Macrium Recovery Media / BitLocker 'Save to USB Flash' (bkf) option is missing


RickyMoose

Hi All,


First time using bitlocker and TPM (forced on me by work :mad:).
I have 2 Questions for you guys.
Macrium = v8.1.8017

Q1: 'Save to USB Flash' (bkf) option is missing


I am having the same problem as described here:


when trying to export the bitlocker key for use in Macrium, there is no option to "Save to a USB flash drive"
The only options are save to text file, Azure or print.

I also read the information at:


but there seems no way to export the file into a format that Macrium can use.

Is there a way to export this via PowerShell or some way to enable it in Windows 11?
OR is there another format that can be used by Macrium?

I also just spun up a new vm of W11 PRO 23h2 as a test and even in the vm the "save to USB" option is missing so is this no longer an option for Macrium?
If that is the case then why is auto unlock still an option in RMBuilder?





Q2: Mounting a bitlocker image

Even without the "auto unlock" working from Q1, I went ahead and did a backup anyway using the recovery media and all worked as expected. However, my question relates to when I try to map the image via the image browser. There does not seem to be a way to look at my data in the image since I have never been prompted for the BitLocker Recovery key. I get an error message: Drive XX is not formatted.




Is this not an option when you are dealing with encrypted drive images and wanting to mount the image on a 2nd computer to browse for a few files to restore - is a full disk restore the only option here to get at the files?



Thanks
 
Windows Build/Version
w11 PRO 23h2

First, when creating your Macrium Reflect recovery media, note that the advanced options have an option to save your BitLocker recovery key to the rescue media so that Macrium can automatically unlock your drive. It can also preserve BitLocker when restoring an image if you select this option. Just be sure to save the recovery disk to a safe place because the BitLocker key can easily be retrieved from the recovery disk if it is stolen.



As for saving the key from your local system, I'm not sure why you can't save it to a USB Flash Drive (UFD), but here is an easy workaround:

1) When saving the key, choose the option to print the key.
2) Use the "Microsoft Print to PDF" printer.

This will allow you to save the PDF anywhere, including your local desktop, a thumbdrive, etc. I mention your local desktop because BitLocker won't let you save the key there normally unless you print the key. The thinking is that saving the key to the very drive that you plan to encrypt is worthless since you won't be able to get to the desktop if you cannot unlock the drive.

Again, just make sure to save the key someplace safe that you can get to if needed.

TIP: I have a label on the underside of my laptop with an encrypted version of my key. This way it is always accessible to me but doesn't help anyone else who sees it.

Example: Suppose that I have a part of my key of 12345. In my head I have a code to encrypt this and that code is 56789. I add the numbers, like this:

12345
56789
=====
68024

So, 68024 is the number I put on the label. I can easily reverse the process in my head by subtracting like this:

68024
56789
=====
12345

NOTE: When adding numbers, if the result is 10 or higher, simply drop the first digit. When subtracting, after 0, wrap back to 9, 8, 7, etc.

I wrote a small program for myself that automates all of this and creates a text document that saves this information. If interested, let me know and I'll provide a copy.
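The add-and-drop-the-carry scheme from the tip above, written out as an added example (this is not the poster's program, which is not shown on the page). It assumes the code repeats across the digits when the key is longer than the code; the 48-digit key and 8-digit code in demo() are constructed sample values.

```python
import re
from string import digits

# Shape of a BitLocker recovery password as it appears on the page's
# "Scrambled Key" lines: eight groups of six digits joined by hyphens.
RECOVERY_SHAPE = re.compile(r"[0-9]{6}(?:-[0-9]{6}){7}")


def _shift(text: str, code: str, sign: int) -> str:
    """Add (sign=+1) or subtract (sign=-1) the code digit by digit, mod 10.

    Hyphens are copied through unchanged and do not consume a code digit.
    Assumption: the code is reused from its first digit once it runs out.
    """
    if not code or any(c not in digits for c in code):
        raise ValueError("code must be a non-empty string of digits 0-9")
    out = []
    pos = 0  # index of the next digit of the key, ignoring hyphens
    for ch in text:
        if ch == "-":
            out.append(ch)
            continue
        if ch not in digits:
            raise ValueError(f"unexpected character {ch!r} in key")
        k = int(code[pos % len(code)])
        # "% 10" drops the carry when adding and wraps 0 back to 9 when
        # subtracting, exactly as the NOTE in the post describes.
        out.append(str((int(ch) + sign * k) % 10))
        pos += 1
    return "".join(out)


def scramble(key: str, code: str) -> str:
    """Value to write on the label."""
    return _shift(key, code, +1)


def unscramble(label: str, code: str) -> str:
    """Recover the original key from the label and the memorised code."""
    return _shift(label, code, -1)


def scramble_recovery_password(key: str, code: str) -> str:
    """Scramble a full recovery password, rejecting input of the wrong shape
    so a mistyped key is caught before it is written down."""
    if not RECOVERY_SHAPE.fullmatch(key):
        raise ValueError("expected eight hyphen-separated groups of six digits")
    return scramble(key, code)


def demo() -> dict:
    # Worked numbers from the post: 12345 with code 56789.
    short_label = scramble("12345", "56789")

    # Constructed sample values, not a real recovery password or code.
    sample_key = "000000-000000-000000-000000-000000-000000-000000-000000"
    sample_code = "12345678"
    label = scramble_recovery_password(sample_key, sample_code)

    return {
        "short_label": short_label,
        "short_back": unscramble(short_label, "56789"),
        "label": label,
        "round_trip_ok": unscramble(label, sample_code) == sample_key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```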
Hey @hsehestedt ,

I should mention that the recovery media was built on a different (non-BitLocker) machine and Macrium is not installed on the laptop at this time since it is a corporate machine and I plan to do cold backups until I/T can grant me rights to install it. For now I just wanted to be able to have some sort of a backup, since I'm working remotely and it would be difficult to re-image the box, and I can just restore my own local backups as long as I can get all of this to work reliably, but as I said BitLocker is new to me so I'm having to learn as I go.


First, when creating your Macrium Reflect recovery media, note that the advanced options have an option to save your BitLocker recovery key to the rescue media so that Macrium can automatically unlock your drive.
I think what you are trying to say is that when you create media on a machine that has BitLocker and Macrium already installed, Macrium automatically injects the recovery key onto the recovery media when those options are checked - is that correct?

When I created the media on the second machine I did enable those two because I knew the target machine would be dealing with Bitlocker drives however not having used it before in this context I wasn't sure how bitlocker and Macrium work together and what the happy path for this process looks like.

I've searched YouTube to see if I could find any videos that talk about backups that involve BitLocker with Macrium for a relevant example but came up empty.

Here are the settings I chose when making my backup media on the 2nd (non-bitlocker) machine:



As for exporting the key, I was able to save the text file and the PDF to the USB key with no issues so I had already figured out what you mentioned. For now I have a copy of the file on my cell phone so I have a recovery method that is not on the local machine. However if you've written something that does obfuscation then I wouldn't mind taking a look at it and maybe incorporating it into my workflow so thanks for the offer.

So the only thing I haven't figured out is how to export the key as a bkf per the Macrium kb article.
Since the save to USB doesn't work in a brand new vm I'm guessing that's either something that is deprecated but not updated in the kb article or there is something else you have to do in windows to enable that feature???


Also did you have any advice on trying to mount/read Individual files from the second machine on the Bitlocker Volume? Is that even possible when dealing with bitlocker or do you have to restore the whole drive just to get at a couple of files?



Thanks
 

My BitLocker key is stored in 3 places.
1. My Microsoft Account.
2. My Password Manager in a Secure Note.
3. My OneDrive Personal Vault.
 

Below is a part of my actual saved file with all my keys in scrambled form. Because it is encrypted, I am perfectly safe posting the actual file here. My program also generates a second file that is identical but adds the actual real key. So, this means that the one file I can safely keep tacked to my wall where anyone can see but the other needs to be kept in a safe place.

I use BitLocker a lot (as you can see), so I had to make sure that I had a plan to safely keep all my keys. For some reason, it's simply my preference to have local control of this kind of information.

On my other file, the information is identical but there are two added lines like this (I'm changing the real key and my crypto key for the encryption to all ones):

---------------------------------------------------------------------------
Key saved on 02-28-2024 at 11:54:40
Comment: PyroPlex (MiniPC-AD03) OS Drive
Drive Identifier: 1F74D90C-1169-4DF2-94C6-AB8ADF928B1B
Original Key: 11111-11111-11111-11111-11111-11111-11111-11111
Scrambled Key: 379189-594489-723984-273762-459005-324912-750448-237737
Crypto Key: 11111111
---------------------------------------------------------------------------

I have a separate program that interrogates each machine that is powered on over the network and retrieves the keys for me, but now I need to add that to my other program so that it can automatically save all keys for me.
 

@hsehestedt, do you use BitLocker on your portable backup drives? I like doing that and it's really cool that my BitLocker Samsung portable SSD drives utilize TPM to transparently unlock when attached to my BitLocker main computer. I have two 4TB Samsung T9 SSD drives for my Macrium Image backups protected with BitLocker.
 

Let me try my best to answer your questions. If I have misunderstood anything, please do let me know.

Note that when you use any files on a BitLocker encrypted volume it is automatically decrypted for you on the fly once you have unlocked the volume. It is all transparent to you. The exact same thing happens when you perform a backup using a program like Reflect. Windows decrypts the files or data blocks and then hands the unencrypted data to Reflect which then backs that data up. Because of this, when you restore a drive, it will initially be unencrypted after the restore and you would simply re-encrypt the volume after restoring it. This changes if you save the BitLocker key with Reflect. I don't know all the details regarding this - it would probably be helpful for me to review the Reflect documentation on this topic. I don't know all the details because I never save my BitLocker key to my Reflect media.

Whether your backed up drive used BitLocker or not, you can still always mount your Reflect backup and access individual files or the entire backup.

As far as saving the BitLocker key to your recovery disk when creating the recovery media, I would have to better educate myself on this by reading the related part of the Reflect documentation. I'm not sure how to add the keys for multiple systems to the same Recovery media. If I recall, I think that it simply saves the key as plain text in a file, which is why you need to protect that recovery media. As I noted, I never bother saving my key(s) to my Reflect media.

Let me know if there was anything I didn't address. I may need to do a little research, but I will happily do so when back in front of my primary desktop.

As far as the BKF file goes, I thought that a .BKF was the extension for a Windows backup file so I'm not sure how that relates to this discussion. Could you possibly point me to the Macrium Reflect article that references this?
 




So the link I was referring to is in my original post, it contains the screen shot of the missing option as well:



I get what you are saying as far as when a "normal" Reflect user does a "HOT/Live" backup inside the OS, but in this case I am doing a COLD/Offline backup by booting to the recovery media then backing up over my network. Since this is a corporate/work machine, I am unable to install Reflect so the rescue media is the only method I have open to me at the moment.

So what this means is that I am backing up an encrypted blob of data and not the unencrypted files/partitions. Because of that, any downstream processing that I do later with the backup file means that Reflect needs to be able to decrypt the data whenever you want to recover just a few files as opposed to restoring the entire drive. Also, having not done it yet, I have to wonder how a brand new restore onto bare metal works when you restore an encrypted blob. Is Windows smart enough to tell me that this is an encrypted drive that must have the recovery key entered? This is merely my ignorance with BitLocker so until I try that step I won't know the answer.


Having never tried any of this and just going off of what I read in the KB article, it's my assumption that if you have the BKF file that Reflect will know how to decrypt the drive image either by doing a full restore or as I was trying to do by mounting the image as a temporary drive letter to retrieve a couple of files. This is all just an assumption on my part because I couldn't get that far and I have yet to learn how the process actually works.

Thanks
 

Sounds like you are trying to do things a thief that steals your computer might try to do. Your IT department has apparently done its job. :-)
 
