Bitlocker problem


  1. Posts : 18
    Windows 10 Pro
       #1

    Bitlocker problem


    I have started experimenting with Bitlocker on my Win 10 Pro system. For testing purposes, I created a small partition on my C drive with its own drive letter, put some garbage data in it, and successfully encrypted it. The problem comes when I try to unlock the drive after a restart. I would prefer to unlock by using a USB drive so that I don't have to enter a long password manually. I have set all the permissions with gpedit.msc (I do not have a TPM), and I save my key to the USB drive when I encrypt the drive. Unfortunately, when I direct bitlocker to go to the USB drive when unlocking, I get an error message that says: "A valid USB key wasn't detected", so the only way to unlock is with the password. The USB drive contains 3 files: System Volume Information, a long named .bek file, and a Bitlocker recovery key .txt file.

    I am not attempting to encrypt my C drive yet, just testing encryption of data drives. FWIW, my system is able to boot from a USB drive. Can anyone tell me how I can unlock a data drive using just the info on the USB drive?

    Tia

    Tohowalk


  2. Posts : 5,478
    2004
       #2

    tohowalk said:
    Unfortunately, when I direct bitlocker to go to the USB drive when unlocking, I get an error message that says: "A valid USB key wasn't detected", so the only way to unlock is with the password.
    How did you direct BitLocker to use the USB? Doesn't USB unlocking only apply to the system (OS) drive? I made a setup like yours (but using a vhdx) and only see these options - nothing for USB - only Password, smart card (I don't have one) and auto unlock.

    [Attachment: Bitlocker problem-bitlocker.png]

    And I don't see anything in gpedit.msc - am I missing something?

    [Attachment: Bitlocker problem-gpedit.png]

    I have the same 3 files saved to USB but no way to use them here it seems. As far as I can understand, the USB is only used for the operating system drive (and only if you have configured Require additional authentication at startup under Operating System Drives in gpedit.msc).

    [Attachment: Bitlocker problem-require.png]


  3. Posts : 5,451
    Windows 11 Home
       #3

    Bitlocker is hard to get along with sometimes, consider using something else, like VeraCrypt.


  4. Posts : 18
    Windows 10 Pro
    Thread Starter
       #4

    Halasz - you are correct that the selection for unlocking with a USB drive is under "OS drive", and presumably wouldn't apply to a data drive - my bad. However, when I encrypt my data drive, it asks where I want to back up the key to, and I choose USB drive. When I try to unlock my drive I get the password screen with a link on the bottom to choose another method (not exact wording here). If I click that, it offers me the option of reading the key from a USB drive. I click on that, and that's when I get the error message stated above. This leads me to believe that I should be able to do this - unlock with a key on a USB drive, I just can't figure out how. Extensive web searching has not helped - about all I find pertains to the C drive at bootup, but I have found a few things that, again, lead me to believe it can be done. There are some parameters in the command-line version of BitLocker that I should play with as well, but doing anything from the command line intimidates me - looks too easy to screw things up.

    Tohowalk


  5. Posts : 5,478
    2004
       #5

    Gotcha. You mean this:

    [Attachment: Bitlocker problem-capture.png]

    I'm going to be really unhelpful and say that it works for me. I've tried saving to both FAT32 and NTFS USB, and when I click on that "Load key from USB drive" either one unlocks my encrypted drive immediately.

    At least it means it can be done.

    What I did differently is use a vhdx like this (in PowerShell):
    Code:
    # Create a 10 GB dynamically expanding virtual disk and attach it
    New-Vhd -Dynamic d:\secrets.vhdx -SizeBytes 10GB
    Mount-Vhd d:\secrets.vhdx
    # Pick the freshly attached (still uninitialized) disk, give it an MBR
    # partition table, one partition with a drive letter, and format it NTFS
    Get-Disk |
    Where-Object PartitionStyle -eq 'RAW' |
    Initialize-Disk -PartitionStyle MBR -PassThru |
    New-Partition -AssignDriveLetter -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel "Secrets" -Confirm:$false
    I can't easily make a real partition as it will break my OSX dual boot but you could try that and then encrypt it with bitlocker, save the key to USB and see if that works. Perhaps it is real partitions it doesn't like, or perhaps another setting.

    The only setting I set in gpedit.msc was to tick the "Allow bitlocker without TPM" as I don't have one either.

    EDIT: When I unlock, I get this informational message, Event 782, BitLocker-API, in Event Viewer > Applications and Services > Microsoft > Windows > BitLocker-API > Management
    Code:
    The BitLocker protected volume F: was unlocked.
    Protector GUID: {5660bd9c-5c4e-49f4-b525-d3e93d8b926e}
    Identification GUID: {cc6c7512-f473-4ba5-964d-2ecbeeca8d93}
    and on the usb I have this (hidden system) file which matches the GUID:
    5660BD9C-5C4E-49F4-B525-D3E93D8B926E.BEK

    Perhaps you can see something in Event viewer log?
    Last edited by lx07; 01 Nov 2015 at 16:21.
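    The command-line route tohowalk mentions in #4, written out as an added example (this is not code from the thread). It does in PowerShell what the wizard does: encrypts a data volume with a password protector, adds an external key protector whose .BEK lands on the USB stick, and unlocks from that .BEK after a restart. F: as the test partition and E:\ as the USB root are placeholders; the cmdlets (Enable-BitLocker, Add-BitLockerKeyProtector, Unlock-BitLocker) are the ones shipped in the BitLocker module on Windows 10 Pro, and the session must be elevated.

```powershell
# Added example, not from the thread. Encrypt a data volume with a password
# protector plus an external key (.BEK) protector on a USB stick, then unlock
# from the .BEK. $Volume and $UsbRoot are placeholders to adjust.
$Volume  = 'F:'
$UsbRoot = 'E:\'

# 1. Encrypt with a password protector (the fallback the thread relies on).
#    Aes256 matches the policy setting discussed above; -UsedSpaceOnly keeps
#    the test quick on a mostly empty partition.
$pw = Read-Host -AsSecureString -Prompt "Password for $Volume"
Enable-BitLocker -MountPoint $Volume -EncryptionMethod Aes256 `
    -PasswordProtector -Password $pw -UsedSpaceOnly

# 2. Add an external key protector. BitLocker writes <ProtectorGUID>.BEK into
#    the given folder as a hidden system file and records that file name in
#    the protector's KeyFileName property. The GUID in the file name is the
#    Protector GUID that later shows up in events 775 and 782.
$vol = Add-BitLockerKeyProtector -MountPoint $Volume `
    -RecoveryKeyProtector -RecoveryKeyPath $UsbRoot
$bek = $vol.KeyProtector |
       Where-Object KeyProtectorType -eq 'ExternalKey' |
       Select-Object -ExpandProperty KeyFileName
$bekPath = Join-Path $UsbRoot $bek
Write-Host "External key protector written to $bekPath"

# 3. After a restart the volume is locked. Unlock it from the .BEK instead of
#    typing the password; Unlock-BitLocker wants the full path to the file.
#    (Right after step 2 the volume is still unlocked, so this branch is skipped.)
if ((Get-BitLockerVolume -MountPoint $Volume).LockStatus -eq 'Locked') {
    Unlock-BitLocker -MountPoint $Volume -RecoveryKeyPath $bekPath
}

# 4. Optional: the wizard's "auto unlock" option. Only possible once the OS
#    drive is itself BitLocker-protected, so it is left commented out here.
# Enable-BitLockerAutoUnlock -MountPoint $Volume
```

    Keep in mind that a .BEK file is a bearer credential: whoever holds the stick can unlock the volume, so it should be stored as carefully as the recovery password it replaces.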


  6. Posts : 18
    Windows 10 Pro
    Thread Starter
       #6

    Ok - now I'm really confused. In none of my attempts at this has the name of the .bek file matched the Protector Guid. I can encrypt fine, but only decrypt with the password. In looking at the event viewer, I see the key being created with a Protector Guid value that matches what's on my USB stick for the .bek file (event 775). One second later, I see another event 775 creating a different Protector Guid (same ID Guid). 21 seconds after that is an event 780 that says the Identification field was changed, but it lists the same ID Guid that it started with. It appears to me that it is creating a key and one second later creating another key. The first key gets saved to the USB stick, but the second key generation then changes the Protector Guid without recording it to the USB stick as a .bek file. What on earth?

    Tohowalk

    I have the encryption policy set to 256 bit instead of the default 128 bit in the policy editor if that makes a difference.


  7. Posts : 5,478
    2004
       #7

    These are my timings for Event viewer and file creation/modification in case it helps at all....
    Code:
    23:07:44 Event 796     BitLocker Drive Encryption is using software-based encryption to protect volume K:.
    
    23:08:06 Event 775     A BitLocker key protector was created.
                           Protector GUID: {e62b10f7-be78-4d80-8126-72832a659709}
                           Identification GUID: {1b295871-12d6-41c8-9baa-d74fc54109ee}
    
    23:09:07 Event 775     A BitLocker key protector was created.
                           Protector GUID: {bb414250-8248-431c-90cf-af43b3bab2c9}
                           Identification GUID: {1b295871-12d6-41c8-9baa-d74fc54109ee}
    
    23:09:08 Event 775     A BitLocker key protector was created.
                           Protector GUID: {5d7db745-5bac-4994-868e-073536510e33}
                           Identification GUID: {1b295871-12d6-41c8-9baa-d74fc54109ee}
    
    23:09:13 File created  BB414250-8248-431C-90CF-AF43B3BAB2C9.BEK
    
    23:09:14 File Modified BB414250-8248-431C-90CF-AF43B3BAB2C9.BEK
    
    23:09:19 Event 780     The identification field was changed. 
                           Identification GUID: {1b295871-12d6-41c8-9baa-d74fc54109ee}
    
    23:09:19 Event 768     BitLocker encryption was started for volume K:.
    
    23:12:55 Event 782     The BitLocker protected volume K: was unlocked.
                           Protector GUID: {bb414250-8248-431c-90cf-af43b3bab2c9}
                           Identification GUID: {1b295871-12d6-41c8-9baa-d74fc54109ee}
    Tried with AES 256 and it still works, sorry.
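    The check tohowalk is doing by hand in #6 and lx07 lays out in #7 (does the .BEK on the stick carry the Protector GUID the volume actually has, and what do the 775/780/782 events say) can be scripted. The block below is an added example, not code from the thread: it lists the volume's key protectors with their expected .BEK file names, compares them with the .BEK files present on the USB root, flags stale files that match no protector, and prints the recent BitLocker Management events in order. F: and E:\ are placeholder parameters; Get-BitLockerVolume, its KeyProtector.KeyFileName property, and the "Microsoft-Windows-BitLocker/BitLocker Management" log name are the real ones on Windows 10. Run elevated.

```powershell
# Added example, not from the thread. Reconcile a data volume's key protectors
# with the .BEK files on a USB stick and show the matching event timeline.
param(
    [string]$Volume  = 'F:',   # placeholder: the encrypted data volume
    [string]$UsbRoot = 'E:\'   # placeholder: root of the USB stick
)

# Key protectors known to the volume. ExternalKey protectors carry KeyFileName,
# the <ProtectorGUID>.BEK name BitLocker expects on the removable drive.
$protectors = (Get-BitLockerVolume -MountPoint $Volume).KeyProtector

# .BEK files on the stick. They are hidden system files, so -Force is needed
# (which is why a plain directory listing does not show them).
$bekFiles = Get-ChildItem -Path $UsbRoot -Filter '*.BEK' -Force -File |
            Select-Object -ExpandProperty Name

Write-Host "Key protectors on $Volume"
foreach ($p in $protectors) {
    $status = switch ($p.KeyProtectorType) {
        'ExternalKey' {
            if ($bekFiles -contains $p.KeyFileName) { 'BEK present on USB' }
            else { 'BEK MISSING from USB' }
        }
        default { '' }
    }
    '{0,-18} {1}  {2}' -f $p.KeyProtectorType, $p.KeyProtectorId, $status
}

# A .BEK whose GUID matches no ExternalKey protector on this volume is stale
# (e.g. left from an earlier encryption attempt) and will never unlock it.
$expected = $protectors |
            Where-Object KeyProtectorType -eq 'ExternalKey' |
            Select-Object -ExpandProperty KeyFileName
$stale = $bekFiles | Where-Object { $expected -notcontains $_ }
if ($stale) {
    Write-Host "`nStale .BEK files on $UsbRoot (match no protector on ${Volume}):"
    $stale | ForEach-Object { "  $_" }
}

# Timeline from the BitLocker Management log: 768 encryption started,
# 775 protector created, 780 identification field changed, 782 volume unlocked.
Write-Host "`nRecent BitLocker-API events"
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id      = 768, 775, 780, 782
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    ForEach-Object {
        # First GUID in the message: the Protector GUID for 775/782, the
        # Identification GUID for 780 (which has no protector GUID).
        $guid = [regex]::Match($_.Message, '\{[0-9a-fA-F-]{36}\}').Value
        '{0:HH:mm:ss} Event {1,-4} {2}' -f $_.TimeCreated, $_.Id, $guid
    }
```

    An ExternalKey protector reported as "BEK MISSING from USB" is exactly the situation described in #6: the volume expects a file the stick does not have, so "Load key from USB drive" fails and only the password protector can open it.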


  8. Posts : 18
    Windows 10 Pro
    Thread Starter
       #8

    Looks like mine except for the "file created/modified" message. I am stumped.

    Many thanks for your help - I will keep trying to figure this out.

    Tohowalk


  9. Posts : 5,478
    2004
       #9

    tohowalk said:
    Looks like mine except for the "file created/modified" message.
    The file created/modified wasn't in Event Viewer - it was the timestamps on the file on the USB, i.e. there is another 775 before the file is written and the 780 is after.

    I can't see from this what it is doing at all though (or why it works for me and not you) I'm afraid.


  10. Posts : 18
    Windows 10 Pro
    Thread Starter
       #10

    Just as another test, I tried it on my wife's computer, and everything worked fine. That's frustrating! Hers is a Win 10 Pro upgrade (no TPM), and mine is a Win 10 Pro clean install. At least I guess I know where the problem is now.

    Tohowalk


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
Windows 10 Forums