Filed under (Miscellaneous, Computer tips, Applications of cryptography, Disk encryption, Difficulty level, Easy) by Matthias Hamann on 30 August 2008 at 16:49.

BitLocker Drive Encryption is a feature of Windows Vista Ultimate and Windows Server 2008 which offers full disk encryption at the level of logical volumes (e.g., C:). As it uses 128-bit AES by default, and the only publicly known way to defeat programs like BitLocker or TrueCrypt (if properly configured) is the famous (but easily preventable) cold boot attack, I’d really recommend using it if you are not a follower of the “Microsoft is pure evil” cult. Needless to say, even the strongest disk encryption is only as good as the password or key mechanism you use. In the following, I will describe a little-known option which was introduced with Service Pack 1 for Vista and makes attacks based on keyloggers or stolen USB sticks considerably harder.

Most likely, someone who wants to get hold of your encrypted data will neither try to break the encryption algorithm nor its implementation. Instead, he will try to defeat the authentication mechanism by eavesdropping on your password (“what you know”) or stealing your physical key (“what you have”). In its initial version, BitLocker forced you to choose between TPM¹ only, TPM + PIN, TPM + USB Key or USB Key only. So it was either something you knew (your PIN) or something you had (your USB key) which protected your data and made BitLocker decrypt your volumes on the fly as you booted your computer.

To the great relief of any paranoid encryption junkie, Microsoft decided to add another mode, which requires TPM + PIN + USB Key to start up your computer. This feature was introduced with Service Pack 1 for Vista and makes it really hard for an attacker to get hold of your authentication details if you don’t write your PIN on your USB stick or get “questioned” by someone with a blow torch and a pair of pliers.

So how does it work? Well, although there is no GUI option for this new mode, it’s surprisingly simple to activate:

  1. Click on the Vista logo / start button.
  2. Type cmd in the search box and do NOT hit enter.
  3. Right-click on the command prompt item (cmd.exe) and select “Run as administrator” from the context menu.
  4. Enter cscript manage-bde.wsf -on c: -rp -rk d: -tpsk -tp 1234567 -tsk e: and hit enter.
    (“c:” is the drive which you want to encrypt, i.e. your OS volume; “d:” is the drive on which the recovery key will be stored; “1234567” is your secret PIN, which can consist of up to 20 digits; “e:” is your USB key.)
  5. Write down the recovery password and hide it at a SAFE location (e.g., under your keyboard ;-) ).
  6. Type exit and hit enter.
  7. DONE!

That’s it! I’d strongly recommend leaving your computer in peace until BitLocker has finished encrypting your drive, although the manual states that you can even reboot without causing any trouble. Well, I’m not exactly sure that an accidental BSOD (Blue Screen of Death) caused by your favorite first-person shooter won’t interfere with the encryption process…

Upon the next reboot, you will be asked for your secret PIN and the USB key, providing you with the maximum level of authentication-based security which BitLocker has to offer at the moment.

Footnotes:
  1. The Trusted Platform Module’s job is to detect if there are unauthorized changes to the pre-boot environment.


12 Comments
  1. ThisDoesntWork says:

    Doesn’t seem to work. Error:

    ERROR: There was an error while trying to protect the volume with a TPM and a
    PIN and a Startup Key. (code 0x80310004)

  2. This BitLocker is really annoying. I don’t have a Vista installer, so I can’t remove BitLocker.

    • I guess your comment was written in Filipino but unluckily the translation produced by Google doesn’t make any sense to me.

      In case you asked for help relating to BitLocker, please re-write your question in English and I’ll do my best to answer it.

  3. Robert says:

    How does one add an additional protector to an existing Bitlocker installation?

    All the MS documentation I’ve seen relating to Bitlocker with TPM states you can have:

    * TPM
    * TPM + PIN
    * TPM + Startup Key

    but not

    * TPM + PIN + Startup Key

    See http://technet.microsoft.com/en-us/library/cc766295.aspx

    “On the Set BitLocker startup preferences page, select the startup option you want. You can choose only one of these options:

    * No additional security.

    * Require PIN at every startup. You will see the Set the startup PIN page. Enter your PIN, confirm it, and then click Set PIN.

    * Require Startup USB key at every startup. You will see the Save your Startup Key page. Insert your USB flash drive, choose the drive location, and then click Save.”

    Obviously some of those concerned about security would want maximum protection (that is: “TPM + PIN + Startup Key”). Microsoft should enable this as an option in the Bitlocker setup (or at least provide instructions on how to enable this so that it is a supported option).

    • 1.) Make sure there is a recovery password for your encrypted OS volume!

      2.) Use the command cscript manage-bde.wsf -protectors -delete c: (with appropriate parameters!) to remove the old “TPM + PIN / Startup Key” protector.

      3.) Add a new protector via cscript manage-bde.wsf -protectors -add c: -tpsk -tp 1234567 -tsk e: (“c:” is your OS volume, “1234567” the new password and “e:” your USB stick).

      • Robert says:

        Here’s an update on this:

        I followed the aforementioned instructions carefully.

        ** THE 1ST COMMAND:
        cscript manage-bde.wsf -protectors -delete X:

        Resulted in the following:

        Volume C: [VistaOS]
        All Key Protectors

        TPM And Startup Key:
        ID: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
        External Key File Name:
        XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.BEK

        Recovery Key:
        ID: {YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY}
        External Key File Name:
        YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY.BEK

        Numerical Password:
        ID: {ZZZZZZZZ-ZZZZ-ZZZZ-ZZZZ-ZZZZZZZZZZZZ}
        Password:
        NNNNNN-NNNNNN-NNNNNN-NNNNNN-NNNNNN-NNNNNN-NNNNNN-NNNNNN

        Key protector with ID “{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}” deleted.
        Key protector with ID “{YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY}” deleted.
        Key protector with ID “{ZZZZZZZZ-ZZZZ-ZZZZ-ZZZZ-ZZZZZZZZZZZZ}” deleted.

        NOTE: Key protectors have been disabled on volume C: to allow continued access to BitLocker-encrypted data.

        Type “manage-bde -protectors -enable C:” to re-enable any new key protectors that are added.

        ** THE 2ND COMMAND:
        cscript manage-bde.wsf -protectors -add X: -tpsk -tp 1234567 -tsk E:

        Resulted in the following:

        Key Protectors Added:

        TPM And PIN And Startup Key:
        ID: {AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA}
        External Key File Name:
        AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA.BEK

        Saved to directory e:

        After reboot I found that BitLocker remained off and so via the Control Panel I re-enabled it. After another reboot I can confirm that I was asked for the PIN and for the USB startup key. Thanks for that!

        However, the aforementioned actions created a new problem: I’m now unable to create and thus save a recovery key. This means that if I ever have PC trouble and need to move that c: drive to another machine for data recovery, I’m unable to.

        From Control Panel, if I go to “Manage BitLocker Keys”, I receive a dialog box “Select Keys to Manage”, however there’s an additional message “There are no keys to duplicate for this volume.”

        This is a real worry.

        I rebooted again to see if I could go into BitLocker Recovery Mode (in an effort to see if my previous “Numerical Password” might be accepted) – but it cannot be entered, as now the machine fails to enter Recovery Mode.

        Instead, it enters “Windows Boot Manager” with information:

        Files: \Windows\system32\winload.exe
        Status: 0XC0210000
        Info: The action could not be completed because the BitLocker Drive Encryption key required to unlock the volume could not be obtained.

        An online search for these error messages reveals very little of assistance. Exiting from Boot Manager allowed me to successfully enter the PIN and startup key as per normal.

        I’m convinced that there’s an easy fix for this – it’s just a matter of finding what that is.

        Do you know why I now have no Recovery Password or how I might generate one? It’s too much of a data loss risk to not have a recovery password.

        Thanks in advance for any assistance you may be able to provide.

      • Robert says:

        Another point, your suggestion in (1):

        1.) Make sure there is a recovery password for your encrypted OS volume!

        This is great, however, once you submit (2) the protectors will be deleted.

        2.) Use the command cscript manage-bde.wsf -protectors -delete c:

        Thus the recovery password would be of no use.

        A better way would be:

        cscript manage-bde.wsf -protectors -delete c: -Type TPMAndStartupKey
        cscript manage-bde.wsf -protectors -add c: -TPMAndPinAndStartupKey

        Thanks to Matthias and to the Microsoft employee who assisted me with this.

        The understanding I’ve gained today about how BitLocker operates has grown exponentially.

  4. Robert says:

    Resolved this by way of:

    cscript manage-bde.wsf -protectors -add c: -recoverypassword
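As an added example (not code from the original post, the comment authors or Microsoft), the following PowerShell script automates the step list in the post and the safer protector-migration order the thread above arrives at: make sure a numerical recovery password exists, delete only the TPM-based protector, add the TPM + PIN + Startup Key protector, then re-enable protection. It assumes Windows PowerShell 2.0 driving Vista SP1’s cscript-hosted manage-bde.wsf (on Windows 7 and later a plain manage-bde works the same way), and it assumes that -protectors -delete accepts an -id switch alongside the -type form used in the comments. Drive letters and the PIN are placeholders.

```powershell
# Added example, not code from the original post or from Microsoft: migrates an
# existing BitLocker OS volume to the TPM + PIN + Startup Key protector without
# ever leaving the volume with no recovery protector. Assumes Windows PowerShell
# 2.0 and Vista SP1's cscript-hosted manage-bde.wsf; the "-id" switch of
# "-protectors -delete" is assumed. Drive letters and the PIN are placeholders.

$ManageBde = Join-Path $env:SystemRoot 'System32\manage-bde.wsf'

function Invoke-ManageBde {
    param([string[]]$Arguments)
    # Run one manage-bde.wsf command and return its output lines; a non-zero exit
    # code or an "ERROR:" line (the tool's failure format) is treated as fatal.
    $output = & cscript.exe //nologo $ManageBde @Arguments 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0 -or ($output -match '^ERROR:')) {
        throw "manage-bde $Arguments failed:`n$($output -join "`n")"
    }
    return $output
}

function Get-KeyProtectors {
    param([string]$Volume)
    # Parse "-protectors -get" into Type/Id pairs. Each protector is printed as a
    # label line ending in ':' ("TPM And Startup Key:", "Numerical Password:")
    # followed by an "ID: {GUID}" line, as in the listing quoted in the comments.
    $protectors = @()
    $currentType = $null
    foreach ($line in Invoke-ManageBde @('-protectors', '-get', $Volume)) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^ID:\s*(\{[0-9A-Fa-f-]{36}\})$') {
            if ($currentType) {
                $protectors += New-Object PSObject -Property @{ Type = $currentType; Id = $Matches[1] }
            }
        } elseif ($trimmed.EndsWith(':')) {
            $label = $trimmed.TrimEnd(':')
            # Value labels also end in ':'; they are not protector types.
            if (@('ID', 'Password', 'External Key File Name') -notcontains $label) {
                $currentType = $label
            }
        }
    }
    return ,$protectors
}

function Set-TpmPinStartupKeyProtector {
    param(
        [string]$Volume = 'C:',
        [string]$Pin,
        [string]$StartupKeyDrive = 'E:\',
        [string]$RecoveryKeyDrive = 'D:\'
    )
    # BitLocker PINs are numeric, 4 to 20 digits.
    if ($Pin -notmatch '^\d{4,20}$') { throw 'PIN must be 4 to 20 digits.' }
    $before = Get-KeyProtectors $Volume

    # 1. Never delete a protector while it is the only way back into the volume:
    #    make sure a numerical recovery password exists first.
    if (-not ($before | Where-Object { $_.Type -eq 'Numerical Password' })) {
        Invoke-ManageBde @('-protectors', '-add', $Volume, '-rp', '-rk', $RecoveryKeyDrive) | Write-Host
        Write-Warning 'A recovery password was just created; record it before continuing.'
    }

    # 2. Remove only the TPM-based protector(s), by ID. An unfiltered -delete, as
    #    in the first reply above, removes the recovery protectors as well.
    foreach ($p in @($before | Where-Object { $_.Type -like 'TPM*' })) {
        Invoke-ManageBde @('-protectors', '-delete', $Volume, '-id', $p.Id) | Out-Null
    }

    # 3. Add TPM + PIN + Startup Key (same switches as the post's -on command).
    Invoke-ManageBde @('-protectors', '-add', $Volume, '-tpsk', '-tp', $Pin, '-tsk', $StartupKeyDrive) | Out-Null

    # 4. Deleting a protector disables protection on the volume; turn it back on.
    Invoke-ManageBde @('-protectors', '-enable', $Volume) | Out-Null

    return Get-KeyProtectors $Volume
}

# Usage (elevated prompt, USB key inserted as E:):
# Set-TpmPinStartupKeyProtector -Volume 'C:' -Pin '1234567' -StartupKeyDrive 'E:\' -RecoveryKeyDrive 'D:\'
```

The returned list is worth checking by eye after the run: it should contain a “TPM And PIN And Startup Key” entry next to the untouched “Numerical Password” and “Recovery Key” entries, which is exactly the state the thread above had to recover by adding -recoverypassword afterwards.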

  5. sam says:

    Hi

    I have a problem. When I finish the cscript part and then restart, it asks me to key in the password and my USB key, then it starts to encrypt automatically and I wait until it finishes. After that I restart again and it is not asking me to key in my password; with only my USB key I am able to log in to Windows. Can you help?
    Thanks

    • sam says:

      Here is my command:
      1. cscript manage-bde.wsf -protectors -delete c: (to delete all the keys first)

      2. cscript manage-bde.wsf -protectors -add c: -tpsk -rp -rk e: -tp 123456 -tsk e: (add recovery key + PIN + USB key)

      3. Go to Control Panel, turn BitLocker on and restart.

      4. When it restarts it does not ask me to key in the TPM PIN; it detects my USB startup key and logs in to Windows. <——

      If I use cscript manage-bde.wsf -protectors -add c: -tpsk -tp 123456 -tsk e: (only PIN + USB key, without a recovery password) it is tested and works so far.

      Why can’t I utilize TPM + PIN + USB key as mentioned? Can you please help? Thanks.

  6. Jarrod Foster says:

    I am looking for a resource to unlock a locked BitLocker portable USB drive that I have the key for. Unfortunately there was a series of errors when the BitLocker driver was trying to write metadata onto the drive. Due to this, using the BitLocker decryption is of no use.
    I have found several articles pertaining to decrypting it manually but have no knowledge of this.
    Any and all help you can provide would be helpful.
