I have a Server Core 2012 machine with two BitLocker-encrypted disks. When I encrypted those disks the server still had the full GUI, but after converting it to Core there is obviously no GUI to double-click a drive and be prompted for a password, so I need to use the command-line tools.
There seem to be two ways.
First are the BitLocker command-line tools. manage-bde looks like the most useful command here. With it you can see the status of all the drives on the machine, lock and unlock drives, enable or disable auto-unlock, and turn BitLocker encryption on or off for a drive.
Typing manage-bde on its own in the command prompt lists all the options. Each option has further switches, which you can discover by typing manage-bde <option-name> -?.
To view the status of all drives on the machine:
    C:\> manage-bde -status
To unlock an encrypted drive (here with drive letter D:) so the system can use it:
    C:\> manage-bde -unlock D: -pw
I use passwords, hence the -pw switch. If you use recovery passwords, recovery key files or certificates, there are switches for those too. manage-bde prompts for the password and unlocks the drive, making the volume accessible at its drive letter.
To set the drive (with drive letter D:) as auto-unlocked:
    C:\> manage-bde -autounlock -enable D:
That's all. From now on the drive will be unlocked automatically whenever it is attached to this system. One caveat: auto-unlock works by storing the data drive's key on the operating system volume, so it can only be enabled when the OS drive is itself BitLocker-protected; on a server whose OS volume is not encrypted the command fails.
The syntax for disabling auto-unlock (-disable in place of -enable) and for locking a drive (-lock) follows the same pattern as the examples above. The thing to remember is that you always specify the manage-bde command, followed by a dash switch saying what you want to do, followed by the drive letter.
There are two other commands: Repair-bde, for recovering data from corrupted BitLocker-encrypted drives, and BdeHdCfg, for preparing a drive for BitLocker encryption (though it no longer seems to be required, as manage-bde includes some of this functionality).
Apart from the BitLocker command-line tools, you can also manage BitLocker via PowerShell. This is only available on Windows 8 / Windows Server 2012 (and later), through the BitLocker module (requires RSAT on Windows 8).
To view the available drives on a system and their BitLocker status do:
    PS> Get-BitLockerVolume
You can also check the status of a specific drive with the same cmdlet by passing it the drive letter with the -MountPoint parameter. The cmdlet returns an object whose VolumeStatus, ProtectionStatus, LockStatus and AutoUnlockEnabled properties are the ones to check in a script.
To unlock a BitLocker drive (with letter D:) do:
    PS> Unlock-BitLocker -MountPoint D: -Password (Read-Host "Enter password" -AsSecureString)
The cmdlet does not prompt for a password; you have to pass it via the -Password parameter. You can't pass the password as plain text either, so it has to be a SecureString. You can build one with ConvertTo-SecureString, or, as above, use Read-Host -AsSecureString and convert the typed text on the fly. Prefer the latter in scripts: ConvertTo-SecureString -AsPlainText -Force requires the password to appear as a literal, which leaves it in the command history and in any transcript.
To set auto-unlock on a drive (with letter D:) do:
    PS> Enable-BitLockerAutoUnlock -MountPoint D:
The matching cmdlets for locking a drive and for disabling auto-unlock are Lock-BitLocker and Disable-BitLockerAutoUnlock.
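The unlock-then-auto-unlock sequence shown twice above (once with manage-bde, once with the cmdlets) is what you would put in a script for a headless Server Core box. The following is an added example, not code from the original post: it uses the BitLocker cmdlets to inspect the volume first, unlock it only if it is actually locked, verify the result instead of trusting the cmdlet, and enable auto-unlock only after confirming the operating system volume is itself protected, which is the precondition the page mentions. It assumes the BitLocker module is installed and that D: is the data volume (the $MountPoint parameter is an assumption you can change).

```powershell
# Added example (not from the original post). Unlock a BitLocker data volume on
# Server Core, verify it, and enable auto-unlock only when that can succeed.
# Assumptions: BitLocker PowerShell module available; D: is the data volume.
param(
    [string]$MountPoint = 'D:'
)

Import-Module BitLocker -ErrorAction Stop

# 1. Inspect the volume before touching it. Get-BitLockerVolume returns an
#    object with VolumeStatus, ProtectionStatus, LockStatus and AutoUnlockEnabled.
$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    throw "$MountPoint is not BitLocker-protected; nothing to unlock."
}

# 2. Unlock only if it is actually locked. The password is read as a
#    SecureString so it never appears in console history or a transcript.
if ($vol.LockStatus -eq 'Locked') {
    $pw = Read-Host "BitLocker password for $MountPoint" -AsSecureString
    Unlock-BitLocker -MountPoint $MountPoint -Password $pw -ErrorAction Stop | Out-Null
}

# 3. Re-read the volume and verify; do not assume the cmdlet succeeded.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.LockStatus -ne 'Unlocked') {
    throw "Unlock of $MountPoint failed (LockStatus = $($vol.LockStatus))."
}
Write-Output "$MountPoint unlocked: $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted"

# 4. Auto-unlock stores the data volume's key on the operating-system volume,
#    so BitLocker only allows it when the OS volume is itself protected.
#    Check that first rather than letting Enable-BitLockerAutoUnlock fail.
$osVol = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
if (-not $osVol -or $osVol.ProtectionStatus -ne 'On') {
    Write-Warning "OS volume is not BitLocker-protected; cannot enable auto-unlock for $MountPoint. Leaving it password-protected."
    return
}

if ($vol.AutoUnlockEnabled) {
    Write-Output "Auto-unlock already enabled for $MountPoint."
} else {
    Enable-BitLockerAutoUnlock -MountPoint $MountPoint -ErrorAction Stop | Out-Null
    Write-Output "Auto-unlock enabled for $MountPoint."
}
```

Run it from an elevated PowerShell prompt on the server (for example .\Unlock-DataVolume.ps1 -MountPoint E: for a different drive). The OS-volume check in step 4 is the part worth keeping even if you strip the rest: enabling auto-unlock on a server whose system drive is unencrypted is exactly the case where the cmdlet errors out, and where you would not want it to succeed anyway, since the data volume's key would then sit on an unprotected disk.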
After writing this post I discovered a TechNet article that goes into more detail on the above command line tools and cmdlets. Go check it out.