Windows Bitlocker and automatic unlock password storage safety


I see you've also posted the same query here and here, and have already received some sort of standard response. Anyway, it's an interesting question and here's what I found. As the BitLocker Drive Encryption in Windows 7: Frequently Asked Questions page states,

Automatic unlocking for fixed data drives requires that the operating system drive also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked.

Of course, this does not apply to you as you are using BitLocker To Go to encrypt removable data drives. For you, the following is relevant:

In Windows 7, you can unlock removable data drives by using a password or a smart card. After you've started encryption, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users, as well as password complexity and minimum length requirements.

Also,

For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking Manage BitLocker. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers.

and

Removable data drives can be set to automatically unlock on a computer running Windows 7 after the password or smart card is initially used to unlock the drive. However, removable data drives must always have either a password or smart card unlock method in addition to the automatic unlock method.

So now we know how automatic unlocking can be configured for removable data drives, and how such drives can be unlocked on other PCs as well. But what are the keys BitLocker uses, and where are they stored? As the BitLocker Keys section of the Keys to Protecting Data with BitLocker Drive Encryption article states:

The [volume's] sectors themselves are encrypted using a key called the Full-Volume Encryption Key (FVEK). The FVEK, though, is not used by or accessible to users. The FVEK is in turn encrypted with a key called the Volume Master Key (VMK). This level of abstraction gives some unique benefits, but can make the process a bit more difficult to understand. The FVEK is kept as a closely guarded secret because, if it were to be compromised, all of the sectors would need to be re-encrypted. Since that would be a time-consuming operation, it’s one you want to avoid. Instead, the system works with the VMK. The FVEK (encrypted with the VMK) is stored on the disk itself, as part of the volume metadata. Although the FVEK is stored locally, it is never written to disk unencrypted. The VMK is also encrypted, or "protected," but by one or more possible key protectors. The default key protector is the TPM.

So the VMK is again encrypted by one or more key protectors. These can be the TPM, a password, a key file, a data recovery agent certificate, a smart card etc. Now when you choose to enable automatic unlocking for a removable data drive, the following auto-unlock registry key is created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock

Next yet another key protector of type "External Key" is created and stored at that registry location as:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock\{GUID}


The key and metadata to be stored in the registry are encrypted using the CryptProtectData() DPAPI function using the current user's login credentials and Triple DES (OTOH the actual data on the encrypted volume is protected with either 128-bit or 256-bit AES and optionally diffused using an algorithm called Elephant).

The external key can only be used with the current user account and machine. If you switch to another user account or machine, the FveAutoUnlock GUID values are different.
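As an added illustration (my own script, not part of the answer above or anything from Microsoft), here is a PowerShell audit that checks the two points the answer rests on: that whatever sits under the FveAutoUnlock key is a DPAPI blob rather than plaintext, and that each auto-unlocking volume still keeps a password or smart-card protector alongside the external key. It assumes Windows 8 / Server 2012 or later with the BitLocker PowerShell module; the exact layout of the values under FveAutoUnlock is an assumption, so the script simply inspects every binary value it finds there.

```powershell
# Added example, not from the original answer or from Microsoft: audit BitLocker
# auto-unlock material from a defender's point of view.
# Assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later).
# The value layout under FveAutoUnlock is assumed, not documented, so every
# binary value under the key (and its {GUID} subkeys) is inspected.

$autoUnlockPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock'

# CryptProtectData output starts with a version DWORD (1) followed by the DPAPI
# provider GUID {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in little-endian byte order.
$dpapiHeader = [byte[]](0x01,0x00,0x00,0x00,
                        0xD0,0x8C,0x9D,0xDF,0x01,0x15,0xD1,0x11,
                        0x8C,0x7A,0x00,0xC0,0x4F,0xC2,0x97,0xEB)

function Test-DpapiBlob {
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -lt $dpapiHeader.Length) { return $false }
    for ($i = 0; $i -lt $dpapiHeader.Length; $i++) {
        if ($Bytes[$i] -ne $dpapiHeader[$i]) { return $false }
    }
    return $true
}

# 1. Registry side: each stored value should be a DPAPI blob, i.e. unreadable
#    without this user's logon secret on this machine.
if (Test-Path $autoUnlockPath) {
    $keys = @(Get-Item $autoUnlockPath) + @(Get-ChildItem $autoUnlockPath -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValueKind($name) -ne 'Binary') { continue }
            $bytes = [byte[]]$key.GetValue($name)
            $state = if (Test-DpapiBlob $bytes) { 'DPAPI-protected' } else { 'NOT a DPAPI blob - investigate' }
            "{0}\{1}: {2} bytes, {3}" -f $key.Name, $name, $bytes.Length, $state
        }
    }
} else {
    "No auto-unlock entries stored for $env:USERNAME on $env:COMPUTERNAME."
}

# 2. Volume side: which volumes auto-unlock, and does each still carry the
#    password or smart-card protector that the FAQ quoted above requires?
Get-BitLockerVolume | Where-Object { $_.AutoUnlockEnabled } | ForEach-Object {
    $types = $_.KeyProtector | ForEach-Object { $_.KeyProtectorType }
    [pscustomobject]@{
        Volume       = $_.MountPoint
        ExternalKey  = $types -contains 'ExternalKey'
        HasPassword  = $types -contains 'Password'
        HasSmartCard = $types -contains 'Certificate'   # smart-card protectors are reported as Certificate
    }
}
```

If you later decide you do not want the external keys kept for this user and computer, Clear-BitLockerAutoUnlock removes them (the password or smart card still unlocks the drive).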

Author by ahmd1

Updated on September 18, 2022

Comments

  • ahmd1 over 1 year

    I've encrypted my external HDD with a Bitlocker and after rebooting computer I tried to open that drive and got this message:

    [screenshot of the BitLocker unlock prompt]

    Say, if I pick to "Automatically unlock on this computer from now on", does this mean that Windows will store my password somewhere in the registry?

    PS. Or, are they smart enough at Microsoft to store only the hash -- preferably salted?

  • ahmd1 about 11 years
    I appreciate your research, my friend! Unlike that BS answer that I got from the Microsoft forum your answer gives me hope --- that the password cannot be easily reversed back into a text form once it is stored. Thanks again...
  • Karan about 11 years
    You're welcome, and I wanted to know the answer myself. The security provided should suffice to keep your data safe from the prying eyes of most users. Of course, if you're a secret agent you should probably look into more bullet-proof methods of keeping your data safe. Then again, if you're a spy I guess you would have more important things to worry about, such as how to make yourself bullet-proof. ;-)
  • bigmac almost 11 years
    Karan, if you get a chance, would you be able to take a look at the ServerFault post that I have posted at: serverfault.com/questions/520356/…. My question seems like an extension of your answer (using DPAPI to automatically auto-unlock BitLocker FIXED, not removable, volumes). Your input would be greatly appreciated!
  • Miscreant over 3 years
    I don't have a registry key at such location. I do have a HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FVEAutoUnlock key. Trying to open it in Registry Editor results in Error Opening Key, Access is denied.