Sunday, 9 April 2017

System startup script to auto unlock BitLocker encrypted drive

Or, Auto-unlock a BitLocker-encrypted drive without logging in to Windows
Or, BitLocker-encrypted drive auto-unlock at system reboot
Or, How to set up a system startup script on Windows machines

Description: If the OS disk is encrypted with BitLocker, the TPM PIN or password is prompted for at the startup screen, and once you enter it you are in. The problem is a second, data drive that is also BitLocker-encrypted and protected with a password.

Every time the system reboots you have to enter the BitLocker password for that drive manually, or, if you have enabled auto-unlock, the drive is unlocked as soon as you log in with your Windows credentials.

Imagine the situation where you have enabled BitLocker on the data drive of some servers and those servers reboot because of a failure or for any other reason. Even with auto-unlock enabled on that drive, it will not be unlocked until someone logs in to Windows, because that is what triggers the auto-unlock.

Scenario: I have a server running Windows Server 2012 R2 with two drives (C:\ OS disk and D:\ data disk). The data disk is encrypted with BitLocker (password protector) and the auto-unlock option is enabled on it.

Whenever there is a system reboot, I have to log in to the server to make sure the drive is auto-unlocked and the data is accessible. This auto-unlock feature is user-based: a user for whom auto-unlock is not enabled on this drive has to enter the BitLocker password manually after logging in to Windows.

Problem: Whenever there is a system failure and nobody is available to log in to the server, the encrypted data drive is not unlocked and its data remains inaccessible until someone logs in.

Solution/Workaround: We can use the manage-bde command-line tool in a computer startup script to unlock the encrypted data drive at system startup. Computer startup scripts run as Local System before anyone logs on, so the drive is unlocked whether the reboot was expected or not and whether or not somebody logs in afterwards.

Two caveats before you follow the steps. First, the startup script holds the 48-digit recovery password in clear text, so the data drive is only as protected as that file's ACL and the OS volume it sits on: on an unencrypted OS disk, anyone with offline access to the disks can read the script and unlock the data drive, which is exactly what BitLocker on the data drive was supposed to prevent. Restrict the script to SYSTEM and Administrators, and replace the recovery password protector if the file is ever exposed. Second, as the comments below point out, when the OS volume itself is BitLocker-protected with a TPM, data-volume auto-unlock is system-wide and already happens at boot without a logon; this workaround is mainly useful where the OS volume is not protected, for example virtual machines without a TPM.

Prerequisites:
BitLocker recovery key (the 48-digit recovery password saved when the drive was encrypted)
Administrative access on the server to edit the local group policy (gpedit.msc)
Basic knowledge of local Group Policy and .bat scripts

Steps: Setting up data drive auto-unlock at system startup

Open the BitLocker recovery key file and copy the 48-digit recovery password (eight groups of six digits separated by hyphens).
Prepare a small .bat script from the example below:

@echo off
rem Unlock the BitLocker-protected data drive with its recovery password.
rem Replace D: with the drive letter of your data drive.
manage-bde -unlock D: -RecoveryPassword xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx

Paste the above into a Notepad file and save it with the .bat extension. Replace the xxxxxx groups with your encrypted data drive's recovery password (no spaces, hyphens between the groups) and D: with the drive letter of the data drive.
In my case, the script file name is test.bat

Now, on the local server, open Run (Win+R) and start gpedit.msc

Navigate to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) > double-click Startup

From the Startup properties, click Show Files…

This opens the folder where the local startup scripts are kept (under %SystemRoot%\System32\GroupPolicy\Machine\Scripts\Startup). Paste your .bat file here. In my case, it's test.bat.

Now go back to the Startup properties > click Add

Click Browse

Select the .bat script file > click Open > click OK

Click Apply > click OK

That's it, you are done setting up auto-unlocking of the BitLocker-encrypted data drive. After the next reboot, log in without entering the drive's password and run manage-bde -status D: to confirm that the data drive is reported as unlocked.
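The startup script in this post is a one-line .bat with the recovery password inline. Below is a PowerShell version of the same startup step, added here as an example and not part of the original post: it keeps the recovery password in a separate file, refuses to use that file unless its ACL is limited to SYSTEM and Administrators, skips the unlock when the volume is already unlocked, and records the outcome in the Application event log. The key-file path, the event source name and the script name are assumptions for the example; Get-BitLockerVolume and Unlock-BitLocker are the BitLocker PowerShell module cmdlets that ship with the BitLocker feature on Windows Server 2012 R2.

```powershell
# Unlock-DataVolume.ps1 -- added example; not the original post's test.bat.
# Assumptions (not from the post): the recovery password is stored on one line in
# C:\ProgramData\BitLockerUnlock\D.key, and this file runs as a Computer
# Configuration startup script, i.e. as LOCAL SYSTEM before anyone logs on.
param(
    [string]$MountPoint = 'D:',
    [string]$KeyFile    = 'C:\ProgramData\BitLockerUnlock\D.key'
)

$ErrorActionPreference = 'Stop'
Import-Module BitLocker          # cmdlets come with the BitLocker feature
$Source = 'BitLockerUnlock'      # event source name; an assumption for this example

function Write-UnlockLog {
    param([string]$Message, [string]$EntryType = 'Information')
    # Registering the event source is a one-time operation.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }
    Write-EventLog -LogName Application -Source $Source -EventId 1000 `
        -EntryType $EntryType -Message $Message
}

# One-time hardening, run by an administrator after creating the key file:
# drop inherited ACEs and leave only SYSTEM and Administrators with access.
function Protect-KeyFile {
    param([string]$Path)
    icacls $Path /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(F)' 'BUILTIN\Administrators:(F)' | Out-Null
}

# Refuse to use a key file that any other principal is allowed to read.
function Test-KeyFileAcl {
    param([string]$Path)
    $allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $allowed -notcontains $ace.IdentityReference.Value) {
            return $false
        }
    }
    return $true
}

function Get-RecoveryPassword {
    param([string]$Path)
    $pw = (Get-Content -Path $Path -Raw).Trim()
    # A BitLocker recovery password is eight groups of six digits joined by hyphens.
    if ($pw -notmatch '^(\d{6}-){7}\d{6}$') {
        throw "$Path does not contain a 48-digit recovery password"
    }
    return $pw
}

function Unlock-DataVolume {
    param([string]$MountPoint, [string]$KeyFile)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -eq 'Unlocked') {
        Write-UnlockLog "$MountPoint is already unlocked; nothing to do."
        return $true
    }
    if (-not (Test-KeyFileAcl -Path $KeyFile)) {
        Write-UnlockLog "$KeyFile is readable by principals other than SYSTEM/Administrators; refusing to unlock $MountPoint." 'Error'
        return $false
    }
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword (Get-RecoveryPassword -Path $KeyFile) | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -eq 'Unlocked') {
        Write-UnlockLog "$MountPoint unlocked by startup script."
        return $true
    }
    Write-UnlockLog "Unlock-BitLocker returned but $MountPoint is still locked." 'Error'
    return $false
}

try {
    if (Unlock-DataVolume -MountPoint $MountPoint -KeyFile $KeyFile) { exit 0 } else { exit 1 }
} catch {
    Write-UnlockLog "Startup unlock of $MountPoint failed: $($_.Exception.Message)" 'Error'
    exit 1
}
```

To wire it in, create the key file as an administrator, run the icacls line from Protect-KeyFile once against it, then either add the .ps1 on the PowerShell Scripts tab of the same Startup properties dialog, or keep the .bat from the steps above and have it call powershell.exe -NoProfile -ExecutionPolicy Bypass -File with the path of the script. The ACL check is the point of the exercise: the recovery password is the key to the whole drive, so the script should not run at all if the file that holds it has drifted back to the default, inherited, world-readable permissions.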

Updated: 07/05/2017
IMP Note: Even though a TPM-based BitLocker protector is not available for the boot disk of a virtual machine without a virtual TPM, you can still encrypt the VM's boot drive with a password or startup-key protector if you wish to. The startup password prompt and drive unlocking then work the same as on physical hardware.

Cheers, please write me back if you have any query or feedback on this.

6 comments:

  1. Thank you for this post!! I've taken your idea and made it more secure by using AutoIt to create an .exe that in turn runs upon startup via gpedit/startup scripts :)

    1. That's great. Thanks a lot for your feedback, input and improvement efforts. Appreciate it.

  2. Sorry, but this info is wrong. Auto-unlock is per system, not per user. Other protectors (SID protectors) are per user, but not this one. Simply use auto-unlock (yes, we use it ourselves that way on multiple Server 2012 R2). No need for action.

  3. Hey Bernd, thanks for writing me back. Auto-unlock is per system only for the OS drive (not for a data drive, e.g. D:\). Encrypted data drive auto-unlock works per user profile.

    In this article, the workaround is explained about Data drive (D:\ Or E:\ etc..).

    If the data disk is encrypted and user-1 has set the drive to auto-unlock, whenever a server reboot takes place the encrypted data drive will be unlocked only when user-1 logs in to the server. And this has to be repeated on every reboot.

    Imagine if user-1 is not available when the server reboot was done. Yes, the available user-2 will try to log in to the server, but the data drive will not be auto-unlocked. User-2 will have to unlock it manually and then set the drive's auto-unlock option for his/her profile as well, so that from the next reboot onward user-2 can also enjoy auto-unlocking of the encrypted data drive.

    Just for my own reassurance, I have tested this function in the lab again and it is exactly what I explained in this article.

    Thanks again for your valuable inputs.

  4. Auto-unlock functions as Bernd says only if the OS disk is encrypted. On physical hardware which contains a TPM module, it works without user intervention; in virtual machines (specifically ESX; Hyper-V allows the TPM module to be emulated) you cannot encrypt the OS disk without requiring a USB key or password entered at boot.

    Using Bitlocker to encrypt the data drive without the system drive encrypted requires the workaround described here.

    1. Hi Nathan, thanks for your valuable inputs.