely erase the disk.

The problem

Now, since managing BitLocker is - rightly - blocked due to corporate policy on the laptop, though this also impacts external disks, I decided to connect the drive to my private Windows 10 desktop PC, which immediately recognized the disk but showed a different key ID: I hadn't changed it. I tried to enter my recovery key regardless, but no dice: the ID was different, and so was the required key. My desktop also has a TPM, but it's never been used with BitLocker, nor have I ever used BL on it in any way or form. What's strange is that even after reconnecting the drive to the laptop again, the key ID remained the same as on my desktop.

I know both the original key ID and the key to it.

I also have both user access to the laptop which changed the key ID to its own (or so I guess?) and administrative access to the PC which changed the key ID to the one I don't have a key for.

How can I find a way to decrypt the disk? Or is it lost forever? And why did this happen?

TL;DR

I inserted a BitLocker-encrypted disk I had a recovery key for into my non-BitLocker desktop, and it changed the Key ID rendering the drive unreadable.
windows-10 encryption data-recovery bitlocker disk-encryption
asked Jan 28 at 20:11
Manchineel

285112




285112













  • This is a security mechanic of BitLocker. You will have to get a recovery key, associated with the new ID, in order to accomplish what you want. Your knowledge of the original key ID is not helpful in a case like this.

    – Ramhound
    Jan 28 at 22:44
  • @Ramhound I am the owner of my desktop PC and have never set up any BitLocker encryption on it, so how can it have a recovery key associated with it? I didn't manually re-encrypt the drive.

    – Manchineel
    Jan 28 at 22:50
  • The drive was encrypted with BitLocker; it has a recovery key if it has an identification code, managed by your IT department. The ID changes are a security feature of BitLocker, to avoid malicious users connecting your drive to their machine. Without the recovery code what you want is impossible. Your machine having a TPM isn't the cause here.

    – Ramhound
    Jan 28 at 22:52
  • @Ramhound The corporate IT team has zero access to my own desktop PC. Maybe my post wasn't worded perfectly, but what I did was connect the hard drive (that previously worked with the AD laptop) to my private desktop PC, and as soon as I did, my own private PC changed the key ID. You're telling me ANY Windows 10 computer automatically annihilates any foreign BitLocker disk it meets? This doesn't make much sense to me. The key wasn't changed by the company: a hard disk cannot connect to the internet and update key IDs or stuff.

    – Manchineel
    Jan 28 at 23:04
  • You said when you first connected the drive it was ID A, when you connected it the second time it was ID B, and when you connected it a third time it was ID C. The drive was originally managed by a domain. By design the recovery key is managed by the domain, which is how IT was able to give you the recovery key the second time. You will have to hook it back up to the domain, get the recovery key, and turn off BitLocker at that point to accomplish what you want. Without the recovery key you will be unable to turn off BitLocker. More than willing to submit an answer indicating this.

    – Ramhound
    Jan 28 at 23:09
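As an added check (example code, not from the question or the comments): before concluding that a key is useless, list every key protector the volume actually carries and see whether the 8-character ID printed on the recovery key you hold still belongs to one of them. It assumes the drive mounts at E: and uses placeholders for the known key ID and the 48-digit recovery password; run it from an elevated PowerShell.

```powershell
# Added example, not the question author's or the commenter's code.
# Assumptions: drive letter E: (placeholder), elevated PowerShell, and the
# placeholder values below replaced with the ID/key from your own key file.
$MountPoint       = "E:"
$KnownKeyId       = "XXXXXXXX"                                                  # placeholder
$RecoveryPassword = "000000-000000-000000-000000-000000-000000-000000-000000"   # placeholder

# Get-BitLockerVolume works on a locked data volume; the protector list is
# read from the volume metadata, not from the machine it is plugged into.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"Volume {0}: lock={1}, protection={2}, method={3}" -f `
    $vol.MountPoint, $vol.LockStatus, $vol.ProtectionStatus, $vol.EncryptionMethod

# The "Key ID" in the recovery prompt is the first block of a RecoveryPassword
# protector's GUID. A volume can carry several protectors (each with its own
# GUID), so compare your ID against all of them, not just the one the prompt
# happened to display.
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) { Write-Warning "No RecoveryPassword protector on $MountPoint"; return }

$match = $null
foreach ($p in $recovery) {
    $id8  = ($p.KeyProtectorId.Trim('{}') -split '-')[0].ToUpper()
    $flag = if ($id8 -eq $KnownKeyId.ToUpper()) { '<-- matches the key you hold' } else { '' }
    "  protector {0}  (prompt shows {1}) {2}" -f $p.KeyProtectorId, $id8, $flag
    if ($flag) { $match = $p }
}

if ($match) {
    # The key you hold belongs to a protector still on the volume: unlock with it.
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword | Out-Null
    "Unlocked $MountPoint with protector $($match.KeyProtectorId)"
    # The question's end goal, removing BitLocker from the drive, is then:
    #   Disable-BitLocker -MountPoint $MountPoint   # decrypts in the background
} else {
    "None of the $($recovery.Count) recovery protector(s) matches $KnownKeyId."
    "The 48-digit key for one of the IDs listed above has to come from wherever the"
    "volume's recovery information is escrowed (for a domain-managed drive, your IT team)."
}
```

The same protector list can be cross-checked from a command prompt with `manage-bde -protectors -get E:`; if the ID you hold is not in that list, no amount of retyping the key will help.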