BitLocker Unlock drives on boot

  • Question

  • I am new to BitLocker. I have some sensitive data on a customer's server and have encrypted the drive with BitLocker. I ideally want to unlock the drive on boot, so I am using this script, run by Task Scheduler on startup:

    cscript C:\Windows\System32\manage-bde.wsf -unlock m: -recoverypassword RECOVERYPASSWORD

    Is this defeating the point of having BitLocker because the recovery password is stored there in plain text? Is there another way of securely unlocking the drive on boot? 

    Thanks

    Dave


    Tuesday, November 24, 2015 9:23 AM

Answers

  • Hi Dave,

    The "auto unlock" relies on encrypting the system drive, as you said, which is for security reasons. We must input a PIN/smart card etc. to unlock, or it will lose the meaning of using BitLocker.

    To answer your question: if you use a script with a password in plain text, any user who can log on to that computer could get the file and unlock the drive. Or if someone can unplug the hard disk and connect it to another computer, the file is also unsafe.


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by Triumphtech Monday, November 30, 2015 12:30 PM
    Thursday, November 26, 2015 4:30 AM
    Moderator
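    The exposure the moderator describes (a recovery password sitting in plain text in a startup task) is easy to audit for. The following PowerShell is an added example, not code from the thread: it walks every scheduled task and flags actions that invoke manage-bde with -recoverypassword (or its documented short form -rp), printing the task with the password value redacted. It assumes the ScheduledTasks module (Windows 8 / Server 2012 or later) and that the password is passed on the command line as in the original task.

```powershell
# Added example (not from the thread). Audits scheduled tasks for actions that pass
# a BitLocker recovery password on the command line. Requires the ScheduledTasks
# module (Windows 8 / Server 2012 or later); run in an elevated session to see
# tasks registered by other users.
$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        # manage-bde.wsf / manage-bde.exe called with -recoverypassword or -rp
        if ($cmd -match '(?i)manage-bde.*-(recoverypassword|rp)\b') {
            [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                RunAs    = $task.Principal.UserId
                # Redact the secret so the audit output is safe to share
                Command  = ($cmd -replace '(?i)(-(recoverypassword|rp))\s+\S+', '$1 <redacted>')
            }
        }
    }
}

if ($findings) {
    Write-Warning "Scheduled task(s) embed a BitLocker recovery password on the command line:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No scheduled tasks pass a BitLocker recovery password on the command line."
}
```

    If the password lives inside a batch or script file that the task merely launches, the task action only shows the script path; in that case extend the check to read the referenced file, or simply treat any startup task that calls manage-bde -unlock as something to review. The remediation is the one given in the thread: protect the OS volume and use Enable-BitLockerAutoUnlock instead of a stored recovery password.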

All replies

  • Hi Dave,

    BitLocker supports auto unlock if it is not the system volume. When we unlock the system volume, it will automatically unlock the volume you set.

    This means you need to encrypt the system volume first, which means you still need to type a password at boot-up. You can, however, set it to start with a USB flash drive to help boot up automatically.

    Enable-BitLockerAutoUnlock -MountPoint "E:"

    https://technet.microsoft.com/en-us/%5Clibrary/jj649838(v=wps.630).aspx


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, November 25, 2015 9:22 AM
    Moderator
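    To show the prerequisite the moderator describes in practice, here is an added PowerShell example (not code from the thread or from Microsoft's documentation). It refuses to enable auto-unlock unless the operating system volume is already BitLocker-protected, checks that the data volume is fully encrypted, and then calls Enable-BitLockerAutoUnlock on it. The data drive letter E: is an assumption; change it to the volume in question.

```powershell
# Added example (not from the thread). Assumes the BitLocker PowerShell module
# (Windows 8 / Server 2012 or later), an elevated session, and that the data
# volume is already encrypted. $DataVolume is an assumed drive letter.
param(
    [string]$DataVolume = "E:"
)

# Auto-unlock keys are stored on the OS volume, so it must be protected first;
# otherwise the data volume's key would sit on an unprotected disk.
$os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
if (-not $os -or $os.ProtectionStatus -ne 'On') {
    throw "Auto-unlock requires the OS volume to be BitLocker-protected (e.g. TPM or TPM+PIN); protect it first."
}

$data = Get-BitLockerVolume -MountPoint $DataVolume
if ($data.VolumeStatus -ne 'FullyEncrypted' -or $data.ProtectionStatus -ne 'On') {
    throw "$DataVolume must be fully encrypted with protection on before enabling auto-unlock."
}

if (-not $data.AutoUnlockEnabled) {
    # Adds an external key protector to the data volume and stores its key in the
    # OS volume's metadata; the data volume then unlocks when the OS volume does.
    Enable-BitLockerAutoUnlock -MountPoint $DataVolume | Out-Null
}

# Report the resulting state for the change record
Get-BitLockerVolume -MountPoint $DataVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, AutoUnlockEnabled
```

    Because the auto-unlock key is bound to the OS volume, a data disk pulled and attached to another machine stays locked, which is the property the original script lacked. On a VM the OS volume can still be protected by a virtual TPM if the hypervisor provides one, or by a startup key, whichever the environment supports.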
  • Thanks for the response. Are you saying I can only auto unlock my data drive if I am encrypting system drives too? I don't really want to encrypt my system drives.

    These are VMs, so a flash drive probably won't help me here, or do I have that wrong?

    Can you answer my question, though, as to whether my current unlock method is insecure?

    Thanks

    Dave

    Wednesday, November 25, 2015 4:46 PM