Enable Bitlocker auto-unlock without system drive encryption
Does anyone know of any trick - registry change, group policy etc. which will allow a Bitlocker volume to be auto-unlocked without having a bitlocker encrypted system drive?
My system drive is a Samsung 850 Pro SSD, so it obviously has built-in encryption, which I enable by using a bios drive password.
I'm not using Bitlocker on the system drive, because with my bios I can't configure it to use the native hardware encryption, so it'd be wasting resources encrypting with the CPU.
I have a second mechanical hard drive, which I've encrypted with Bitlocker and I'd like to be able to auto-unlock it.
At the moment I've figured out a hack to do it, by running a task at system boot, that uses the bitlocker command line utility to manually unlock the drive. However this seems a very clunky way to do it.
I understand the reasoning behind this restriction, because they don't want to store decryption keys on an unencrypted drive, however in my case it doesn't really apply, as the system drive is fully encrypted, just not with Bitlocker.
I'm just wondering if there is some way to override this check, and force it to allow auto-unlock?
Solution 1:
Assumptions:
- Your task enters the password, so it is saved in the Windows Task scheduler.
- You do not like entering the Data drive password after very boot.
This workaround might not be less clunky, but maybe a bit less insecure.
Indeed, Windows will not allow you to enable auto-unlock on a fixed drive when the system partition is not encrypted (with bitlocker).
However, I used a workaround. I saved a recoverykey (a external key file) with the manage-bde command to a USB flash drive. Now whenever I want to unlock the drive, instead of typing in the password, I click on the text-button below it and it automatically checks existing USB devices and unlocks. So clicking instead of typing.
In your situation, because C is encrypted in another way while my C was not, I would temporary create the key on a (bitlocker encrypted) USB flash drive. This file is *.bek is a system hidden file type dir /A:S to see; copy this to a dir C:\User\{Accountname}\AutoUnlockKeys\{keyfileid}.bek. I would deny rights to this folder as much as possible.
Then update your task to
manage-bde -unlock D: -RecoveryKey "C:\pathtofile\key.bek"
Where C: is an encrypted system drive using something else than Bitlocker.
Normally the auto-unlock key is saved in the registry. The benefit of -RecoveryKey task in comparison to the -Password unlock task is that your weakest link is not the password mentioned in clear text in the Windows Task manager, but, the weakest link is the Windows' access rights applied to the folder/*.bek key file.