Secure Boot and Bitlocker


  1. Posts : 812
    Win10
       #1

    Secure Boot and Bitlocker


    If I have BitLocker enabled on my system, do I have to enable Secure Boot as well?

    If BitLocker is enabled, does that mean I must enable Secure Boot?

    Or, can I just leave Secure Boot disabled?


  2. Posts : 5,478
    2004
       #2

    You don't need secure boot. You can have it on or off as you wish.

    If you change the Secure Boot setting (on to off or vice versa) by fiddling with the BIOS settings, though, it will trigger a change that requires your whole 48-digit BitLocker key to be entered, so if you want to change it, suspend BitLocker and then restart (so you can make your BIOS change).

    You need to do the same "suspend bitlocker/reboot" cycle for any other BIOS change that impacts on boot.


  3. Posts : 812
    Win10
    Thread Starter
       #3

    So it's always best to enable Secure Boot BEFORE turning ON BitLocker?

    Thanks for the quick response.


  4. Posts : 5,478
    2004
       #4

    Doesn't matter either way.

    I leave it off as I like to boot from USB sometimes so I don't like secure boot.

    The only thing to consider is if you want to change it (either from "on to off" or "off to on"), then you'll need to suspend BitLocker before you do, or BitLocker will prompt you for a recovery key as it saw a change in the boot setup.

    Once bitlocker is running it will be OK until you change something (change a BIOS setting, try to boot from a different disk etc).


  5. Posts : 812
    Win10
    Thread Starter
       #5

    One more final question which may be a bit off topic.

    Since my system is fully encrypted with BitLocker, would it be fine to leave the UEFI firmware password as not set or disabled? Do I really need to set a UEFI password even if my system is fully encrypted?


  6. Posts : 1,524
    Windows 10 Pro (32-bit) 16299.15
       #6

    Just a note that for devices which are using Device Encryption (which isn't the same as Bitlocker but uses the same underlying technology), I believe you do need to have Secure Boot enabled.
    Device Encryption is available on all versions of Windows 10, even W10 Home (which doesn't support Bitlocker), as long as the hardware meets certain requirements - for instance I believe the system drive must be on a 'non-rotational disk' (e.g. an SSD).


  7. Posts : 812
    Win10
    Thread Starter
       #7

    So you're saying I need to have Secure Boot enabled with BitLocker as well?

    By the way, I would like to just have BitLocker ask for the recovery key instead of the Suspend option.

    What about UEFI password?


  8. Posts : 1,524
    Windows 10 Pro (32-bit) 16299.15
       #8

    win10freak said:
    So you're saying I need to have Secure Boot enabled with BitLocker as well?

    Not if you have Windows 10 Pro or one of the other versions where Bitlocker is a feature. Bitlocker itself works fine without Secure Boot. It's only the Device Encryption which seems to need Secure Boot.

    win10freak said:
    If so, then will I need to Suspend BitLocker?

    If you were going to change anything significant such as Secure Boot status, then yes I would suspend it. It's safer to suspend it than find it asking for a recovery key because you didn't. I would make sure you know that recovery key in any case though.

    win10freak said:
    What about UEFI password?

    I don't think it's required. Personally I wouldn't set it but that's just me.


  9. Posts : 812
    Win10
    Thread Starter
       #9

    By the way, I would like to just have BitLocker ask for the recovery key instead of the Suspend option.

    I have the recovery key on a USB stick so that way I can just insert it and BitLocker will automatically unlock the drive.

    Here is the reason why....
    BitLocker Frequently Asked Questions (FAQ)

    Suspend keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the Suspend option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.


  10. Posts : 5,478
    2004
       #10

    You don't have to suspend BitLocker protection if you are planning a change to your BIOS - certainly you can enter the recovery key. Indeed, if you don't suspend it you will be asked for the key, and I know for sure that it works as sometimes I forget to suspend it.

    The thing is that if you change a setting in your BIOS then your TPM (or USB) will not auto-unlock it so you will be forced to manually type in the full recovery key. This is the really long one you see in red here from the file you get when you save it:
    Code:
    BitLocker Drive Encryption recovery key 
    
    To verify that this is the correct recovery key, compare the start of the following identifier with the identifier value displayed on your PC.
    
    Identifier:
    
    	7F907225-EA35-48A1-AC2E-BCC2C8B54524
    
    If the above identifier matches the one displayed by your PC, then use the following key to unlock your drive.
    
    Recovery Key:
    
    	534787-075230-603179-334334-685311-285032-169356-608751
    
    If the above identifier doesn't match the one displayed by your PC, then this isn't the right key to unlock your drive.
    Try another recovery key, or refer to https://go.microsoft.com/fwlink/?LinkID=260589 for additional assistance.

    If you are planning to reboot to change some BIOS option it just makes life easier to suspend bitlocker as you don't have to type in this long number - after reboot the key is again protected.

    If you suspend BitLocker through the GUI (like in option 1 in the link below) it will be enabled after the next reboot, so you can suspend it, make your change and it is automatically enabled (and the key is no longer stored in clear).

    Incidentally, you can also use PowerShell as described in option 4 of the link below to ask the system not to re-enable protection for an arbitrary number of reboots.

    For example Suspend-BitLocker -MountPoint "C:" -RebootCount 5 will not resume protection for 5 reboots. I honestly can't imagine a situation you would want to do that but you could do it I guess.

    Suspend or Resume BitLocker Protection for Drive in Windows 10
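A pre-flight script for the "suspend before a firmware change" routine discussed in this thread, added here as an example and not taken from the thread or from Microsoft's documentation. It assumes an administrative PowerShell session on a Windows 10 Pro machine with the BitLocker and SecureBoot modules present; the function names are my own.

```powershell
# Added example: check the state of C: before and after a Secure Boot / BIOS change.
# Assumes: run as Administrator; BitLocker and SecureBoot PowerShell modules available.

function Invoke-BitLockerPreflight {
    param([string]$MountPoint = "C:")
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # 1. Make sure a numerical recovery password protector exists and show its ID.
    #    The GUID is the "Identifier" the recovery screen asks you to compare with
    #    the identifier in the saved recovery key file.
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        throw "No RecoveryPassword protector on $MountPoint - add one before touching firmware settings."
    }
    foreach ($p in $rp) { Write-Output "Recovery key protector ID: $($p.KeyProtectorId)" }

    # 2. Record the current Secure Boot state for comparison after the change.
    #    Confirm-SecureBootUEFI throws on legacy BIOS systems, hence the try/catch.
    try { $sb = Confirm-SecureBootUEFI } catch { $sb = 'not available (legacy BIOS?)' }
    Write-Output "Secure Boot currently: $sb"

    # 3. Suspend protection for exactly one reboot; BitLocker resumes by itself afterwards.
    if ($vol.ProtectionStatus -eq 'On') {
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
        Write-Output "Protection suspended on $MountPoint for one reboot; change the firmware setting now."
    } else {
        Write-Output "Protection on $MountPoint is already Off (suspended); nothing to do."
    }
}

function Confirm-BitLockerResumed {
    # Run after the reboot: a GUI suspend (reboot count 0) or a larger -RebootCount can
    # leave the volume master key protected only by the clear key, so force a resume.
    param([string]$MountPoint = "C:")
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }
    Write-Output "Protection on $MountPoint is now: $($vol.ProtectionStatus)"
    return ($vol.ProtectionStatus -eq 'On')
}

# Usage: Invoke-BitLockerPreflight before the reboot, Confirm-BitLockerResumed after it.
```

Resuming with -RebootCount 1 covers the single reboot the BIOS change needs; the post-reboot check is what turns a forgotten suspend back into protected state.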


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.