
I'm trying to encrypt an external drive via PowerShell with BitLocker.

The script I'm posting here will be part of a bigger setup where all disks attached to a PC will be automatically formatted and then have BitLocker enabled on them. I'm trying to set a password for unlocking the volume and export a recovery key in case the worst-case scenario comes to pass...

The code:

# Password protector (placeholder password) for the E: volume
$Pass = 'xxxxx.' | ConvertTo-SecureString -AsPlainText -Force
# Enable-BitLocker takes exactly one protector per call
Enable-BitLocker -MountPoint "E:" -EncryptionMethod Aes256 -UsedSpaceOnly -PasswordProtector -Password $Pass
# Second protector (recovery key file) added in a separate call
Add-BitLockerKeyProtector -MountPoint "E:" -RecoveryKeyPath "D:\keys\" -RecoveryKeyProtector

# Poll until the volume reports FullyEncrypted
do
{
    $Volume = Get-BitLockerVolume -MountPoint E:
    Write-Progress -Activity "Encrypting volume $($Volume.MountPoint)" -Status "Encryption Progress:" -PercentComplete $Volume.EncryptionPercentage
    Start-Sleep -Seconds 1
}
until ($Volume.VolumeStatus -eq 'FullyEncrypted')

Write-Progress -Activity "Encrypting volume $($Volume.MountPoint)" -Status "Encryption Progress:" -Completed

I'm getting an error: "Parameter set cannot be resolved using the specified named parameters."

Isn't it possible to use both the password and the recovery key options when enabling BitLocker?

Thanks in advance

Michael
  • You can only add one protector per call. If you want two protectors, then you should use `Add-BitLockerKeyProtector` before or after `Enable-BitLocker`. Also, you do not need to wait for the `FullyEncrypted` state before calling `Enable-BitLockerAutoUnlock`. – user4003407 Feb 12 '18 at 11:36
  • As you can see (even before my edit), I already wait for the fully encrypted state. – Michael Feb 12 '18 at 12:10
  • And I say you do **not** need that wait. You can call `Add-BitLockerKeyProtector` even before you enable BitLocker on the volume. – user4003407 Feb 12 '18 at 12:13

1 Answer

You cannot use both a password and recovery key when calling Enable-BitLocker.

From TechNet: "You can specify only one of these methods or combinations when you enable encryption, but you can use the Add-BitLockerKeyProtector cmdlet to add other protectors."

So use Add-BitLockerKeyProtector after enabling.

Jelphy
  • Updated the first post with an updated script; I don't get an export of a key, though. – Michael Feb 12 '18 at 12:05
  • @Michael Just add password protection with `Enable-BitLocker`. Then add the recovery key afterwards, using `Add-BitLockerKeyProtector`. You don't need the second call to `Enable-BitLocker`. – Jelphy Feb 12 '18 at 12:12
  • I'm sorry, I don't understand what you mean. I've removed the 2nd `Enable-BitLocker`, but how do I specify the recovery key path then? If I just put them one line after the other, it doesn't work. – Michael Feb 12 '18 at 12:24
  • OK, figured it out, but I still don't get any visible output in the D:\keys folder. – Michael Feb 12 '18 at 12:40
  • *don't get any visible output in the D:\keys folder* @Michael Did you enable showing hidden and system files? – user4003407 Feb 12 '18 at 16:44
  • @PetSerAl I did; the keys are exported as .deb files, which remain invisible even with hidden files set to visible. I changed the setup from keys to a password; a 48-digit recovery password should be safe enough for my purposes. – Michael Feb 14 '18 at 07:22
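Putting the answer and the comments together, here is an added example (not code from the question or the answer) of the two-step pattern: one protector in `Enable-BitLocker`, the second added with `Add-BitLockerKeyProtector`, in this case the 48-digit recovery password Michael settled on, which is then written to a file and locked down with an ACL. The mount point `E:`, the output folder `D:\keys` and the interactive password prompt are assumptions.

```powershell
# Added example: enable BitLocker with a password protector, then add a
# recovery password protector in a second call and export it.
# Assumptions: mount point E:, output folder D:\keys, password read from the console.
$MountPoint = 'E:'
$KeyFolder  = 'D:\keys'
$Pass = Read-Host -Prompt "Unlock password for $MountPoint" -AsSecureString

# Step 1: Enable-BitLocker accepts exactly one protector parameter set per call.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -UsedSpaceOnly `
    -PasswordProtector -Password $Pass

# Step 2: add the second protector separately (the comments note this call
# also works before Enable-BitLocker). The cmdlet returns the volume object.
$Volume = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector

# Step 3: pull the 48-digit recovery password out of the protector list and
# store it somewhere other than the drive being encrypted.
$Recovery = $Volume.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -Last 1
if (-not (Test-Path $KeyFolder)) {
    New-Item -ItemType Directory -Path $KeyFolder | Out-Null
}
$OutFile = Join-Path $KeyFolder ("RecoveryPassword-{0}.txt" -f $Recovery.KeyProtectorId.Trim('{}'))
"Protector ID: $($Recovery.KeyProtectorId)`r`nRecovery password: $($Recovery.RecoveryPassword)" |
    Set-Content -Path $OutFile -Encoding ASCII

# The recovery password unlocks the volume on its own, so restrict the file
# to Administrators and SYSTEM instead of leaving inherited folder permissions.
$Acl = Get-Acl -Path $OutFile
$Acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
foreach ($Id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Id, 'FullControl', 'Allow')
    $Acl.AddAccessRule($Rule)
}
Set-Acl -Path $OutFile -AclObject $Acl

# Step 4: wait for encryption to finish, as in the question's loop.
do {
    $Volume = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Progress -Activity "Encrypting volume $MountPoint" -Status 'Encryption progress:' `
        -PercentComplete $Volume.EncryptionPercentage
    Start-Sleep -Seconds 1
} until ($Volume.VolumeStatus -eq 'FullyEncrypted')
Write-Progress -Activity "Encrypting volume $MountPoint" -Completed
```

Run from an elevated PowerShell session; `Get-BitLockerVolume` afterwards should list both a `Password` and a `RecoveryPassword` protector for the volume.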