Auto-Unlock Bitlocker with eDrive (Hardware Encryption)

Self-Encrypting Drive (SED) technology provides verified and certified data security which offers nearly unbreakable pre-boot access protection for user data. Because SED access is pre-boot, there is no possibility of running an OS utility to break authentication codes. Following TCG Opal 2.0 specifications and IEEE-1667 access authentication protocols provide data security which meets government standards for data in banking, finance, medical and government applications. Support for Windows 10 eDrive provides the individual user with simple plug-and-play data security which can protect sensitive personal data, without having to modify BIOS settings, and without having to spend time to encrypt data already in place (as is the case for software encryption methods).

Since Windows 8 Professional, Enterprise, and RT editions all automatically support encryption key management of SEDs. Depends on manufacturer settings, usually and mostly SEDs will support Microsoft’s requirements for eDrive capability. This provides security for data at rest with no loss of throughput performance. In other words, in order to active the password feature, to arm the security system if you will, all it takes in Windows 10 is to enable Bitlocker. While Bitlocker in older Windows Operating Systems does not support SED technology, you can still use Bitlocker like on any other drive, it just won’t take advantage of the benefits of the hardware encryption on the SED. To help users on Windows 7 or other Operating Systems take advantage of the SED ability third-party software vendors, such as Wave Systems, WinMagic, and others provide advanced encryption and authentication management features for Opal 2.0 storage devices.

With SED, it will means that all data is always encrypted by the controller when written to the NAND and decrypted when read. Windows 10 Bitlocker, along with other products, can work with this built-in hardware encryption ability when you apply a password in Windows.

As currently this article been posted, until now there is no way to get Bitlocker Auto-Unlock working if your SSD are using eDrive or Hardware Encryption. We saw same problem with Windows 8.1 Pro and just gave up as it seemed eDrive was not ready, and it appears there is still a problem so I’d thought I’d share the quick fix.

Environment and Steps to Reproduce:

• Windows 10 Professional.
• MSI GT72 6QD Dominator G.
• UEFI Secure Boot is enabled.
• AHCI enabled in BIOS.
• Machine contains 3 SSDs and 1 HDD – one Samsung NVME 960 PRO 512GB, two Crucial MX300 M.2 SATA SSD 1TB, and one HDD WD HGST 1TB.
• Machine is built fresh with Windows 10 being installed to Samsung NVME 960 PRO.
• eDrive (Encrypted Drive) flag is set for both Crucial MX300. (Note: As currently Samsung NVME 960 PRO doesn’t support eDrive IEEE-1667 by Microsoft’s and Samsung still considering to support it in the future).
• Using Disk Management Utility the both Crucial MX300 is initialized and a simple volume created & formatted. So far so good.
• Bitlocker is enabled on the OSD volume. After the Bitlocker check and reboot, also enabled Bitlocker on both Crucial MX300, run cmd as administrator and type

  manage-bde -status

  shows both the Crucial MX300 volume as encrypted using hardware encryption.

• Bitlocker is enabled on the disk – Windows 10 reports is a Fixed Data Disk. This is correct. Auto-Unlock is enabled on the Crucial MX300 disk.

  manage-bde -status

  shows the secondary volume has AutoUnlock as enabled, and the OSD volume shows true for having stored auto-unlock keys.

Problem

Both of Crucial MX300 disk is never auto-unlocked. Logging in as the same user account the disk must be manually unlocked. Clear all Auto-Unlock keys from the OSD volume, delete the Auto-Unlock keys from the secondary volume, recreate them using manage-bde and still the disk must be manually unlocked. There simply is no way to have the fixed disk automatically unlock despite it appearing to be configured correctly.

Notable Observations

• If the second disk is forced to use software encryption by not setting eDrive or not clearing it and going through the secure erase steps, magically Auto-Unlock works as advertised.
• Online search reveals at least one other instance of this exact scenario with no resolution:
  http://answers.microsoft.com/en-us/windows/forum/windows8_1-security/bitlocker-does-not-auto-unlock-fixed-data-drive/b0985818-784f-4d9c-9d4e-d26dbcb38518?auth=1
• It does not matter which disk is used as OSD and which as secondary.
• Problem was previously seen by us over 1 year ago on similar hardware but with Windows 8.1 Pro
• Same issue seen with stock Microsoft provided drivers (nothing else loaded on machine) or with OEM supplied drivers (with the exception of Intel Rapid Storage Technology is NOT being installed, it kills eDrive in other painful ways).

As a workaround recovery key been created in a protected directory on the C: drive of the machine, and create a scheduled task that calls manage-bde -unlock upon startup, this seems to have worked. It’s a bit of a hack that we’re not totally happy with but it allows us to move forward.

1. First, you need to create a .BEK file that can unlock the disk. This is the command we used:

   manage-bde -protectors -add d: -rk c:\

   Substitute “d:” with whichever drive you want to auto-unlock. The output will look something like this (take note of the “external key file name”):

   BitLocker Drive Encryption: Configuration Tool version 10.0.10011
   Copyright (C) 2013 Microsoft Corporation. All rights reserved.
   
   Key Protectors Added:
   
   Saved to directory c:\
   
   External Key:
   ID: {9DDF4900-5E08-479A-8C4C-6ADE2DA00551}
   External Key File Name:
   9DDF4900-5E08-479A-8C4C-6ADE2DA00551.BEK

2. Now you need to create the script to unlock the drive. Just create a batch file in the root directory with the following line:

   manage-bde -unlock d: -rk C:\[external key filename]

   Again, replace d: with the correct drive letter. Replace [external key filename] with the filename you got before.

3. Finally, you need to tell Windows to run this script at startup, before you log in. (Or at least I needed it to run then, because that’s where my desktop, etc. are stored.) Here’s how you do that:
   • Press Win+R and enter gpedit.msc. (This is only in Pro, but so is Bitlocker, so that’s not an issue here.)
   • On the left, navigate to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown)
   • Double-click “Startup” on the right
   • Click “Add…” and select the batch file you created before.
   • Click OK and exit Group Policy Editor.
4. Now you can reboot the computer to test it. You should see your drive automatically unlocked!