I've got a feeling the answer to this is there is no way, but I'll give it a try anyway.
I have an SSD from a company laptop where the SATA controller failed. The SSD is encrypted using BitLocker and, naturally, there is some critical data on the drive and no backup. The recovery key is also missing. The drive is normally opened with a PIN and the TPM in the laptop.
Is there any way to use the TPM from the laptop with the failed controller to open the drive?
I think that without the recovery key, we're out of luck, but if anyone knows a way around this, I'd appreciate the help.
Are you able to get a copy of the encrypted data on the SSD, e.g. an image?
You could try booting the laptop with Windows, and see if the system picks up when mounting the image.
As far as I know, how BDE interacts with the TPM is not publicly known.
But if you could find out, libbde (http//
If it is just the SATA controller that is dead, can you remove the drive from the laptop, place it into an external USB enclosure and boot from USB (on the same machine with the same TPM)?
Needless to say, I have never tried this & have no real idea if it would work.
Is this a standalone implementation of BitLocker, or the enterprise version?
If enterprise and it was set up correctly, the key is in the AD, and you can even make a VHD, and boot it with the key, TPM or not.
It is enterprise, but since we can't find the recovery key in the AD, I assume it's not set up correctly.
For the method you describe, what "key" do we need? Can you provide a link to instructions on how to use this method?
Having no recovery protectors (key or numeric password), there is no cheaper way than to replace the SATA controller.
This is a laptop, so that would have to be a PCMCIA SATA card. I'm not sure if the BIOS could handle booting off that, but it is worth a try. Now, we just have to get the original laptop back from the hardware depot…
The information is in ms-FVE-RecoveryInformation under the machine object. If you have the machine name you can find this object. The RecoveryPassword contains the string that, when a drive or VHD is slaved, is asked for.
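Added example (not part of the thread): a PowerShell lookup of the ms-FVE-RecoveryInformation objects escrowed under one computer object, which is the check an admin would run before concluding the key was never backed up. It assumes the RSAT ActiveDirectory module, read rights on the msFVE-* attributes (normally restricted to a few delegated groups), and `$ComputerName` as a placeholder for the machine name.

```powershell
# Added example: list BitLocker recovery passwords escrowed in AD for one computer.
# Assumes the ActiveDirectory module and delegated read access to msFVE-* attributes.
param(
    [Parameter(Mandatory)] [string] $ComputerName   # placeholder, e.g. 'LAPTOP-0001'
)
Import-Module ActiveDirectory

$computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

# msFVE-RecoveryInformation objects are child objects of the computer object.
# Each one holds a 48-digit recovery password plus the password ID (msFVE-RecoveryGuid)
# that BitLocker displays on the recovery screen, so the right one can be matched up.
$recoveryObjects = Get-ADObject `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated'

if (-not $recoveryObjects) {
    Write-Warning "No recovery information escrowed for '$ComputerName'; AD backup was not in effect for this machine."
    return
}

$recoveryObjects | ForEach-Object {
    [pscustomobject]@{
        Computer           = $ComputerName
        Escrowed           = $_.whenCreated
        # GUIDs are stored as octet strings (byte[]); convert them to the usual text form.
        RecoveryPasswordId = ([guid][byte[]]$_.'msFVE-RecoveryGuid').ToString()
        VolumeId           = ([guid][byte[]]$_.'msFVE-VolumeGuid').ToString()
        RecoveryPassword   = $_.'msFVE-RecoveryPassword'
    }
} | Sort-Object Escrowed -Descending | Format-Table -AutoSize
```

If the machine was renamed or re-imaged, the objects may sit under a different or stale computer object, so searching the domain for the password ID shown on the recovery screen is the fallback.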
That probably won't work. I meant on-board replacement and a prayer to pass the trusted-boot integrity check afterwards.
You could try JTAG or worst case chip off reading…