
I don't get how the "automatically unlock" BitLocker feature works on Windows 10. I have a main SSD with the OS installed on it that's encrypted with BitLocker, and another drive encrypted with BitLocker that automatically unlocks itself at boot.

I read in the documentation that a drive set to unlock automatically "can be unlocked only when the main OS drive is locked with BitLocker too". This makes it sound like it can be unlocked with any other main OS drive encrypted with BitLocker, and not only with my own main OS drive. Does this then mean that I can put my data drive in another PC using BitLocker (on the main OS drive) and it will automatically unlock there too?

This wouldn't make any sense at all to me, but it looks like that is the case. There is no indication that the pair "OS drive" and "automatically unlocked drive" is unique and tied together in some way. Is it unsafe, then, to unlock the drive automatically? Is there any safer way to lock it?

  • `Does this then mean that i can put my data drive on another PC using bitlocker (on the main OS drive) and it will again automatically unlock there too? This wouldn't make any sense at all to me but it looks like so.` No it does not. – Greg Askew Jul 29 '23 at 23:19
  • To expand on Greg Askew: though there is no indication, it is still true that the unique key to the "automatically unlocked" drive is buried in the OS drive. – tsc_chazz Jul 30 '23 at 00:53

1 Answer


Does this then mean that I can put my data drive in another PC using BitLocker (on the main OS drive) and it will automatically unlock there too?

No, because the other PC can't guess the decryption key.

In fact, when you enable auto-unlock, BitLocker stores a key specifically for this data drive somewhere in the main OS volume, and Windows later uses this key to unlock the data drive.

Windows is able to auto-unlock the data drive because the key it needs to unlock this data drive is stored on the main OS volume.

So a random computer will not be able to auto-unlock your data drive, because that computer will not have the key it needs to auto-unlock the drive on its OS volume.

That's what the documentation says:

You can configure BitLocker to unlock mounted data volumes automatically during startup, without human interaction. BitLocker accomplishes this by encrypting a data volume's volume master key with an external wrapping key, and then storing a plaintext copy of the external wrapping key in the registry of the encrypted operating system volume.

– Swisstone
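The answer above describes the mechanism; the practical follow-up to the question's "is it unsafe, and is there a safer way to lock it?" is to look at what the OS volume is actually holding and, if that coupling is not wanted, replace it. The script below is an added example, not code from the original answer or from Microsoft. It assumes an elevated PowerShell prompt on a Windows 10/11 edition that ships the BitLocker module, that `C:` is the BitLocker-protected OS volume and `D:` the auto-unlocked data volume; `Get-AutoUnlockReport` is a helper name chosen here, not a built-in cmdlet.

```powershell
# Added example (not part of the original answer): inspect and change BitLocker
# auto-unlock from an elevated PowerShell prompt.
# Assumptions: C: is the BitLocker OS volume, D: the auto-unlocked data volume,
# and the BitLocker PowerShell module (Windows Pro/Enterprise/Education) is present.
#Requires -RunAsAdministrator

function Get-AutoUnlockReport {
    # One row per BitLocker volume. A data volume set to auto-unlock carries an
    # ExternalKey protector; the key that opens that protector is the plaintext
    # copy the documentation says is kept in the OS volume's registry, which is
    # why AutoUnlockKeyStored is reported on the OS volume and not on the data volume.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint          = $_.MountPoint
            VolumeType          = $_.VolumeType          # OperatingSystem or Data
            ProtectionStatus    = $_.ProtectionStatus    # On / Off
            LockStatus          = $_.LockStatus          # Locked / Unlocked
            AutoUnlockEnabled   = $_.AutoUnlockEnabled   # data volume: opens on its own?
            AutoUnlockKeyStored = $_.AutoUnlockKeyStored # OS volume: holds keys for other volumes?
            KeyProtectors       = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        }
    }
}

Get-AutoUnlockReport | Format-Table -AutoSize

# --- Replace "unlocks whenever this OS volume is open" with "unlocks with a password" ---

# 1. Stop auto-unlock for D:. The stored key that let it open unattended goes away.
Disable-BitLockerAutoUnlock -MountPoint 'D:'

# 2. Add a password protector so D: depends on something the user knows rather
#    than on a key sitting in the OS volume. Keep the RecoveryPassword protector
#    (visible in the report above) as the fallback for when the password is lost.
$pw = Read-Host -AsSecureString -Prompt 'New BitLocker password for D:'
Add-BitLockerKeyProtector -MountPoint 'D:' -PasswordProtector -Password $pw

# 3. Lock D: right now (closes open handles) and confirm it stays locked.
Lock-BitLocker -MountPoint 'D:' -ForceDismount
(Get-BitLockerVolume -MountPoint 'D:').LockStatus   # Locked

# Before the OS disk is reimaged, sold or moved, remove every auto-unlock key it
# still holds for other volumes so a later owner cannot use them:
# Clear-BitLockerAutoUnlock
```

The security caveat the documentation quote implies, and the report makes visible: the data volume's confidentiality is bounded by whatever protects the OS volume. Once the OS volume is unlocked (with a TPM-only protector that happens at every boot, before anyone logs in), the wrapping key is readable by anything running as SYSTEM or local administrator on that machine, so auto-unlock is only as safe as the OS volume's protector plus the machine's local-admin boundary. Moving the data drive to another PC does not auto-unlock it, because that PC has no copy of the key; it will prompt for the password or recovery password instead, which is exactly the behaviour the question was hoping for. The same `manage-bde -autounlock` switches (`-enable`, `-disable`, `-clearallkeys`) cover this from a plain command prompt if the PowerShell module is unavailable.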