
Any Bitlocker gurus out there?


6 replies to this topic

#1 Rootman

Rootman

    Frequent Member

  • Advanced user
  • 361 posts
  • Location:USA

Posted A week ago

My company started using Bitlocker using a PIN to unlock the OS partition. I often have to boot to my WinPE via a USB stick and of course the bitlocker crypted C: partition is not accessible. My WinPE environment does have the manage-bde command. It works with the recovery key (see below).

 

If I remember to turn off the bitlocker within the running OS before I boot to WinPE I am fine.  I have a series of scripts I keep on my USB sticks to do just that.

manage-bde -protectors -disable C: -rebootcount 15

This will unlock the OS partition for 15 reboots, I can then reboot to my WinPE stick and all is cool, I can see the C: drive.

 

However I'd like to be able to unlock the bitlocker crypted OS from within WinPE as well, sometimes I forget to unlock first, sometimes it's just a PITA to boot twice, once to the full OS to turn BDE off, then again to the WinPE.  This seems to be a problem.

manage-bde -unlock C: pw

After I put in the correct PIN the command above does not work, it says the password isn't correct.  I am assuming this is because we use a PIN?  I can use the -recoverypassword option but this is 32 digits and I have to look it up every time.  I have dozens of laptops I am responsible for. 

 

Does anyone have a clue if this is possible to unlock from WinPE with a PIN?



#2 AnonVendetta

AnonVendetta

    Silver Member

  • Advanced user
  • 778 posts
  • Location:A new beginning.....
  • Interests:Self-development, computing

Posted A week ago

Don't know if I've said this before, but if you're going to use BitCrook, you might as well book a flight to Fort Meade and hand over an envelope with your creds in it. I honestly do believe it's backdoored. Or, if it's not, MS will give the NSA on demand access whenever they request it. Seriously, there's way better and more trusted encryption solutions out there. BitLocker's only real advantage is that it's built into Windows.

 

Any company that uses this POS FDE deserves to go out of business.



#3 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 15386 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 6 days ago

AFAICR, the pin (+TPM) normally applies to "system" (what MS would call "boot") volume while booting to it.

 

The manage-bde unlock command does have a -pin option (of course un- or under-documented):
https://docs.microso...nage-bde-unlock

but that refers to a different kind of pin, the certificate one.

 

So in theory, you could have dozens of certificates (one per machine) all protected by the same (certificate) pin.

 

The pin (+TPM) has nothing actually to do with encryption, it is a pre-boot check that avoids retrieving the credentials from the same volume at boot, or if you prefer, if you don't provide the pin the TPM will do nothing.

 

:duff:

Wonko 



#4 AnonVendetta

AnonVendetta

    Silver Member

  • Advanced user
  • 778 posts
  • Location:A new beginning.....
  • Interests:Self-development, computing

Posted 6 days ago

@Wonko: I know about the TPM, my board has one built in. But I keep it disabled in BIOS. I'm assuming it's mainly useful for those who intend to use BL. I simply don't trust the concept of a TPM, I'll stick with my complex and ridiculously long passwords.

I will assert again that any business using BL doesn't deserve to stay in business. If you're not giving your info out to 3 letter agencies, then you're certainly giving it to the Chinese, I bet they know how to hack a TPM remotely. They're in the business of stealing everyone's info anyway. They gave the world this fucking virus too. Not to mention stealing jobs and shitting on the global markets. Good thing I'm not president, I'd give them a little gift and nuke them to high heaven. People would beg for Trump to return if it meant getting rid of me.

#5 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 15386 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 6 days ago

I will assert again that any business using BL doesn't deserve to stay in business. 

Your opinion, BTW unasked for, has been duly recorded.

 

And quite frankly I am not interested in how you set your TPM.

 

My reply was targeted at the OP question.

 

It would be nice if you could keep political views out of reboot.pro, which is a technical board, or at least post them outside the strictly technical areas, this:
http://reboot.pro/fo...ommunity-forum/

might do.

 

:duff:

Wonko



#6 Rootman

Rootman

    Frequent Member

  • Advanced user
  • 361 posts
  • Location:USA

Posted 6 days ago

Well, thanks Wonko. Further investigation reveals no way to open the OS volume using the PIN using the manage-bde command. There are ways to change the PIN, but apparently none on how to open the volume using it. I suspect since it was not actually booted via the OS on disk it can't be done. I can still do the -recoverypassword option, it's just a bunch of typing!

 

I mainly run into the issue when a user has OS issues. I pop my WinPE USB drive in and boot to it and run a chkdsk and some scripts to delete temp and swap files. I just can't do that without first disabling protectors on the OS. Not a big issue but it sure would be nice to do it from the command line when I already know the PIN. Like many things, MS likes to make things irritatingly difficult.

 

I do not use BDE personally, but my company elected to use it. I had no choice in the matter. While AnonVendetta certainly has the right to spout off his agenda, I too ask that you tone it down to keep Reboot.pro a friendly place. There are millions of BDE users out there. It is what it is.



#7 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 15386 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 6 days ago

 I suspect since it was not actually booted via the OS on disk it can't be done.  I can still do the -recoverypassword option, it's just a bunch of typing!

Exactly, as said:

 

The pin (+TPM) has nothing actually to do with encryption, it is a pre-boot check that avoids retrieving the credentials from the same volume at boot, or if you prefer, if you don't provide the pin the TPM will do nothing.

 

Still, you could have certificates for all the machines stored on your USB stick, all of them protected by a same PIN.

 

Would it be a possible security risk?

 

Sure, if you lose your USB stick AND the PIN protecting the certificates is known.

 

If you think about it, it is anyway probably more secure than the *whatever* you use now to keep the passwords for the various laptops, unless it is a sort of password manager stored on the same USB stick (but if this is the case, then most password managers allow copy/paste). :dubbio:

 

:duff:

Wonko
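Added example, not posted by anyone in this thread: a small PowerShell wrapper around manage-bde for the two situations Rootman describes in post #1 (suspending protectors from the running OS before booting the WinPE stick, and unlocking C: from WinPE with the recovery password, which post #6 confirms is the only route that works there), plus the re-arm step that the thread never mentions. It assumes manage-bde.exe is on the PATH, that the script runs elevated, that the WinPE image includes the PowerShell and BitLocker optional components, and that C: is the encrypted OS volume; the function names and the .bek file path are the example's own. The `Suspend-OsProtectors` caveat matters for a defender: while protectors are disabled BitLocker keeps a clear key on the volume, so the data is effectively unprotected until `-protectors -enable` runs or the reboot count expires.

```powershell
# Added example (not from the thread): manage-bde helpers for the
# "disable protectors, boot WinPE, unlock, re-enable" workflow.
# Assumed: manage-bde.exe on PATH, elevated session, C: is the OS volume.

function Get-BdeField {
    # Pull one "Name: value" field out of 'manage-bde -status <volume>'.
    param([string]$Volume, [string]$Field)
    $output  = (& manage-bde.exe -status $Volume 2>&1) -join "`n"
    $pattern = '(?m)^\s*' + [regex]::Escape($Field) + '\s*:\s*(.+?)\s*$'
    $m = [regex]::Match($output, $pattern)
    if ($m.Success) { return $m.Groups[1].Value }
    return $null
}

function Suspend-OsProtectors {
    # Run from the full OS before booting the WinPE stick.
    # Disabling protectors stores a clear key on the volume, so the data is
    # effectively unprotected until protectors are re-enabled; -RebootCount
    # bounds that window, and 1 is enough for a single WinPE session.
    param([string]$Volume = 'C:', [int]$RebootCount = 1)
    & manage-bde.exe -protectors -disable $Volume -RebootCount $RebootCount | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde failed with exit code $LASTEXITCODE" }
    return (Get-BdeField -Volume $Volume -Field 'Protection Status')
}

function Resume-OsProtectors {
    # Run once maintenance is done so the reboot counter is not the only
    # thing re-arming BitLocker.
    param([string]$Volume = 'C:')
    & manage-bde.exe -protectors -enable $Volume | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde failed with exit code $LASTEXITCODE" }
    return (Get-BdeField -Volume $Volume -Field 'Protection Status')
}

function Unlock-OsVolumeFromWinPE {
    # Run from WinPE. The TPM+PIN protector is only released when the on-disk
    # OS boots, so here the choices are the numeric recovery password
    # (48 digits, eight groups of six) or an external key (.bek) file.
    param(
        [string]$Volume = 'C:',
        [string]$RecoveryKeyFile   # optional path to a .bek file (hypothetical)
    )
    if ((Get-BdeField -Volume $Volume -Field 'Lock Status') -eq 'Unlocked') {
        return 'Unlocked'
    }
    if ($RecoveryKeyFile) {
        & manage-bde.exe -unlock $Volume -RecoveryKey $RecoveryKeyFile | Out-Null
    } else {
        # Prompt for the recovery password so it never sits in a script file
        # or in the shell history on the stick.
        $secure = Read-Host -Prompt 'Recovery password (dashes optional)' -AsSecureString
        $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
        $digits = $plain -replace '[^0-9]', ''
        if ($digits.Length -ne 48) { throw 'A BitLocker recovery password is 48 digits' }
        # Rebuild the dashed form manage-bde documents: 123456-123456-...
        $formatted = ($digits -split '(.{6})' | Where-Object { $_ }) -join '-'
        & manage-bde.exe -unlock $Volume -RecoveryPassword $formatted | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "manage-bde failed with exit code $LASTEXITCODE" }
    return (Get-BdeField -Volume $Volume -Field 'Lock Status')
}

# Usage (full OS):   Suspend-OsProtectors -RebootCount 1   then reboot to WinPE
# Usage (WinPE):     Unlock-OsVolumeFromWinPE              (prompts for the password)
#                    Unlock-OsVolumeFromWinPE -RecoveryKeyFile 'D:\keys\laptop01.bek'
# Usage (full OS):   Resume-OsProtectors                   after maintenance
```

The status checks read `Protection Status` and `Lock Status` back from `manage-bde -status`, so each function returns the state the drive is actually in rather than trusting the exit code alone; `Resume-OsProtectors` is the step worth scripting into the "after" side of the maintenance routine, since a laptop left at `Protection Off` with a clear key on disk is no better than an unencrypted one.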





