Solved Minor Bitlocker Weakness

So I had a bitlocked partition on 1 PC and found a simple way I could recover the partition to another PC and files on new PC are not bitlocked.

I am being deliberately vague about how I did it but it was very simple (do not want to encourage hackers).

My point is not how I did it, but the fact it was so easy, makes bitlocker effectively useless!



If I ever lose my bitlocker passwords, I can decrypt file WITHOUT any security or password. So much for AES256 (or whatever they are) algorithms!

The only point in doing it is if pc gets stolen, the average bone-head would not know how to do it LOL.

EDIT: I was using Macrium Reflect, and it turns out you can only unlock a volume using usb drive created on same device. If you try it using drive created on another PC it can only copy as bitlocked. It is advisable to not select option to automatically unlock bitlocker if you carry Macrium Reflect USB drive with a bitlocked laptop.

So what I called Major is now renamed Minor in title LOL.

Frankly, I think you haven't set up BitLocker correctly.

Haydon said:

Frankly, I think you haven't set up BitLocker correctly.

Click to expand...

No seriously, I have. The partition is bitlocked. But I have copied it to another PC and it is not - just tested it. I will PM you as this blew my mind.

PM me as well, please - I suspect there is a disconnect here that may need to be taken into account.

Please confirm: you have a partition that is not only bitlocked, BUT ALSO in LOCKED STATE (closed yellow lock) and you may copy it and it is unlocked?

I know that you do not want to go into detail, but I have to ask a couple questions:

Let's assume that the drive in question is currently locked. Are you saying that you can physically take that drive to another system and unlock it?

Or are you somehow copying the contents of the drive to another system via network?

The intention of BitLocker would be only to protect you if the drive was physically moved to another system or if someone installed a new instance of Windows on the current system.

EDIT: Some additional clarification on what I'm getting at: If you are copying data over the network to another location, it would be decrypted in that case, so I just want to get a basic idea of the scenario without asking you to provide details.

@cereberus
First of all great work and discretion in doing what you can to prevent the spread of the knowledge to those who would abuse it ...

Up to you but I think it may be a good idea to inform Microsoft of your findings - this could be a serious unknown workaround BitLocker security ( I assume it is unknown as otherwise Microsoft should have sorted the weakness out already)

cereberus, I reread your second post where you state that you are copying it to another system. In that case, the data is being decrypted and this would be expected behavior. Remember, BitLocker decrypts the data on the fly anytime you read it while logged in with an account granted access to that volume, so copying the data performs the act of decrypting the data. If you want the data to be encrypted at the destination, then the destination must have its own encryption.

As an example, Macrium Reflect (and othe backup programs) make it a point to tell you to use their encryption for backups originating from a BitLocker volume and destined for a non BitLocker volume because the data would otherwise be unencrypted.

As others have stated, the value of Bitlocker is that if you leave your laptop someplace or somebody physically steals your hard drive, the data on it is encrypted. They cannot remove the drive easily from the lost system, and place it into a known working system and have access to the data that is on it.


If however, they are able to logon to Windows (for example, they know your password, or guess it), the drive is then in a decrypted state and they can do whatever they want with the data. If the data was backed up while unencrypted, it's unencrypted data on the destination source. If the computer is turned on and there are available network shares that provide access to the entire drive, they will be accessible to anybody across the network who has access to the machine.

Bitlocker is only providing protection from a hard drive being physically stolen and then attempted to be used in another physical system.

pparks1 said:

As others have stated, the value of Bitlocker is that if you leave your laptop someplace or somebody physically steals your hard drive, the data on it is encrypted. They cannot remove the drive easily from the lost system, and place it into a known working system and have access to the data that is on it.


If however, they are able to logon to Windows (for example, they know your password, or guess it), the drive is then in a decrypted state and they can do whatever they want with the data. If the data was backed up while unencrypted, it's unencrypted data on the destination source. If the computer is turned on and there are available network shares that provide access to the entire drive, they will be accessible to anybody across the network who has access to the machine.

