Windows Bitlocker and automatic unlock password storage safety


Super User is a question and answer site for computer enthusiasts and power users. Join them; it only takes a minute: Sign up


Here's how it works:

Anybody can ask a question

Anybody can answer

The best answers are voted up and rise to the top

Windows Bitlocker and automatic unlock password storage safety

I've encrypted my external HDD with a Bitlocker and after rebooting computer I tried to open that drive and got this message:

Say, if I pick to "Automatically unlock on this computer from now on", does this mean that Windows will store my password somewhere in the registry? PS. Or, are they smart enough at Microsoft to store only the hash -- preferably salted? windows-7 windows passwords encryption bitlocker asked Mar 6 '13 at 6:59

ahmd1 528




1 Answer

I see you've also posted the same query here and here, and have already received some sort of standard response. Anyway, it's an interesting question and here's what I found. As the BitLocker Drive Encryption in Windows 7: Frequently Asked Questions page states, Automatic unlocking for fixed data drives requires that the operating system drive also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. Of course, this does not apply to you as you are using BitLocker To Go to encrypt removable data drives. For you, the following is relevant: In Windows 7, you can unlock removable data drives by using a password or a smart card. After you've started encryption, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users, as well as password complexity and minimum length requirements. Also, For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking Manage BitLocker. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers. and Removable data drives can be set to automatically unlock on a computer running Windows 7 after the password or smart card is initially used to unlock the drive. However, removable data drives must always have either a password or smart card unlock method in addition to the automatic unlock method. So now we know how automatic unlocking can be configured for removable data drives, and how such drives can be unlocked on other PCs as well. But what are the keys BitLocker uses, and where are they stored? As the BitLocker Keys section of the Keys to Protecting Data with BitLocker Drive Encryption article states: The [volume's] sectors themselves are encrypted using a key called the Full-Volume Encryption Key (FVEK). The FVEK, though, is not used by or accessible to users. The FVEK is in turn encrypted with a key called the Volume Master Key (VMK). This level of abstraction gives some unique benefits, but can make the process a bit more difficult to understand. The FVEK is kept as a closely guarded secret because, if it were to be compromised, all of the sectors would need to be re-encrypted. Since that would be a timeconsuming operation, it’s one you want to avoid. Instead, the system works with the VMK. The FVEK (encrypted with the VMK) is stored on the disk itself, as part of the volume metadata. Although the FVEK is stored locally, it is never written to disk unencrypted. The VMK is also encrypted, or "protected," but by one or more possible key protectors. The default key protector is the TPM. So the VMK is again encrypted by one or more key protectors. These can be the TPM , a password, a key file, a data recovery agent certificate, a smart card etc. Now when you choose to enable automatic unlocking for a removable data drive, the following auto-unlock registry key is created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock

Next yet another key protector of type "External Key" is created and stored at that registry location as: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock\{GUID}

The key and metadata to be stored in the registry are encrypted using the CryptProtectData() DPAPI function using the current user's login credentials and Triple DES (OTOH the actual data on the encrypted volume is protected with either 128-bit or 256-bit AES and optionally diffused using an algorithm called Elephant). The external key can only be used with the current user account and machine. If you switch to another user account or machine, the FveAutoUnlock GUID values are different. answered Mar 7 '13 at 1:31

Karan 46.2k




I appreciate your research, my friend! Unlike that BS answer that I got from the Microsoft forum your answer

gives me hope --- that the password cannot be easily reversed back into a text form once it is stored. Thanks again... – ahmd1 Mar 7 '13 at 6:34

You're welcome, and I wanted to know the answer myself. The security provided should suffice to keep your

data safe from the prying eyes of most users. Of course, if you're a secret agent you should probably look into more bullet-proof methods of keeping your data safe. Then again, if you're a spy guess you would have more important things to worry about, such as how to make yourself bullet-proof. ;-) – Karan Mar 7 '13 at 6:42

Karan, if you get a chance, would you be able to take a look at the ServerFault post that I have posted at:…. My question seems like an extension of your answer (using DPAPI to automatically auto-unlock BitLocker FIXED, not removable, volumes). Your input would be greatly appreciated! – bigmac Jul 3 '13 at 20:43

protected by Community © Sep 8 '15 at 17:50 Thank you for your interest in this question. Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count ). Would you like to answer one of these unanswered questions instead?


Windows Bitlocker and automatic unlock password storage safety

Super User is a question and answer site for computer enthusiasts and power users. Join them; it only takes a minute: Sign up _ Here's how it works:...

177KB Sizes 1 Downloads 13 Views

Recommend Documents

PCUnlocker - Unlock Windows Password, Reset Windows Password
PCUnlocker is powerful Windows password-unlocking software to reset lost Windows local administrator, domain administrat

BitLocker How to enable Network Unlock (Windows 10) | Microsoft Docs
Apr 19, 2017 - Network Unlock allows BitLocker-enabled systems with TPM+PIN and that meet the hardware requirements to b

Password Reset Key 2.0, Reset, Recover and Unlock Tool/ Windows Reset including *. +. WINDOWS PASSWORD RESET & REMOVAL T

BitLocker Recovery - Unlock a Drive in Windows 8 - Windows 8 Forums
Mar 3, 2013 - How to Unlock a Drive using BitLocker Recovery in Windows 8 and 8.1 Information There are several reasons

Account Unlock via Windows Logon
Self Password Reset/Account Unlock via Windows Logon screen while adhering to Active Directory Password Policy to ensure

How to unlock a BitLocker encrypted flash drive in Windows | Digital
Jun 8, 2017 - When using a BitLocker To Go encrypted drive, here's how to unlock your data, so that you can use it like

Unlock BitLocker Encrypted Drive From WinPE the Secure Way
Oct 12, 2016 - I have seen several blog posts on how to unlock a BitLocker encrypted drive from Windows PE, using the re

Secure Storage for Windows
Secure Vaults appear as local drives to all Windows applications. Unlock vaults located on remote computers over LAN. Sh

How to Unlock App Lock Without Password
May 5, 2016 - ... how to generate amazon giftcard · how to get 10 rs paytm · how to get jio sim · how to increase jio pr

Windows password unlocker usb |
As estruturas bacterianas visualizadas podem sugerir alguns gêneros bacterianos: Cocos Gram positivos agrupados Staphyl