Bitlocking Virtual Hard drives.


cereberus

This is just an observation, not a plea for help.

I install Insider versions initially in a Hyper-V vm, and then attach the vhdx to the host bcd so I can natively boot the vhdx file as well.

So I thought - how does bitlocker work with vhdx files?

My vms have the Hyper-V TPM enabled.

So I booted into a W11 vhdx file and encrypted the C drive, saving the bitlocker key to a host drive.

Rebooted the vm, and it boots fine (no password needed as the vm uses the Hyper-V TPM).

I then tried to natively boot the vhdx and it would not boot, requiring the recovery key. I am not surprised as the password is not in the host pc TPM.

Equally, the same happened in reverse if I bitlocked the C drive on the vhdx when natively host booting.

As far as I can tell it is impossible to bitlock a C drive partition so it automatically unlocks when booting from either host OS or Hyper-V.

This rather proves the TPM in Hyper-V is a full separate software TPM, not just a software passthrough to actual Host TPM.
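A read-only diagnostic that makes the behaviour above visible, added here as an example and not part of the thread: run it elevated inside whichever OS booted the vhdx (Hyper-V vm or native) and compare the output from both sides. It assumes Windows 10/11 with the built-in BitLocker and TrustedPlatformModule PowerShell modules and the manage-bde tool.

```powershell
# Added example (not from the thread). Shows which TPM the running OS sees and which
# BitLocker key protectors guard the OS volume, which is what decides whether the boot
# unlocks silently or drops to the recovery screen.
# Assumes Windows 10/11 with the built-in BitLocker and TrustedPlatformModule modules.

$tpm = Get-Tpm
'TPM present: {0}  ready: {1}  manufacturer: {2}  firmware: {3}' -f `
    $tpm.TpmPresent, $tpm.TpmReady, $tpm.ManufacturerIdTxt, $tpm.ManufacturerVersion

$os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
if (-not $os) { throw 'No BitLocker operating system volume found.' }
'OS volume {0}: protection {1}, {2}% encrypted' -f `
    $os.MountPoint, $os.ProtectionStatus, $os.EncryptionPercentage

# A 'Tpm' protector seals the volume master key to this TPM's PCR measurements.
# A different TPM (host chip vs. Hyper-V vTPM) cannot unseal it, so the same vhdx
# booted on the other platform has to fall back to one of the remaining protectors.
foreach ($kp in $os.KeyProtector) {
    '  {0}  {1}' -f $kp.KeyProtectorType, $kp.KeyProtectorId
}

$types = @($os.KeyProtector.KeyProtectorType)
if (($types -contains 'Tpm') -and -not ($types -contains 'RecoveryPassword')) {
    Write-Warning 'TPM protector with no recovery password: a platform change would lock the volume out.'
}

# The PCR validation profile lists exactly which boot measurements the TPM protector is bound to.
manage-bde -protectors -get $os.MountPoint | Select-String 'PCR Validation Profile' -Context 0,1
```

Running it in the vm and then natively from the same vhdx gives two different manufacturer and firmware lines for the same volume and protector list, which is the observation the post describes.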
 

Just a remark on TPM in addition to your post and nothing to do with how bitlocker works or doesn't work with vhdx files etc.

You can install on both GUESTS and HOSTS the additional optional feature TPM diagnostics. This *might* be of some use for people wanting to explore what the TPM can actually do and what it's capable (or not capable) of.

My own view is that this whole TPM thing, based on a chip now at least 15 years old, isn't the best way of ensuring security, whether for hardware or software based schemes. Compared to most other hardware advances, e.g. in video/graphics, the CPU itself, SSD/NVMe technology, even boring things like routers, the TPM device is positively ancient (and if MS hadn't dredged this up from somewhere for its W11 implementation I'm sure it would be long gone by now).

Even MS on its own forums doesn't have any sensible examples of a serious TPM use or application.

Cheers
jimbo
 

This rather proves the TPM in Hyper-V is a full separate software TPM, not just a software passthrough to actual Host TPM.
Thanks for mentioning this interesting find.

A separate TPM for each VM makes sense if they don't state anywhere that 'passthrough' is used.
And it is logical, if each VM is treated as unique, to expect that each VM's TPM has its own random number generator for the creation of its own cryptographic keys.

I'm just noting this from my findings, and I am in NO case an expert in cryptography or TPM for that matter.
 
