Encrypting a VHD/X using Powershell Commands

  • Question

  • Hi!
    I have been trying to create an encrypted container using VHD/X and BitLocker for a desktop app that I'm developing. The thing here is I have been trying to encrypt a VHD/X using a PowerShell console (with elevated permissions), but I can't find a way to do this.
    I checked a lot of online posts and even the Microsoft documentation (https://docs.microsoft.com/en-us/powershell/module/bitlocker/enable-bitlocker?view=win10-ps) to do this, but I keep getting errors that I can't find info about.

    These are commands that I have been trying to use:

    PS C:\> $pass= ConvertTo-SecureString "Passw0rd" -AsPlainText -Force

    PS C:\Windows\system32> Enable-BitLocker -MountPoint "E:" -EncryptionMethod Aes256 -UsedSpaceOnly -Password $pass

    PS C:\Windows\system32> Enable-BitLocker -MountPoint E:\ -EncryptionMethod Aes128 -Password $pass -PasswordProtector
    
    Add-PasswordProtectorInternal : This key protector cannot be added. Only one key protector of this type is allowed for this drive.
    (Exception from HRESULT: 0x80310031)
    At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:2091 char:31
    + ...   $Result = Add-PasswordProtectorInternal $BitLockerVolumeInternal.Mo ...
    +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Write-Error], COMException
        + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Add-PasswordProtectorInternal

    Also, I get this output:

    Enable-BitLockerInternal : Value does not fall within the expected range.
    At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:3733 char:48
    + ... eInternal = Enable-BitLockerInternal -MountPoint $BitLockerVolumeInte ...
    +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Write-Error], ArgumentException
        + FullyQualifiedErrorId : System.ArgumentException,Enable-BitLockerInternal

    Command that I used to create the VHD/X (This command works perfectly):

    $vhdpath = "D:\TestWinApp\EncryptedStorage\test.vhd"
    $vhdsize = 20GB
    New-VHD -Path $vhdpath -Dynamic -SizeBytes $vhdsize | Mount-VHD -Passthru |Initialize-Disk -Passthru |New-Partition -AssignDriveLetter -UseMaximumSize |Format-Volume -FileSystem NTFS  -NewFileSystemLabel 'Test1' -Confirm:$false -Force

    If I turn on BitLocker using "BitLocker Drive Encryption" in control panel or right click over the mounted drive using the file explorer, everything works pretty okay, but I want to do this using Powershell with commands (Without asking any input).

    I'm sorry if this is not the right place to ask this, I didn't find another forum related with PowerShell.

    PS: Sorry for putting the link in that way, I can't insert links, looks like I'm not a verified account

    Thanks for any advice!



    Saturday, March 9, 2019 8:53 PM

All replies

  • It appears to already be encrypted.  VHDs and VHDX files are encrypted.   You cannot re-encrypt them.


    \_(ツ)_/

    Saturday, March 9, 2019 9:41 PM
  • Hi, thanks for replying!

    VHD\X can be encrypted using BitLocker. Actually, when you mount a VHD\X by double-clicking it or using PowerShell or any other tool and then you open the file explorer, you can right-click over the drive and enable BitLocker there.

    Before encrypting (E: is a VHDX):

    PS C:\Windows\system32> get-bitlockervolume

       ComputerName:

    VolumeType      Mount CapacityGB VolumeStatus   Encryption KeyProtector
                    Point                           Percentage
    ----------      ----- ---------- ------------   ---------- ------------
    OperatingSystem C:        237.08 FullyEncrypted 100        {Tpm, RecoveryPassw...
    Data            D:        931.51 FullyEncrypted 100        {RecoveryPassword, ...
    Data            E:         19.98 FullyDecrypted 0          {}



    Same PowerShell command after enabling BitLocker using the GUI ("Get-BitLockerVolume"):

    PS C:\Windows\system32> get-bitlockervolume

       ComputerName:

    VolumeType      Mount CapacityGB VolumeStatus   Encryption KeyProtector
                    Point                           Percentage
    ----------      ----- ---------- ------------   ---------- ------------
    OperatingSystem C:        237.08 FullyEncrypted 100        {Tpm, RecoveryPassw...
    Data            D:        931.51 FullyEncrypted 100        {RecoveryPassword, ...
    Data            E:         19.98 FullyEncrypted 100        {Password, Recovery...

    The problem with the VHD\X files is that I can mount and access data on any computer, so I can copy the VHD\X file and mount it on any other computer without problems and access the data. With BitLocker enabled, I can mount it but I will not be able to access the data inside without entering the password.

    That's essentially what I want to do, enable BitLocker using Powershell, but I keep getting the output I shared in the first post.


    Thanks for taking the time to reply!


    Monday, March 11, 2019 1:15 AM
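
Added example, not part of any post in this thread: one non-interactive way to enable BitLocker with a password protector on an already mounted VHD/X volume, checking the volume's existing key protectors first. `Enable-VhdBitLocker` is a hypothetical helper name; the script assumes the 0x80310031 error quoted above comes from a Password protector left on the volume by an earlier attempt, and that the calling app supplies the password as a SecureString.

```powershell
#Requires -RunAsAdministrator
# Added example: Enable-VhdBitLocker is a hypothetical helper, not a built-in cmdlet.
function Enable-VhdBitLocker {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $MountPoint,  # e.g. 'E:' (mounted VHD/X volume)
        [Parameter(Mandatory)] [securestring] $Password
    )
    $ErrorActionPreference = 'Stop'

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Never touch protectors on a volume that is already (being) encrypted.
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning "$MountPoint is $($vol.VolumeStatus); leaving it unchanged."
        return $vol
    }

    # Assumption: an earlier failed attempt left a Password protector behind.
    # BitLocker allows only one protector of that type, so remove leftovers
    # before adding the new one.
    $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'Password' |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $_.KeyProtectorId | Out-Null
        }

    # -PasswordProtector selects the password parameter set explicitly.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
        -UsedSpaceOnly -PasswordProtector -Password $Password | Out-Null

    # Optional addition: a recovery password, so a forgotten password does
    # not make the container unrecoverable. Store it outside the VHD/X.
    Add-BitLockerKeyProtector -MountPoint $MountPoint `
        -RecoveryPasswordProtector -WarningAction SilentlyContinue | Out-Null

    # Return the final state so the caller can check VolumeStatus and KeyProtector.
    Get-BitLockerVolume -MountPoint $MountPoint
}

# Usage ($pw is a SecureString provided by the calling application):
#   Enable-VhdBitLocker -MountPoint 'E:' -Password $pw |
#       Select-Object MountPoint, VolumeStatus, KeyProtector
```

The returned object carries the same `VolumeStatus` and `KeyProtector` fields shown in the `Get-BitLockerVolume` output above, so the caller can confirm that both a Password and a RecoveryPassword protector are present.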
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee


    Just do it.

    Tuesday, April 9, 2019 1:33 PM