BitLocker Security concerns


  1. Posts : 812
    Win10
       #1

    BitLocker Security concerns


    I just stumbled into an issue and would like to ask if this is normal or not.
    My UEFI boot order is the Windows Boot Manager and then the Internal HDD, nothing else. The exception is when I insert the USB flash drive, which then shows up last in the Boot Sequence menu options; apart from that, there are no other boot devices.

    BitLocker is set to a TPM and PIN protector.

    However, and this part is very strange, when I inserted my Windows 10 USB bootable flash drive and then rebooted my laptop, it did not even prompt me to enter the BitLocker PIN.

    Without the USB stick, it does.

    The USB stick is only a Windows 10 bootable media created with the Media Creation Tool, that's all, along with a few folders which contain some personal documents.

    I was not going to install Windows; I had a few personal files to edit, but when the laptop rebooted, I noticed that the USB flash drive was still in the laptop and it did not ask for the BitLocker PIN.

    I just did a test again by inserting my Windows 10 USB bootable flash drive and rebooting the laptop, and it went right through to the Windows Logon screen WITHOUT the BitLocker PIN prompt.


    Now, I would like to ask: why?





    Thanks
    Last edited by win10freak; 02 Aug 2018 at 14:58.


  2. Posts : 3,274
    Win10
       #2

    That seems strange. Can you confirm that the USB stick does not contain your BitLocker key by any chance, and also, when you run this command in Windows, does it say "TPM and PIN" in the "key protectors" section? (See this article for additional info: How to enable BitLocker to prompt for PIN during startup | Passion IT.)

    Command Prompt (admin):

    manage-bde -status

    If the USB stick does not contain any BitLocker key, I too find it very strange that just inserting that USB allows you to go straight into Windows, unless for some reason BitLocker has been suspended, in which case it would not ask for the PIN.

    Hope you get to the bottom of this.


  3. Posts : 812
    Win10
    Thread Starter
       #3

    WOW, BINGO!!!!!

    I did not know that there is also a second Recovery Key file ending in .BEK along with the BitLocker key file ending in .TXT as well.

    I had to Unhide all the protected hidden files from my USB directory.

    And yes, manage-bde -status does show TPM and PIN.

    In order to test this without these files, can I remove both the BEK and the TXT keys from my USB stick and, in the meantime, take a photo with my mobile phone of the BitLocker Recovery Key.TXT just in case it asks for it during my testing?

    I need to test this to see if this was the root cause.


  4. Posts : 3,274
    Win10
       #4

    You could always copy them to a spare USB flash drive and test your main USB without those files. Make sure you have written backups of the keys just in case!


  5. Posts : 812
    Win10
    Thread Starter
       #5

    Do I need to have the BEK file on my USB flash drive along with the Recovery Key.TXT file?
    Can I delete the BEK file?


  6. Posts : 3,274
    Win10
       #6

    As far as I understand the process, a .bek file will autoload the key and start the PC straight away, but with a .txt file it will wait and ask you to select and load that .txt file. I would keep both, as they only use a few bytes of storage.
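The behaviour described in posts #2 and #6 (the machine booting straight past the PIN prompt while a USB stick carrying a .bek file is inserted) is what a startup-key protector does: BitLocker lists it as an ExternalKey protector alongside the TPM+PIN protector, and the boot manager will unlock with the external key when it finds one. The script below is an added example, not code from the thread or from Microsoft's tutorials; it audits the key protectors on the OS drive with the BitLocker PowerShell module, warns if protection is suspended or if an ExternalKey protector exists, and only removes such protectors when the caller opts in with -RemoveStartupKeys. It assumes an elevated session on an edition that ships the BitLocker module, and that $env:SystemDrive is the encrypted OS volume.

```powershell
# Added example (not from the thread): audit BitLocker key protectors on the OS drive.
# Assumptions: elevated PowerShell, BitLocker module available, OS volume = $env:SystemDrive.
param(
    [string]$MountPoint = $env:SystemDrive,   # assumption: the OS drive is the system drive
    [switch]$RemoveStartupKeys                # opt-in: remove any ExternalKey (.bek) protector found
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

"Volume {0}: VolumeStatus={1}, ProtectionStatus={2}" -f $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus

# A suspended volume boots without any prompt at all, which looks the same as the .bek case from the outside.
if ($vol.ProtectionStatus -ne 'On') {
    Write-Warning "Protection is not On: no PIN prompt will appear until it is resumed (Resume-BitLocker -MountPoint $MountPoint)."
}

# List every protector; the types seen in this thread are TpmPin, RecoveryPassword and ExternalKey (the .bek file).
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
foreach ($kp in $vol.KeyProtector) {
    "  {0,-18} {1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId
}

if ($types -notcontains 'TpmPin') {
    Write-Warning "No TpmPin protector: startup does not require a PIN."
}
if ($types -notcontains 'RecoveryPassword') {
    Write-Warning "No RecoveryPassword protector: back up a recovery password before changing protectors."
}

# An ExternalKey protector means a USB drive holding the matching .bek unlocks the OS with no PIN.
$startupKeys = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'ExternalKey' })
foreach ($kp in $startupKeys) {
    Write-Warning ("ExternalKey protector {0} present: any USB drive carrying its .bek file boots this PC without the PIN." -f $kp.KeyProtectorId)
    if ($RemoveStartupKeys) {
        # Removing the protector invalidates the .bek file; the TPM+PIN and recovery password protectors stay.
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        "Removed ExternalKey protector $($kp.KeyProtectorId)"
    }
}
```

Run it once without the switch to see the protector list; the equivalent read-only view at a command prompt is manage-bde -protectors -get C:. If you later want a startup key again (post #9's question), Add-BitLockerKeyProtector -MountPoint C: -StartupKeyProtector -StartupKeyPath E:\ writes a fresh .bek to drive E: and registers a new ExternalKey protector, which is the same result as the Control Panel option referred to in post #10.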


  7. Posts : 812
    Win10
    Thread Starter
       #7

    I removed the BEK file leaving the TXT Recovery Key file only on my USB.
    Inserted it into my laptop, rebooted it, and this time the PIN prompt came up.

    However, this time I did a test to see if TXT Recovery Key works or not by trying to load the system into Safe Mode.

    Went into the Recovery options in Windows 10, and selected Boot into Recovery/Safe Mode and then rebooted my machine again. Upon boot, it asks me for the BitLocker PIN, then for the Recovery Key. I then inserted the USB flash drive and did another reboot. It again came up with the PIN entry, and then it proceeded to the Windows Logon, but this time, without being in Safe Mode.

    Tested this again, but this time manually entering my Recovery Key and after reboot, it did boot into Safe Mode options.



    Is there any way to re-generate the BEK file?
    Last edited by win10freak; 04 Aug 2018 at 05:03.


  8. Posts : 3,274
    Win10
       #8

    Try:
    How to Copy Startup Key of OS Drive Encrypted by BitLocker in Windows

    Copy Startup Key of OS Drive Encrypted by BitLocker in Windows | Windows 10 Tutorials


  9. Posts : 812
    Win10
    Thread Starter
       #9

    That's the issue: I removed the BEK file that was saved as a backup from my PC as well.

    Is there a way to create a new BEK file?

    If not, I have two options below:

    From a security standpoint, I like having the Bitlocker PIN prompt.

    Also, as long as the Bitlocker Recovery allows me to unlock the drive and takes me to Windows login screen I’m ok with that.

    So if something goes wrong with my machine, of course, I am unable to gain access to the troubleshooting GUI such as Safe Mode.

    Will just have to reinstall the OS again.


  10. Posts : 3,274
    Win10
       #10

    Did you try Option 2 as shown in the tutorial? (It says "Copy BitLocker Startup Key of OS Drive to USB Flash Drive in Control Panel"; you just have to insert a USB stick for it to make a new .bek file on it.)

    Copy Startup Key of OS Drive Encrypted by BitLocker in Windows | Windows 10 Tutorials
Windows 10 Forums