Bitlocker is only providing protection from a hard drive being physically stolen and then attempted to be used in another physical system.

Click to expand...

Sure thing, the weakness though is that if laptop is stolen, and user boots into Winpe mode, the data is still accessible.

I actually did an interesting test - I disabled the TPM before copying bitlocked partition to an external drive and then when I copied partition to new PC, it was copied in bitlocked state, so I could not get access to the data.

I agree if hard drive is stolen but not pc, then it is virtually impossible to access drive.

In the end, which is more likely - laptop getting stolen, or thief swipes hard drive (years ago, that sort of theft along with RAM was common but not nowadays)

Fortunately most thieves are scumbag opportunists and do not really care about the data and would wipe drive anyway. You would be very unlucky to have pc stolen by somebody data harvesting.

Bearing all this in mind, I have locked down bios on my travel laptop so a usb drive cannot be used, and also set a bios password. As it is an emmc device, you cannot even remove drive anyway.

"the weakness though is that if laptop is stolen, and user boots into Winpe mode, the data is still accessible"
No, booting WINPE will not allow you to access bitlocked drives. Bitlocker was made for this scenario. We use it for over a decade and often use WinPE - never accessible without providing the numerical recovery password, no.

So you did not answer my question, was the partition locked before copying or not?

Comport Colin said:

"the weakness though is that if laptop is stolen, and user boots into Winpe mode, the data is still accessible"
No, booting WINPE will not allow you to access bitlocked drives. Bitlocker was made for this scenario. We use it for over a decade and often use WinPE - never accessible without providing the numerical recovery password, no.

So you did not answer my question, was the partition locked before copying or not?

Click to expand...

Yes it was locked, and I did not specify which WinPE item I booted from. It was not a windows installation drive but a different app that boots in WinPe and it copied a bitlocked partition without a password. That is my whole point!

cereberus said:

Yes it was locked, and I did not specify which WinPE item I booted from.

Click to expand...

If by any chance the WinPE item you booted from was Macrium Reflect, bear in mind that reflect has an option to allow access to your BitLocker drive(s) when the rescue media is booted.

I always add the option to enable BitLocker support but don't allow it to unlock my volumes automatically.

Ok, as people surmised I was using Macrium Reflect and I have done more testing based on some pm suggestions and I am glad to say you can only use the Rescue Drive to unlock in winpe mode if the Rescue Drive is made on same PC.

OK, I admit it is not a MAJOR weakness, but you should not carry Rescue Drive with Laptop if travelling or bitlock the Rescue Drive Z as well.

Nonetheless this has made me think what you need to do to secure a travel laptop i.e.

1) bitlock drives

2) add a PIN to preboot TPM (not same as windows PIN

3) Do not select option (uncheck) to autounlock Bitlocked partitions (thanks to @hsehestedt for this suggestion, and @Fabler2 for help).

Thanks for replies.

Very cool. I do carry my rescue disk with me, but I make sure not to select the option to auto unlock BitLocker volumes when I create it. That way it neuters the rescue disk rendering it safe. :)

hsehestedt said:

Very cool. I do carry my rescue disk with me, but I make sure not to select the option to auto unlock BitLocker volumes when I create it. That way it neuters the rescue disk rendering it safe. :)

Click to expand...

That is good advice - I have updated my post above.

cereberus said:

That is good advice - I have updated my post above.

Click to expand...

Can you boot from a Bitlocked drive? It won't be any use if it's needed.

Fabler2 said:

Can you boot from a Bitlocked drive? It won't be any use if it's needed.

Click to expand...

No - good point but you can create a Windows to Go usb drive which is bootlocked with a PIN so you cannot start it without entering PIN. This is a sledgehammer solution though - simply easier to select Reflect option not to automatically unlock bitlocked volumes is easier. Earlier post updated.

And that was one of the things I wondered why it was included in the first place - the auto unlock is a dangerous thing to have there. I suppose someone,. somewhere screamed about it until it got added or something.