Is it possible to re-lock a bitlocker drive?

I'm running a partition with bitlocker on a Windows 7 Ultimate machine, which contains secure data that I have to recover infrequently. Unlocking it to access the data is obviously no problem, but is there a way to re-lock the partition when I'm done? The best I've found so far is this: http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/41607938-7452-440d-8253-67fe8657bc0f

Currently I have a .bat script on that drive that I can run as administrator, and that re-locks the drive, but it feels like kind of a hackish solution. Does anyone have anything better? Any idea when Microsoft might release a fix for this?


Solution 1:

How I solved it:

  1. Click on the Start orb
  2. Enter "cmd" in the search field
  3. Right-click on "cmd" and "Send to" -> "Desktop"
  4. Right-click on "cmd" and then click on "Properties"
  5. In the tab "Shortcut" click on "Advanced / Enhanced"
  6. Check "Run as Admin"
  7. Click "OK" - "Apply" - and "OK"

Optional steps:

  1. Give the shortcut the name "BitLocker"
  2. Right-click on "Properties" and again under "Shortcut" click on "Change Symbol..."
  3. Click on "Search" and at the pull-down "Symboldata" choose "All Data"
  4. Choose a random file, that definitely has no icon (e.g. a picture) and click "Open"
  5. Confirm the error message by clicking "OK" and choose a nice icon
  6. Drag the icon onto the task bar

After that just enter:

manage-bde -lock E:

(E: just stands for a random HDD, choose the right one)

Solution 2:

There is no way to lock a drive using BitLocker GUI tools. The only two supported methods are using manage-bde -lock X: as has been mentioned or using the Win32_EncryptableVolume::Lock method of the BitLocker WMI interface.

What is the threat you're trying to mitigate by re-locking the drive? The drive will lock automatically when the system shuts down, so it's not as though your data is vulnerable forever until you manually re-lock the volume. An attacker would have to somehow grab the decryption key out of memory from the running system to be able to access the data on your encrypted volume.

The moderator of the forum you linked to is incorrect. This is not a "security bug." It is simply a UX decision to only expose an advanced option through command line and WMI interfaces rather than GUI interfaces.

Solution 3:

1) Create a lock.cmd file somewhere and type inside of it:

manage-bde -lock -ForceDismount f:

where f is the drive you want to re-lock.

2) Create a shortcut to lock.cmd, for example on the desktop.

3) Right click on the shortcut > Properties > Advanced > Check Run as administrator.

4) Double click on the shortcut to re-lock your drive.
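The three answers above all end up calling the same thing: either `manage-bde -lock` or the `Win32_EncryptableVolume::Lock` WMI method that Solution 2 names. The script below is an added example, not code posted by anyone in this thread; it does the lock through the WMI method, with the checks a practitioner would want around it: it refuses to run unelevated (the reason every answer needs "Run as administrator"), skips the call if the volume is already locked, passes `ForceDismount` only when asked for, so the `-ForceDismount` behaviour from Solution 3 is opt-in, and verifies the lock state afterwards instead of trusting the return code. The drive letter `E:` and the parameter names are this example's assumptions; change them to match your volume.

```powershell
# Re-lock a BitLocker data volume via the Win32_EncryptableVolume WMI class.
# Added example, not from the original thread. Assumes E: is a BitLocker data
# volume that is currently unlocked; pass -DriveLetter to choose another one.
param(
    [string]$DriveLetter = "E:",
    [switch]$ForceDismount
)

# Locking requires an elevated process. Check up front so the failure is a
# readable message rather than an access-denied error from WMI.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated (Run as administrator) PowerShell."
}

# The BitLocker WMI provider lives in its own namespace, not in root\CIMV2.
$ns  = "root\CIMV2\Security\MicrosoftVolumeEncryption"
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
        -Filter "DriveLetter='$DriveLetter'"
if (-not $vol) {
    throw "No BitLocker-capable volume found for $DriveLetter."
}

# GetLockStatus returns LockStatus 0 = unlocked, 1 = locked.
$status = $vol.GetLockStatus()
if ($status.LockStatus -eq 1) {
    Write-Host "$DriveLetter is already locked."
    return
}

# Lock(ForceDismount): with $false the call fails while any handle is open on
# the volume (an Explorer window, an open document). With $true those handles
# are torn down and unsaved data in them is lost, so close your files first.
$result = $vol.Lock([bool]$ForceDismount)
if ($result.ReturnValue -ne 0) {
    throw ("Lock failed with code 0x{0:X8}; close open files on {1} or retry with -ForceDismount." `
           -f $result.ReturnValue, $DriveLetter)
}

# Re-read the state rather than trusting the return value alone: the volume
# should now require its password/key again, exactly as after a reboot.
if ($vol.GetLockStatus().LockStatus -eq 1) {
    Write-Host "$DriveLetter is locked again."
} else {
    throw "Lock reported success but $DriveLetter still shows as unlocked."
}
```

Save it as, say, `Lock-BitLockerVolume.ps1` and run `.\Lock-BitLockerVolume.ps1 -DriveLetter E: -ForceDismount` from an elevated prompt; the equivalent one-liner with the built-in tool is `manage-bde -lock E: -ForceDismount`. Either way the volume ends up in the same state it has after a shutdown: the encryption key is gone from memory and the next access prompts for the protector again.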