Enable Bitlocker auto-unlock without system drive encryption

Does anyone know of any trick - registry change, group policy etc. - which will allow a BitLocker volume to be auto-unlocked without having a BitLocker-encrypted system drive?

My system drive is a Samsung 850 Pro SSD, so it obviously has built-in encryption, which I enable by using a BIOS drive password.

I'm not using BitLocker on the system drive, because with my BIOS I can't configure it to use the native hardware encryption, so it'd be wasting resources encrypting with the CPU.

I have a second mechanical hard drive, which I've encrypted with BitLocker, and I'd like to be able to auto-unlock it.

At the moment I've figured out a hack to do it, by running a task at system boot that uses the BitLocker command-line utility to manually unlock the drive. However, this seems a very clunky way to do it.

I understand the reasoning behind this restriction, because they don't want to store decryption keys on an unencrypted drive; however, in my case it doesn't really apply, as the system drive is fully encrypted, just not with BitLocker.

I'm just wondering if there is some way to override this check, and force it to allow auto-unlock?


Solution 1:

Assumptions:

  • Your task enters the password, so it is saved in the Windows Task Scheduler.
  • You do not like entering the data drive password after every boot.

This workaround might not be less clunky, but maybe a bit less insecure.

Indeed, Windows will not allow you to enable auto-unlock on a fixed drive when the system partition is not encrypted (with BitLocker).

However, I used a workaround. I saved a recovery key (an external key file) with the manage-bde command to a USB flash drive. Now whenever I want to unlock the drive, instead of typing in the password, I click on the text button below it and it automatically checks existing USB devices and unlocks. So clicking instead of typing.

In your situation, because C: is encrypted in another way while my C: was not, I would temporarily create the key on a (BitLocker-encrypted) USB flash drive. This *.bek file is a hidden system file (type dir /A:S to see it); copy it to a dir C:\User\{Accountname}\AutoUnlockKeys\{keyfileid}.bek. I would deny rights to this folder as much as possible.

Then update your task to

manage-bde -unlock D: -RecoveryKey "C:\pathtofile\key.bek"

Where C: is an encrypted system drive using something else than Bitlocker.

Normally the auto-unlock key is saved in the registry. The benefit of the -RecoveryKey task in comparison to the -Password unlock task is that your weakest link is not the password mentioned in clear text in the Windows Task manager, but the Windows access rights applied to the folder/*.bek key file.
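The workaround above, put into one script as an added example (not code from the answer's author). It assumes D: is the BitLocker data volume, C: is already encrypted by the SSD's hardware (BIOS drive password), F:\ is a BitLocker-encrypted USB stick used only for staging, the script runs from an elevated PowerShell prompt, and the key folder and task name are placeholders chosen here.

```powershell
# Added example, not the answer's own code. Placeholders: D:, F:\, $KeyDir, task name.
$DataVolume = 'D:'
$UsbStaging = 'F:\'                              # BitLocker-encrypted USB stick (staging only)
$KeyDir     = 'C:\ProgramData\AutoUnlockKeys'    # placeholder; C: must already be encrypted

# 1. Add a recovery-key (external key) protector; manage-bde writes a hidden *.bek file
#    to the target directory on the USB stick.
manage-bde -protectors -add $DataVolume -RecoveryKey $UsbStaging

# 2. Copy the hidden system .bek file from the stick into the local key folder.
New-Item -ItemType Directory -Path $KeyDir -Force | Out-Null
$bek = Get-ChildItem -Path $UsbStaging -Filter '*.bek' -Force | Select-Object -First 1
Copy-Item -Path $bek.FullName -Destination $KeyDir -Force
$KeyFile = Join-Path $KeyDir $bek.Name

# 3. Lock the folder down: strip inherited ACEs, then allow only SYSTEM and Administrators.
#    This ACL is now the weakest link, as the answer notes, so keep it as tight as the task allows.
icacls $KeyDir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null

# 4. Register a startup task that unlocks D: with the key file; no password is stored in the task.
$action    = New-ScheduledTaskAction -Execute 'manage-bde.exe' `
                 -Argument "-unlock $DataVolume -RecoveryKey `"$KeyFile`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'BitLocker-AutoUnlock-D' -Action $action `
    -Trigger $trigger -Principal $principal -Force | Out-Null

# 5. Verify: the volume now lists an ExternalKey protector matching the copied .bek file.
(Get-BitLockerVolume -MountPoint $DataVolume).KeyProtector |
    Where-Object KeyProtectorType -eq 'ExternalKey'
```

After a reboot, check with `manage-bde -status D:` that the volume reports Lock Status: Unlocked; if not, the task history in Task Scheduler shows the manage-bde exit code.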