
In my computer I have an SSD with an OS installed, and an HDD with two partitions, one of which I use to store my user profiles and other potentially sensitive data.

I would like to encrypt one of the data partitions, if possible without encrypting the OS disk, and I would like to have my key on a USB drive. When trying to use BitLocker, I am offered to use the USB key only for my system drive; only the password option is offered for the data drive. I assume that if I encrypt the OS drive, I will be able to use the same key for the data drive (automatic unlock); however, I would prefer not to encrypt my OS drive, because I see no reason to lower its performance, as the OS drive does not contain any data I consider sensitive.

Is this possible somehow?

1 Answer


You cannot achieve this without the command prompt or PowerShell.

Open a cmd window with admin rights (Win + X).

For a new drive:

manage-bde -on D: -RecoveryKey F: -RecoveryPassword -UsedSpaceOnly

A RecoveryPassword (-rp) consisting of a long numerical code is displayed for you to copy to a safe place, to be used if you lose your USB key. The RecoveryKey (-rk) or StartupKey (-sk) puts an external key file on the USB drive F:. Add -UsedSpaceOnly to speed up encryption.

For an already encrypted drive:

Manage-bde D: -protectors -add -RecoveryKey F:
Manage-bde D: -protectors -add /?

The /? will result in a help overview.

After you have successfully added an external key file protector to the data drive, Windows will not automatically unlock the data drive when the USB key is detected. BitLocker's own auto-unlock mechanism will add an external key file into the Windows registry if you enable it, but this is only available if the system drive is encrypted. You cannot 'teach' Windows to use the key file to auto-unlock the data drive. You can, however, add a task in Task Scheduler that results in this behaviour.

manage-bde -unlock D: -RecoveryKey "F:\00000-...-.bek"

This time you do need to be specific in pointing to the file on the USB key (whereas saving the key to the USB drive does not require you to specify a folder/filename).

As stated in the comments below, you can also unlock the drive with the mouse using the blue links in the BitLocker corner popup.

  • \ needs to be escaped as \\ - I cannot edit it myself as this is not 6 characters. :(
    – Suma
    Commented May 30, 2016 at 11:14
  • I have tried this and I am afraid it is not complete. The disk is not unlocked when I start the computer, I need to enter a long numeric password. When I check Manage-bde X: -protectors -get, the external key is listed as a file name only, with no path to the flash disk. I will try changing that with -protectors add.
    – Suma
    Commented May 30, 2016 at 13:36
  • I was not successful so far. Each attempt to use Manage-bde D: -protectors -add -StartupKey "F:\\" or Manage-bde D: -protectors -add -RecoveryKey "F:\\" creates a new key or recovery key on my USB stick, but the key is not used; the OS asks me for a password on first access.
    – Suma
    Commented May 30, 2016 at 13:54
  • Password will always take priority when it exists. If you use the GUI, click the blue sentence below the password box and then click the line "Load key from USB drive"; it will then check for *.bek files in the root location of other (USB) drives. If you do not want the GUI to ask you for a password you will have to remove the password protector. Then a clickable blue link will appear when you unlock the drive without a password box.
    – A71
    Commented May 30, 2016 at 14:23
  • Still no luck. When I removed the password, the drive is still not unlocked on startup. When I click on the drive to open it, a window appears with an option "Load key from USB drive", but when I click it, an error shows: "A valid USB key wasn't detected". The BEK file is present on the USB, but somehow it is not found. As I had removed the recovery password protector before (it was the only password protector I had), I guess I have lost the drive. (This does not matter - it was just a testing drive; I expected something might go wrong.)
    – Suma
    Commented May 31, 2016 at 7:33
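
The procedure from the answer above, carried out with the BitLocker and ScheduledTasks PowerShell modules, as an added example that is not code from the original answer or comments. It enables BitLocker on the data volume with an external key (.bek) written to the USB drive, keeps a numerical recovery password as a second protector (the comment thread shows what happens when the last fallback protector is removed), lists the protectors so the file-name-only ExternalKey entry is visible, and registers a logon task that searches the root of every removable drive for the .bek named in that protector before unlocking, which is the lookup that fails with "A valid USB key wasn't detected" when the file is not where BitLocker looks. The drive letters D: and F:, the script path under ProgramData and the task name are assumptions; run it in an elevated PowerShell.

```powershell
# Added example (not from the original answer): BitLocker on a data volume with a
# USB key file, plus a logon task that unlocks it. Assumed: D: is the data volume,
# F: is the USB drive. Requires an elevated PowerShell with the BitLocker module.

$DataVolume = 'D:'   # assumption: the data partition to encrypt
$UsbRoot    = 'F:\'  # assumption: root of the USB drive that will hold the .bek

# 1. Turn on BitLocker with an external key protector. The .bek is written to the
#    USB root (BitLocker's GUI only searches drive roots for *.bek files).
#    -UsedSpaceOnly encrypts only allocated blocks, fast on a new/empty volume.
#    Fails if the volume is already encrypted; use Add-BitLockerKeyProtector then.
Enable-BitLocker -MountPoint $DataVolume -RecoveryKeyPath $UsbRoot `
    -RecoveryKeyProtector -UsedSpaceOnly

# 2. Always keep a second protector. The 48-digit recovery password is the safety
#    net if the USB stick is lost; print it once so it can be stored offline.
#    Never remove the last remaining protector of a volume.
$vol = Add-BitLockerKeyProtector -MountPoint $DataVolume -RecoveryPasswordProtector
$vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { "Recovery password (store offline): $($_.RecoveryPassword)" }

# 3. Inspect the protectors. The ExternalKey entry carries only the .bek file
#    name (KeyFileName), not the drive it was saved to, so any unlock routine
#    has to locate the file itself.
(Get-BitLockerVolume -MountPoint $DataVolume).KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId, KeyFileName

# 4. Logon task: look up the .bek name from the volume's own protector list,
#    search the root of each removable drive for it, and unlock with the full path
#    (manage-bde -unlock -RecoveryKey and Unlock-BitLocker both need the full path).
$unlockScript = @'
$mp  = 'D:'   # assumption: data volume
$vol = Get-BitLockerVolume -MountPoint $mp
if ($vol.LockStatus -ne 'Locked') { return }   # nothing to do if already open
$bek = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'ExternalKey').KeyFileName
if (-not $bek) { return }                      # no external key protector configured
$path = Get-Volume |
    Where-Object { $_.DriveType -eq 'Removable' -and "$($_.DriveLetter)" -match '^[A-Za-z]$' } |
    ForEach-Object { Join-Path ("{0}:\" -f $_.DriveLetter) $bek } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1
if ($path) { Unlock-BitLocker -MountPoint $mp -RecoveryKeyPath $path }
'@
$scriptPath = Join-Path $env:ProgramData 'UnlockDataVolume.ps1'   # assumption
Set-Content -LiteralPath $scriptPath -Value $unlockScript -Encoding ASCII

# Run at logon of the current user with elevation, so Unlock-BitLocker is allowed.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -AtLogOn
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
    -LogonType Interactive -RunLevel Highest
Register-ScheduledTask -TaskName 'Unlock D with USB key' `
    -Action $action -Trigger $trigger -Principal $principal -Force
```

Two practical notes. The password protector, when present, is what the unlock prompt asks for first, so a volume meant to open from the USB key should carry the external key plus the recovery password and no password protector; the recovery password stays as the fallback and is never the one removed. The .bek must sit in the root of the USB drive for the GUI's "Load key from USB drive" to see it; the task above tolerates any removable drive letter but still expects the file at the root.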
