
Does anyone know of any trick - registry change, group policy etc. which will allow a Bitlocker volume to be auto-unlocked without having a bitlocker encrypted system drive?

My system drive is a Samsung 850 Pro SSD, so it obviously has built-in encryption, which I enable by using a BIOS drive password.

I'm not using Bitlocker on the system drive, because with my BIOS I can't configure it to use the native hardware encryption, so it'd be wasting resources encrypting with the CPU.

I have a second mechanical hard drive, which I've encrypted with Bitlocker and I'd like to be able to auto-unlock it.

At the moment I've figured out a hack to do it, by running a task at system boot, that uses the bitlocker command line utility to manually unlock the drive. However this seems a very clunky way to do it.

I understand the reasoning behind this restriction, because they don't want to store decryption keys on an unencrypted drive, however in my case it doesn't really apply, as the system drive is fully encrypted, just not with Bitlocker.

I'm just wondering if there is some way to override this check, and force it to allow auto-unlock?

  • When you first mount the volume there should be a checkmark that indicates it will automatically mount the volume by remembering the passphrase.
    – Ramhound
    Commented Oct 26, 2015 at 14:20
  • 1
    @Ramhound. This only appears if the system drive is encrypted. I see the password input with no checkbox. Commented Oct 27, 2015 at 14:27
  • Both of machines (Windows 7 Enterprise and Windows 10 Professional) give me that prompt and neither have their system drive encrypted when I connect my encrypted USB external HDD.
    – Ramhound
    Commented Oct 27, 2015 at 14:44
  • Sorry, I should have been more clear. This is a fixed drive, not removable. Commented Oct 28, 2015 at 17:37

3 Answers

  1. turn off bitlocker on the drive you want to auto-unlock
  2. mount this drive as a removable drive, i.e. plug it into a USB-attached drive unit such as StarTech or many others
  3. boot the system and bitlock the drive and turn on auto-unlock
  4. shutdown the system
  5. mount the drive as a permanent drive
  6. reboot the system and the drive will auto-unlock because windows now thinks that it is a removable drive

Works For Me with no problems

  • Is there a way for this to work with disk partitions? For example, one disk with the System Disk not encrypted, and another partition encrypted? Commented Dec 15, 2022 at 0:19

Assumptions:

  • Your task enters the password, so it is saved in the Windows Task scheduler.
  • You do not like entering the Data drive password after every boot.

This workaround might not be less clunky, but maybe a bit less insecure.

Indeed, Windows will not allow you to enable auto-unlock on a fixed drive when the system partition is not encrypted (with bitlocker).

However, I used a workaround. I saved a recovery key (an external key file) with the manage-bde command to a USB flash drive. Now whenever I want to unlock the drive, instead of typing in the password, I click on the text-button below it and it automatically checks existing USB devices and unlocks. So clicking instead of typing.

In your situation, because C: is encrypted in another way while my C: was not, I would temporarily create the key on a (Bitlocker encrypted) USB flash drive. This *.bek file is a system hidden file (type dir /A:S to see it); copy it to a directory such as C:\Users\{Accountname}\AutoUnlockKeys\{keyfileid}.bek. I would deny rights to this folder as much as possible.

Then update your task to

manage-bde -unlock D: -RecoveryKey "C:\pathtofile\key.bek"

Where C: is an encrypted system drive using something else than Bitlocker.

Normally the auto-unlock key is saved in the registry. The benefit of -RecoveryKey task in comparison to the -Password unlock task is that your weakest link is not the password mentioned in clear text in the Windows Task manager, but, the weakest link is the Windows' access rights applied to the folder/*.bek key file.

  • That's a very interesting approach. I'll try it out. I'm not all that concerned with current setup, because the drive is hardware encrypted. However your solution does sound less hacky. Commented May 5, 2016 at 22:56
  • Just one other thing I thought I'd add. In my current setup, the command to unlock the drive is actually in a .cmd file, which is then referenced by task manager, so it's not technically storing the unlock key directly in the task scheduler. Commented Oct 7, 2016 at 3:22
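The external-key workaround in the answer above, scripted end to end as an added example (this is not code from the answer or from the question). It assumes the data volume is D:, that the key folder is C:\ProgramData\AutoUnlockKeys, and that the unlock should run as SYSTEM at startup so it does not depend on a user logging on. The only thing standing between an attacker who can read C: and the volume key is the NTFS ACL set in step 1, which is the trade-off the answer describes; on the asker's setup that ACL is backed by the SSD's BIOS/ATA password rather than by BitLocker.

```powershell
# Added example, not the answer's code. Assumptions: volume D:, key folder
# C:\ProgramData\AutoUnlockKeys, task runs as SYSTEM at startup. Run elevated.
#Requires -RunAsAdministrator

$Volume   = 'D:'
$KeyDir   = 'C:\ProgramData\AutoUnlockKeys'
$TaskName = 'AutoUnlock-DataVolume'

# 1. Create the key folder and strip inherited ACEs so only SYSTEM and local
#    Administrators can read it. Everything else hinges on this ACL.
New-Item -ItemType Directory -Path $KeyDir -Force | Out-Null
icacls $KeyDir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

# 2. Add an external-key protector. BitLocker writes a hidden <KeyProtectorId>.BEK
#    file into $KeyDir; the volume must already be unlocked for this to work.
if ((Get-BitLockerVolume -MountPoint $Volume).LockStatus -ne 'Unlocked') {
    throw "$Volume must be unlocked before a protector can be added"
}
Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryKeyPath $KeyDir -RecoveryKeyProtector | Out-Null
$bek = Get-ChildItem -Path $KeyDir -Filter '*.bek' -Force | Select-Object -First 1
if (-not $bek) { throw "no .bek file was written to $KeyDir" }

# 3. The command the task runs: unlock only if still locked. Unlock-BitLocker
#    -RecoveryKeyPath is the cmdlet form of: manage-bde -unlock D: -RecoveryKey <file>
$unlockCmd = "if ((Get-BitLockerVolume -MountPoint '$Volume').LockStatus -eq 'Locked') { " +
             "Unlock-BitLocker -MountPoint '$Volume' -RecoveryKeyPath '$($bek.FullName)' -ErrorAction Stop }"

# 4. Register a startup task running as SYSTEM (no logon needed, no window shown).
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -NonInteractive -WindowStyle Hidden -Command `"$unlockCmd`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null

# 5. Verify: the ExternalKey protector's KeyProtectorId should match the .bek name,
#    and the folder ACL should list only SYSTEM and Administrators.
(Get-BitLockerVolume -MountPoint $Volume).KeyProtector |
    Where-Object KeyProtectorType -eq 'ExternalKey' |
    Format-Table KeyProtectorId, KeyFileName
icacls $KeyDir
```

Two checks worth doing after a reboot: `Get-BitLockerVolume -MountPoint D:` should report LockStatus Unlocked before anyone logs on, and `Get-ScheduledTaskInfo -TaskName AutoUnlock-DataVolume` should show LastTaskResult 0. If the .bek is ever copied off the machine, remove that protector with `Remove-BitLockerKeyProtector -MountPoint D: -KeyProtectorId <id>` and add a fresh one; the file alone is sufficient to unlock the volume.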

My solution is described here

To setup automatic BitLocker drive unlock, during log on:

  1. Create file UnlockDrives.ps1:

     try {
       # Volume to unlock and its BitLocker password (stored here in clear text).
       $Volume = "E:"
       $Password = "BITLOCKPASSWORD"
       # Unlock-BitLocker takes a SecureString, so convert the clear-text value.
       Unlock-BitLocker -MountPoint $Volume -ErrorAction Stop -Password (ConvertTo-SecureString $Password -AsPlainText -Force)
       Write-Host "Drive $Volume unlocked"
     }
     catch {
       # Rethrow so the scheduled task records the failure in its history.
       throw "Failed to unlock $Volume $_"
     }

  2. Save UnlockDrives.ps1 and RunHiddenConsole.exe in the C:\Users\YOURUSER\AppData\Local\UnlockDrives folder
  3. FOR SECURITY ONLY: Enable folder encryption and edit its permissions, so only your user will have access to this folder
  4. Open Task Scheduler
  5. Create a new task under Microsoft\Windows\Powershell\ScheduledJobs
  6. Enter name: "UnlockDrives"
  7. Select General -> "Run only when user is logged on", for your user only
  8. Select General -> "Run with highest privileges"
  9. Add Triggers -> "At log on", for your user only
  10. Add Action -> "Start a program"
  11. Set Program to: RunHiddenConsole.exe
  12. Set Arguments to: powershell.exe -ExecutionPolicy Unrestricted -Command "./UnlockDrives.ps1"
  13. Set "Start in" to: C:\Users\YOURUSER\AppData\Local\UnlockDrives

RunHiddenConsole.exe can be downloaded from the link above, or compiled from sources. It is not a must, but it solves the annoying window-flashing problem during login.
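A variant of the UnlockDrives.ps1 above that avoids the clear-text `$Password` line, added here as an example and not part of the answer. It keeps the same logon-time task (steps 3 to 13 apply unchanged) but stores the password as a DPAPI-protected blob: `ConvertFrom-SecureString` without `-Key` encrypts with the logged-on user's DPAPI master key, so the blob decrypts only for that user on that machine, which matches the task's "Run only when user is logged on" scope. Assumed names: volume D: and a credential file at %LOCALAPPDATA%\UnlockDrives\D.cred.

```powershell
# Added example, not the answer's script. Assumptions: volume D:, blob stored at
# %LOCALAPPDATA%\UnlockDrives\D.cred. Run once with -Setup to create the blob,
# then let the logon task run it with no switch.
param([switch]$Setup)

$Volume   = 'D:'
$CredFile = Join-Path $env:LOCALAPPDATA 'UnlockDrives\D.cred'

function Save-VolumePassword {
    # One-time, interactive: prompt for the password and store it DPAPI-protected.
    # No -Key on ConvertFrom-SecureString means DPAPI, bound to this user + machine.
    param([string]$Path)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    $secure = Read-Host -Prompt "BitLocker password for $Volume" -AsSecureString
    $secure | ConvertFrom-SecureString | Set-Content -Path $Path -Encoding ASCII
    # Belt and braces: the blob is useless to other users, but keep the ACL tight too.
    icacls $Path /inheritance:r /grant:r "$env:USERDOMAIN\$($env:USERNAME):F" | Out-Null
}

function Unlock-VolumeFromCredFile {
    # Logon-time path: decrypt the blob (only succeeds as the user who wrote it)
    # and unlock the volume if it is still locked. Returns the final LockStatus.
    param([string]$Path)
    if (-not (Test-Path $Path)) {
        throw "credential file $Path missing; run this script once with -Setup"
    }
    $secure = Get-Content -Path $Path | ConvertTo-SecureString
    if ((Get-BitLockerVolume -MountPoint $Volume).LockStatus -eq 'Unlocked') {
        return 'Unlocked'
    }
    Unlock-BitLocker -MountPoint $Volume -Password $secure -ErrorAction Stop | Out-Null
    return (Get-BitLockerVolume -MountPoint $Volume).LockStatus
}

if ($Setup) {
    Save-VolumePassword -Path $CredFile
} else {
    $state = Unlock-VolumeFromCredFile -Path $CredFile
    Write-Host "Drive $Volume is $state"
}
```

What this buys and what it does not: the blob cannot be read by another local account or from an offline copy of the disk without that user's DPAPI master key, which is derived from the account's logon secret. Anyone who can run code as that user while logged on, however, can call `ConvertTo-SecureString` on it just as this script does, so the folder permissions in step 3 still matter, and the task should stay scoped to that one user.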

