Solved Avoiding BitLocker


Again, this is all part of what should be routine testing.

Indeed. An untested backup strategy is no backup at all. If not for NDAs, I could tell some stories.
 

Life would also be easier if I didn't bother with locking my house or vehicle doors. It would be easier if I didn't have to follow laws and regulations. It would be easier if I didn't have to pay taxes. There are a lot of things that would be "easier" but the easy is often the fool's way to avoid a situation. I will not compromise by leaving my data unprotected. I have my entire life on my computer - credit card and bank info, images of all my important documents, all my software and digital assets are on my computer. Basically, my whole life :-).

Don't even try to bring up potential vulnerabilities. Even a locked car or home can be broken into, but I'm not going to make it easier for a thief by simply opening the door for them. Likewise, I will protect my data as best as I am able to.

If you do your research and approach BitLocker with a little bit of knowledge you can use it safely and easily. As I noted I have been using it for well over a decade on every single machine that I own and have NEVER had even the slightest inkling of a problem with it.

So, yes, life might be easier without BitLocker, but don't confuse easy with smart or prudent.
Well said. I too have used BitLocker for well over a decade on all my computers and on all my backup SSDs.
 

All my important "documents" that my kids will need when I pass away amount to 8MB so I only encrypt a single 50MB container. Some stuff is still in paper originals. Most of it is just instructions of where things are.

What they really need, I don't have . . . a death certificate
For the same reason I make complete image backups of my entire system, I encrypt that entire system. That way I know that I get everything.
 

All my important "documents" that my kids will need when I pass away amount to 8MB so I only encrypt a single 50MB container.

You are lucky!

I have gone round and round trying to figure out the best way to manage things. It's just that I have so many different and varied things that I want to protect. For example, I have every piece of software that I own both purchased and unpurchased. For every software product I have a readme that includes details like licensing, logon info, purchase details, etc. I used to have all of this in one master document, but I found it way easier to have that info right with the product itself. But that means a few dozen different readme files that I need to protect.

Then I have all my financial info, correspondence (including e-mail) with persons and companies, and much more. I do have an extremely efficient organizational structure to all my data, but my system requires documents in many different places in my directory structure that need to be protected. So, with my system at least, it's just so much easier to encrypt the whole drive.

I have given a lot of thought to alternative methods of protecting my data, but my method works for me. I can find anything, no matter how old or obscure in mere seconds with my methods so I hate to upset the whole apple cart at this point.

But I realize that I am in the minority. Most people simply have no need (or desire) to go to some of the extremes I do. But you have to understand where I get this from. I did Technical Support for MANY years and saw some frightening things during that time. I saw a major bank lose millions of dollars because their backup scheme was not properly tested. I saw a customer's life in disarray after a stolen laptop was compromised and personal data retrieved. So, maybe I'm a little more paranoid about protecting my data than some may be.
 

Life would also be easier if I didn't bother with locking my house or vehicle doors.
Totally different and no basis for comparison whatsoever. Your above personal items are of paramount importance and expense, and require a commensurate level of security

On the other hand, home/personal users of Bitlocker, more than often, are simply using it because
- Windows/Microsoft turned it on, or prompted for it to be used
- it's trendy to be able to claim an inconsequential collection of files is protected because the user has Bitlocker turned on
- a misguided belief that files are protected from change or deletion if Bitlocker is activated, albeit not turned on
- and in cases where valuable data does need protecting, that data probably shouldn't be stored on devices anyway (e.g. financial access)

The greatest problem with Bitlocker is the mis-use and/or lack of understanding how it should be used, and when/where it should be used ... and if it's really necessary at all!!! Bitlocker in the hands of the inappropriate user is the stuff for which these forums exist (if BitLocker and OneDrive weren't used, and Microsoft dropped its Heinz57 policy for o/Outlook, half forums like these wouldn't be required)
 
@idgat You just nailed it. The vast majority of PC users are totally clueless what they're doing.
 

Totally different and no basis for comparison whatsoever. Your above personal items are of paramount importance and expense, and require a commensurate level of security

True. What works for one person doesn't work for another. We're all different with different priorities.

On the other hand, home/personal users of Bitlocker, more than often, are simply using it because
- Windows/Microsoft turned it on, or prompted for it to be used
- it's trendy to be able to claim an inconsequential collection of files is protected because the user has Bitlocker turned on
- a misguided belief that files are protected from change or deletion if Bitlocker is activated, albeit not turned on
- and in cases where valuable data does need protecting, that data probably shouldn't be stored on devices anyway (e.g. financial access)

Yup, that's just it. I've heard too many horror stories about lost keys, or having a brand new machine suddenly brick up on you without ever giving you a key in the first place.

I don't speak from ignorance. I know fully well what Bitlocker does. My data (and I'm only speaking about my data) is better off without it, imo...

The greatest problem with Bitlocker is the mis-use and/or lack of understanding how it should be used, and when/where it should be used ... and if it's really necessary at all!!! Bitlocker in the hands of the inappropriate user is the stuff for which these forums exist (if BitLocker and OneDrive weren't used, and Microsoft dropped its Heinz57 policy for o/Outlook, half forums like these wouldn't be required)

Yeah well like Co-Pilot, Recall, etc... it all should be optional, in the first place. If people out there aren't getting it then as far as I'm concerned, it's defective by design by Microsoft. I fully blame them for it and not making people aware of the consequences of using it.
 

Use iDefender to always stay safe and feel at ease.

 

VeraCrypt
VeraCrypt only got some marginal popularity as it was available on Home whereas BitLocker needed Pro. However, most modern Home devices now support Device Encryption, which is a cut-down version of BitLocker, and there is less justification for using it.

Frankly I do not trust a 3rd party app. How can one be certain that when Windows is changed, VeraCrypt will not fall over?

I have never heard of bitlocker failing (except user error/knowledge! related issues).

Bitlocker is used by just about every major corporation in the world. It is robust and reliable.
 

Frankly I do not trust a 3rd party app. How can one be certain that when Windows is changed, VeraCrypt will not fall over?
It's not dependent on the operating system. You can run it from a USB so it should always work even if Windows crashes so just keep copies of the encrypted data on more than one drive . . . plus it works in Linux and macOS. I read it generally does not support full system drive encryption on Linux but I don't see the point of encrypting an entire system unless you're doing top secret stuff ;)

AI says . . . BitLocker can fail, usually resulting in a locked system that requires a 48-digit recovery key to regain access. Common causes for failure include BIOS/UEFI updates, hardware changes, TPM malfunctions, or improper shutdowns. Without the recovery key or backup, data may be permanently inaccessible.

So it's just like everything else, failures happen and hopefully there's a backup plan and never lose the key.

My mantra is keep it simple, if you're smart and can rebuild your system it won't matter what you use, if you don't know anything about your computer that's a different problem . . . most people have no clue about how to keep data secure. They don't even know how to do their taxes or how to avoid malicious emails and even the biggest corporations get hacked including the IRS because PEOPLE work there and that's the weak link

I guess BitLocker To Go is as good as VeraCrypt, I've just never looked at it to see if I like it as I've used either TrueCrypt or VeraCrypt for so long. PGP was just too complicated but it was around forever it seems. There are more options I've never looked at as well like AxCrypt(?)

The best one is the one you're using and are comfortable with
 
If and when you ever cause a secure boot error your old Bitlocker key becomes invalid and a new one is generated. If you have a Microsoft logon ID and online account you can access the new key there. I've caused that error twice restoring from a USB.
 

If and when you ever cause a secure boot error your old Bitlocker key becomes invalid and a new one is generated

This is factually incorrect. The BitLocker key does not simply change. Imagine if you will an even more serious case with complete failure of your MB or CPU and you had to take your drive to a completely different system. Would BitLocker keys change? No. Likewise, no matter what you do with or to Secure Boot, the BitLocker key will NOT change.

EDIT: Just to stress this even further - BitLocker keys will NEVER change on their own unless YOU change it by decrypting / re-encrypting the drive or some other explicit action on your part.
 

All I can say is that you didn't properly create your boot disk then. What you need is the manage-bde BitLocker command line utility. Easy!


Very true BUT you can always open a command prompt and run the manage-bde command line utility (assuming that manage-bde was copied to your recovery media).

I have been using BitLocker for well over a decade and I will sometimes purposely break a system to make sure that all my recovery procedures (including recovering a BitLocker drive) work.
How can the manage-bde command line utility be copied to the recovery media? Doesn't the Windows Recovery Drive already do it on its own?

Also if we are backing up only User data and not the system image then how does it work?
 

How can the manage-bde command line utility be copied to the recovery media? Doesn't the Windows Recovery Drive already do it on its own?

Also if we are backing up only User data and not the system image then how does it work?

There are a number of ways to do this, but the easiest way is to simply boot from a Windows installation disk. At the first static screen where Windows Setup pauses to start gathering information from you, press SHIFT + F10 to open a command prompt. That's it! You can now run the manage-bde command from there.

As far as backing up only user data and not creating a system image, I'm not sure that I understand what you are asking. Once you unlock a BitLocker drive, you can do whatever you want with that drive including creating a disk image or accessing any data on that drive including for the purpose of backing up that data.

If I have misunderstood your concern, please do let me know.
 

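The command-prompt steps described in the reply above, written out as an added example that is not part of the original post. It assumes the locked volume appears as D: in the setup environment and uses an all-zero placeholder where the 48-digit recovery password goes; the script name is hypothetical.

```bat
@echo off
rem Added example: unlock a BitLocker volume from the Shift+F10 prompt
rem of Windows Setup, then confirm it is readable.
rem Usage (hypothetical script name):
rem   unlock-bde.cmd D: 000000-000000-000000-000000-000000-000000-000000-000000
rem Assumptions: you supply the drive letter and the recovery password;
rem the default password below is an all-zero placeholder, not a real key.
setlocal
set "VOL=%~1"
set "RP=%~2"
if "%VOL%"=="" set "VOL=D:"
if "%RP%"=="" set "RP=000000-000000-000000-000000-000000-000000-000000-000000"

rem 1. Show every volume and its lock state. Drive letters in the setup
rem    environment often differ from the installed system, so confirm
rem    that VOL is the volume you expect before going further.
manage-bde -status

rem 2. List the recovery-password protector on the locked volume. Its ID
rem    starts with the 8 hex digits shown as "Key ID" next to each saved
rem    recovery key (Microsoft account page or printout). Use the saved
rem    key whose ID matches what this command reports.
manage-bde -protectors -get %VOL% -Type RecoveryPassword

rem 3. Unlock with the matching 48-digit recovery password.
manage-bde -unlock %VOL% -RecoveryPassword %RP%
if not "%errorlevel%"=="0" (
    echo Unlock failed: check the drive letter and that the key ID matches.
    exit /b 1
)

rem 4. Confirm "Lock Status: Unlocked" before imaging the disk or
rem    copying user data off it.
manage-bde -status %VOL%
endlocal
```

Comparing the protector ID from step 2 with the ID stored beside each saved key is also how to tell which of several saved recovery keys belongs to the volume in front of you.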
So I assumed that the OP had taken an image of the entire disk and put it in an external drive. He had not copied individually or via a batch script files under C:\Users into the encrypted BitLocker external drive.
 

ASUS-STR
IX-G615
C9D04FDA
598246-116600-398860-407583-235642-518276-095821-643467
OSV
1/3/2026 1:20:11 PM

ASUS-ROG-STRIX
F1A9FCE8
528044-308440-405086-582978-037103-104038-058487-475783
OSV
2/16/2026 2:12:35 PM

Original key and new recovery key generated when I caused an error by booting from a USB with Minitool Shadowmaker backup and recovery software.
Note: Neither key is valid now because I have removed Bitlocker on my laptop and 2 Intel Nucs.
 

Original key and new recovery key generated when I caused an error by booting from a USB with Minitool Shadowmaker backup and recovery software.

If that is indeed the only thing that was done, then that Shadowmaker program changed the key on you. Windows will NEVER just change it on its own.
 

Uh oh ...... ??

Which "the company"???

The company is iDrive.

I’ve never had to install a backup from iDrive. But a few weeks ago I decided since I didn’t have an emergency and so could take my time. But I got frustrated with the problems, even with their engineers helping me. I never did get the backup installed. I became so frustrated that I deleted the backup, erased the iDrive software, and cancelled my account. I wouldn’t use iDrive again if I was paid.
 

It's not dependent on the operating system. You can run it from a USB so it should always work even if Windows crashes, so just keep copies of the encrypted data on more than one drive . . . plus it works in Linux and macOS. I read it generally does not support full system drive encryption on Linux but I don't see the point of encrypting an entire system unless you're doing top secret stuff ;)

AI says . . . BitLocker can fail, usually resulting in a locked system that requires a 48-digit recovery key to regain access. Common causes for failure include BIOS/UEFI updates, hardware changes, TPM malfunctions, or improper shutdowns. Without the recovery key or backup, data may be permanently inaccessible.

So it's just like everything else, failures happen and hopefully there's a backup plan and never lose the key.

My mantra is keep it simple, if you're smart and can rebuild your system it won't matter what you use, if you don't know anything about your computer that's a different problem . . . most people have no clue about how to keep data secure. They don't even know how to do their taxes or how to avoid malicious emails and even the biggest corporations get hacked including the IRS because PEOPLE work there and that's the weak link.

I guess BitLocker To Go is as good as VeraCrypt, I've just never looked at it to see if I like it as I've used either TrueCrypt or VeraCrypt for so long. PGP was just too complicated but it was around forever it seems. There are more options I've never looked at as well like AxCrypt(?)

The best one is the one you're using and are comfortable with
Well, anybody using any encryption scheme should back up the encryption keys of course.

I back up BitLocker keys to OneDrive, MS account, and an often forgotten media called paper.

Once I recovered a locked system for a relative who never used MS accounts or OneDrive but had remarkably printed the key as a precaution lol.

I still maintain I trust BitLocker as it is used literally tens or even hundreds of millions of times every day by just about every major corporation in the world.
 

I use BitLocker religiously and wouldn't have it any other way!

All my PCs and USB drives are BitLocker-encrypted; the only exception is a thumb drive that is exclusively used to transfer files to/from other people.

When I encrypt a volume, I save the keys to my MS Account, but I find that interface to be a mess--to say the least! 😒 Regardless, I keep my own organized copies of keys locally on my USB, on my NAS, and in the cloud.

I use Macrium as well and, yes, when it comes to restores, I boot into the Macrium environment, open the command prompt, then use manage-bde to unlock my backup drive. More often than not, I'm going to do a BitLocker-level restore (i.e., restore my system with BitLocker intact and unchanged), so I also use manage-bde to unlock my system volumes and then I do the restore.

Even before I switched to Macrium and in the very early days of Macrium, I would use the functionality to add my custom features (i.e., BitLocker) to the boot/rescue environment. To this very day, whenever there is a Macrium update--regardless of how insignificant it may be--I rebuild all my boot disks and I validate that each and every one of them can boot and unlock my system and backup drives. Painstaking, yes, but I have peace of mind.

And the security is not just about theft: On a number of occasions, I've had to return my laptops that were under warranty for a replacement, but the laptops were bricked and would not power on; therefore, I was unable to wipe them before shipping them back to the manufacturer. But, hey, they were BitLocker-encrypted, so peace of mind! 😊
 

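The thread describes a recovery key being replaced after booting from rescue media, and several posters keep their own copies of keys. The following is an added example, not code from any poster: it checks whether the recovery-password protectors currently on each volume match the key IDs you have on record, printing only the short eight-character ID (the form quoted earlier in the thread, e.g. F1A9FCE8) and never the recovery password itself. The inventory CSV, its path and its column names are assumptions.

```powershell
#requires -RunAsAdministrator
# Added example. Compares the recovery-password protector IDs present on each
# BitLocker volume with an inventory of key IDs you have backed up yourself.
param(
    # Assumption: a CSV you maintain, with columns MountPoint,KeyProtectorId
    # (MountPoint as reported by Get-BitLockerVolume, e.g. "C:").
    [string]$InventoryPath = "$env:USERPROFILE\Documents\bitlocker-key-inventory.csv"
)

# Strip braces and normalise case so "{abc...}" and "ABC..." compare equal.
function Get-NormalizedId([string]$Id) { ($Id -replace '[{}]', '').ToUpperInvariant() }
function Get-ShortId([string]$Id) { $Id.Substring(0, [Math]::Min(8, $Id.Length)) }

$inventory = @()
if (Test-Path -LiteralPath $InventoryPath) {
    $inventory = @(Import-Csv -LiteralPath $InventoryPath)
}

$report = foreach ($vol in Get-BitLockerVolume) {
    # IDs of the recovery-password protectors on the volume right now.
    $current = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { Get-NormalizedId $_.KeyProtectorId })
    # IDs recorded for this volume in the inventory.
    $saved = @($inventory |
        Where-Object { $_.MountPoint -eq $vol.MountPoint } |
        ForEach-Object { Get-NormalizedId $_.KeyProtectorId })

    if ($current.Count -eq 0) {
        [pscustomobject]@{ Volume = $vol.MountPoint; ShortId = '-'; Status = 'No recovery password protector' }
    }
    foreach ($id in $current) {
        $status = if ($saved -contains $id) { 'Backed up' } else { 'NOT in inventory: back it up' }
        [pscustomobject]@{ Volume = $vol.MountPoint; ShortId = (Get-ShortId $id); Status = $status }
    }
    # Inventory entries whose protector is gone: that saved key no longer unlocks the volume.
    foreach ($id in $saved | Where-Object { $current -notcontains $_ }) {
        [pscustomobject]@{ Volume = $vol.MountPoint; ShortId = (Get-ShortId $id); Status = 'Stale: protector no longer on volume' }
    }
}

$report | Format-Table -AutoSize
```

Run it after anything that can change protectors (a restore, a boot from rescue media, turning BitLocker off and on again) so a replaced key shows up before you need it.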
