Repair-bde

Applies To: Windows 7, Windows Server 2008 R2

Accesses encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer for Active Directory to obtain this key package from AD DS.

The following limitations exist for the Repair-bde command-line tool:

  • Repair-bde cannot repair a drive that failed during the encryption or decryption process.

  • Repair-bde assumes that if the drive has any encryption, then the drive has been fully encrypted.

  • The Windows 7 installation of Repair-bde is unable to perform repairs involving key packages obtained from Windows Vista, although the Windows 7 installation of Repair-bde is able to repair drives provisioned with BitLocker in Windows Vista.

For examples of how this command can be used, see Examples.

Syntax

repair-bde <InputVolume> <OutputVolumeorImage> [-rk] [–rp] [–kp] [–lf] [-f] [{-?|/?}]

Parameters

Parameter Description

<InputVolume>

Identifies the drive letter of the BitLocker-encrypted drive that you want to repair. The drive letter must include a colon; for example: C:.

<OutputVolumeorImage>

Identifies the drive on which to store the content of the repaired drive. All information on the output drive will be overwritten.

-rk

Identifies the location of the recovery key that should be used to decrypt the drive. This command may also be specified as -recoverykey.

-rp

Identifies the recovery password that should be used to decrypt the drive. This command may also be specified as -recoverypassword.

-kp

Identifies the recovery key package that can be used to decrypt the drive. This command may also be specified as -keypackage.

-lf

Specifies the path to the file that will store Repair-bde error, warning, and information messages. This command may also be specified as -logfile.

-f

Forces a volume to be dismounted even if it cannot be locked. This command may also be specified as -force.

-? or /?

Displays Help at the command prompt.

Remarks

When using the repair-bde command, you must be able to specify either a recovery key or a recovery password that can decrypt the drive. For more information, see Scenario 16: Using the BitLocker Repair Tool to Recover a Drive.

If the path to a key package is not specified, repair-bde will search the drive for a key package. However, if the hard drive has been damaged, repair-bde may not be able to find the package and will prompt you to provide the path.

Examples

The following example attempts to repair drive C and write the content from drive C to drive D by using the recovery key file (RecoveryKey.bek) stored on drive F and writes the results of this attempt to the log file (log.txt) on drive Z.

repair-bde C: D: -rk F:\RecoveryKey.bek –lf Z:\log.txt

The following example attempts to repair drive C and write the content on drive C to drive D by using the 48-digit recovery password specified. The recovery password should be typed in eight blocks of six digits with a hyphen separating each block.

repair-bde C: D: -rp 111111-222222-333333-444444-555555-666666-777777-888888

The following example forces drive C to be dismounted and then attempts to repair drive C and write the content on drive C to drive D by using the recovery key package and recovery key file (RecoveryKey.bek) stored on drive F.

repair-bde C: D: -kp F:\RecoveryKeyPackage -rk F:\RecoveryKey.bek -f

Additional references