ProtectKeyWithExternalKey method of the Win32_EncryptableVolume class
The ProtectKeyWithExternalKey method of the Win32_EncryptableVolume class secures the volume's encryption key with a 256-bit external key. This external key can be used to recover from the authentication failures of other key protectors (for example, TPM).
Use the SaveExternalKeyToFile method to save this external key to a file. USB memory devices that contain this external key can be used as a startup key or a recovery key when the computer starts.
A key protector of type "External Key" is created for the volume.
Syntax
uint32 ProtectKeyWithExternalKey(
[in, optional] string FriendlyName,
[in, optional] uint8 ExternalKey[],
[out] string VolumeKeyProtectorID
);
Parameters
FriendlyName [in, optional]
Type: string
A string that specifies a user-assigned identifier for this key protector. If this parameter is not specified, a blank value is used.
ExternalKey [in, optional]
Type: uint8[]
An array of bytes that specifies the 256-bit external key used to unlock the volume.
If no external key is specified, one is randomly generated. Use the GetKeyProtectorExternalKey method to obtain the randomly generated key.
VolumeKeyProtectorID [out]
Type: string
A unique string identifier used to manage an encrypted volume key protector.
If the drive supports hardware encryption and BitLocker has not taken band ownership, the ID string is set to "BitLocker" and the key protector is written to per band metadata.
Return value
Type: uint32
This method returns one of the following codes or another error code if it fails.
Return code/value | Description |
---|---|
 | The method was successful. |
 | The ExternalKey parameter is provided but is not an array of size 4. |
 | The volume is locked. |
 | BitLocker is not enabled on the volume. Add a key protector to enable BitLocker. |
Remarks
Managed Object Format (MOF) files contain the definitions for Windows Management Instrumentation (WMI) classes. MOF files are not installed as part of the Windows SDK. They are installed on the server when you add the associated role by using the Server Manager. For more information about MOF files, see Managed Object Format (MOF).
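The following PowerShell sketch is an added example, not code from the original page. It calls the method through CIM, lets BitLocker generate the key, confirms the new protector's type and key length, and saves the key file. The drive letter, friendly name and destination folder are assumptions, and the session must be elevated.

```powershell
# Added example. $drive, $keyDir and the friendly name are assumed values.
$ErrorActionPreference = 'Stop'
$ns     = 'Root\CIMV2\Security\MicrosoftVolumeEncryption'
$drive  = 'C:'    # assumed: volume to protect
$keyDir = 'E:\'   # assumed: folder on removable media stored apart from the computer

$vol = Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume `
                       -Filter "DriveLetter='$drive'"
if (-not $vol) { throw "No encryptable volume found for $drive" }

# Small helper: invoke a method and fail loudly on any nonzero return code.
function Invoke-Fve([string]$Method, [hashtable]$MethodArgs) {
    $r = Invoke-CimMethod -InputObject $vol -MethodName $Method -Arguments $MethodArgs
    if ($r.ReturnValue -ne 0) {
        throw ('{0} failed with 0x{1:X8}' -f $Method, $r.ReturnValue)
    }
    return $r
}

# ExternalKey is omitted, so a random 256-bit key is generated.
$new = Invoke-Fve 'ProtectKeyWithExternalKey' @{ FriendlyName = 'External key (example)' }
$id  = $new.VolumeKeyProtectorID

# Confirm what was created: protector type 2 is "External Key".
$type = (Invoke-Fve 'GetKeyProtectorType' @{ VolumeKeyProtectorID = $id }).KeyProtectorType
if ($type -ne 2) { throw "Protector $id has unexpected type $type" }

# Read the generated key back only to check its length (256 bits = 32 bytes).
# The key bytes are never printed or logged.
$key = (Invoke-Fve 'GetKeyProtectorExternalKey' @{ VolumeKeyProtectorID = $id }).ExternalKey
if ($key.Count -ne 32) { throw "Expected 32 key bytes, got $($key.Count)" }
$key = $null

# Write the key file; it unlocks the volume, so keep it off the protected
# volume and restrict who can read the destination folder.
Invoke-Fve 'SaveExternalKeyToFile' @{ VolumeKeyProtectorID = $id; Path = $keyDir } | Out-Null

"Created external key protector $id on $drive; key file saved under $keyDir"
```

Anyone who can read the saved key file can unlock the volume, so access to it should be controlled and audited like any other recovery secret.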
Requirements
Requirement | Value |
---|---|
Minimum supported client | Windows Vista Enterprise, Windows Vista Ultimate [desktop apps only] |
Minimum supported server | Windows Server 2008 [desktop apps only] |
Namespace | Root\CIMV2\Security\MicrosoftVolumeEncryption |
MOF | |