BitLocker, Microsoft’s disk encryption technology has been in the news lately, and while there is lots of controversy sloshing around in the internet, I take this opportunity to write down some instructions and clarify some possible misunderstandings of the technology. This should not replace the official BitLocker documentation, a good starting point as of now is here.
So let’s dig in, what is BitLocker, what can it do, what can’t it do, what are the dangers and pitfalls and what should you do RIGHT NOW if you’re responsible for your own computers or the computers of family and friends that may or may not have BitLocker on them.
BitLocker is a whole disk encryption system, it does not encrypt individual files but entire disk partitions. As Windows users, you may know these partitions as drives and they usually have a drive letter attached. Windows normally boots from the C: drive, so that’s what you probably have.
Why would you want to encrypt a disk? Essentially to better control access to the data on the drive when the data on the disk is not accessed, e.g., if the computer is switched off. That’s called “Data at rest” . So let’s say an attacker steals your computer, unplugs the hard drive from the computer and plugs it into their own computer. If the disk is encrypted, the attacker can’t do much here, the disk just reads like random garbage if the attacker doesn’t know the key to the disk. If your computer is on and the disk is unlocked, then BitLocker can’t protect you, e.g., from malware on your PC.
BitLocker has a two-step encryption mechanism. First, it encrypts the whole disk with a key. This key is never stored in the clear, instead, it is encrypted with another key and stored on disk. The key stored encrypted with another key is called a protector. The clever thing is that BitLocker supports multiple protectors on the same disk, so you can have multiple keys that unlock the same disk. You can also delete these protectors individually, as long as you keep at least one protector. If you would ever delete this last protector (or lose it’s key) then your data is gone for good.
To see which protectors are there, you can use the command line tool manage-bde.
manage-bde -protectors c: -get lists all the protectors of disk C:. To run this, you need an administrator command prompt ( WINDOWS-X , then select terminal (Admin) on Win11)
There are several types of protectors. A simple one is the password protector, it’s key is simply a text password you can type. Another one is the numerical password protector, most disk have one of these. It is sometimes also called a BitLocker Recovery key. When you create a new BitLocker encrypted disk on Windows, it is always created and Windows tries to force you to either store or print it before the actual encryption starts. And here’s the first trick: You can have multiple numerical passwords aka recovery keys for the same disk!
On USB storage devices, a typical secure BitLocker setup would create two protectors, a Numerical Password and a Password. To unlock the disk, you would have to type the password. This setup is also sometimes called BitLocker-to-go as it is often used for removable devices. And here’s the next trick: Encrypt your USB sticks! There is hardly any computer device that more often gets lost, forgotten, stolen, discarded etc. So if you have an usb stick with any type of valuable data on it, encrypt it. Two caveats: 1. There are many embedded devices, mobile phones and other computers that do not know how to deal with BitLocker encryption, from MP3-playing car stereos to photo print-on-demand kiosks at the supermarket. 2. To create a BitLocker to go device, you need at least Windows Professional. Windows Home will not let you create one. But the good thing is that once it’s been created on a Win Pro machine, the Win Home machine will happily unlock it with a password and work with it, read, write, everything. And there are opensource alternatives to BitLocker that don’t have this restriction, more on that later.
On older Windows PCs with BitLocker setup, you may have seen that they also request a password during boot to unlock the disk. This still works but is less common today. Although the disks are all BitLocker encrypted, newer PCs just auto-unlock the disk and boots without any password. How is this possible and is this secure? The way this works is through a device in the computer called Trusted Platform Module, short TPM. When TPMs were introduced, there were a number of conspiracy theories related to the US Government and secret backdoors, but what an actual TPM does is rather simple. It’s a small computer with very limited storage and CPU capacity. When a TPM is manufactured, it creates a few random keys that are unique to this TPM and stores them in a protected storage that can’t be read from the outside directly but can be used by the TPM for some internal encryption and hash operations. There are many ways these operations can be used to prove the identity of a PC or create additional secure keys, but what BitLocker uses is another function, the so called Platform Configuration Registers or PCRs. When the PC boots from its firmware, the firmware computes checksums from itself before it executes and sends these checksums to the TPM. The same happens with every new piece of software loaded during the boot process, i.e., the UEFI, the OS boot loader, the OS kernel and so on. Every time the TPM receives such a checksum, it uses it to compute new values in its PCRs. When some part of the boot process is changed, for example when the PC is booted from an USB stick instead of the disk, the corresponding checksum changes. And the corresponding PCR value changes as well. And since the PCR values start from the unique random keys of the TPM, the PCR values are different on every PC, even if the same software is booted. And this uniqueness is used by BitLocker to create a unique key from the PCR values of your PC and use them to unlock another protector on disk, the TPM protector. As long as nobody tampers with the PC, the PCR values are all computed in the same way on every boot and the BitLocker drive simply unlocks. But if anything changes (e.g. if the attacker boots from a USB stick or tries to boot the disk in a different PC) then the PCR values don’t match and the disk can’t be unlocked. This sometimes happens during failed software updates and that’s why you should have your numerical recovery key around. Next trick: Store your BitLocker Recovery Key where you can find it, you may need it during a failed upgrade! Using the manage-bde command, you can display the recovery key at any time, provided that the unlock via TPM or password was successful. If it wasn’t successful, you may be in trouble.
And that’s where we’re getting to the controversial part. All Windows versions since 8 try to convince you to log in with something called a Microsoft Account, short MSA. You may know this as your outlook.com e-mail address, but it’s also the cloud service that gives you access to the Microsoft Store, OneDrive, other software services like Microsoft 365 aka Microsoft Office. And, since Microsoft introduced a free version BitLocker in easy-to-lose tablet devices for Windows Home called device encryption, it also serves as an automatic backup for the BitLocker recovery keys of your MSA-connected Windows devices. When encrypting a disk with Windows Professional, this is one of the options presented where to store the recovery key. In Windows Home, this is the automatic default for devices that come with device encryption.
Next tip: You can find the recovery keys of your MSA connected Windows devices at https://aka.ms/myrecoverykey The controversial version of the same statement is Microsoft stores recovery keys for BitLocker and has access to these keys!!! OMG!
Given that there are situations where BitLocker auto unlock via TPM will fail, it is imho very prudent for Microsoft to provide a recovery mechanism. But there may be situations where you don’t want this. So here’s the deal: Through the same link above, you can delete the Recovery keys that Microsoft keeps for you. And if you don’t trust Microsoft to actually delete the keys, you can add a second numerical password protector (even on Windows Home!) and then delete the first protector that Microsoft has. It’s all documented, just run manage-bde -protectors c: -add -? and manage-bde -protectors c: -delete -? and the command help will explain how to add and delete protectors.
There is a whole other side of BitLocker when a Windows device is hooked up to an Active Directory or an Azure Active Directory/Azure Entra ID, there are also some very clever ways how additional protectors can be added, recovery keys stored and even rotated by IT departments, but that’s clearly beyond a Saturday evening blog post. And I also need to follow up with a post about opensource alternatives and BitLocker on other operating systems such as Linux.
Hope this helps,
H.
ps: this blog post is dedicated to the memory of Stefan Thom who was the TPM and TCG person at Microsoft until he passed away too early in September 2020. See https://trustedcomputinggroup.org/in-fond-memory-of-stefan-kreisselmeier/ He explained to me most of the things I still remember about TPMs.