Blog about software development


Bitlocker startup key on an EFI partition

24 Mar 2022 - by 'Maurits van der Schee'

Windows 10 professional supports full disk encryption with a PIN and a Trusted Platform Module (TPM) chip with it's Bitlocker technology. If you don't have (or believe in) TPM you can use either a pass-phrase or a USB startup key (file on a USB stick) to unlock your Bitlocker encrypted drive. When I apply full disk encryption on machines at the office it is to protect the data in case of computer theft. For machines that have a single user (me) I use a pass-phrase while for machines have multiple users I use a USB startup key. I carry the USB startup key on my key chain. Using a pass-phrase or USB startup key makes the confidentiality of the data on the system easier to understand and reason about, which attributes to real security.

Rules for the USB startup key

Since I'm only securing against hardware theft I don't mind that using a long pass-phrase is more secure. A pass-phrase is inconvenient when sharing a computer. The USB startup key does not have to be remembered and can be copied and/or lended out to people that are allowed to use the computer.

NB: Always consider your threat model when implementing security measures: Consider carefully whether or not the measures you take secure you against the threats you want to protect yourself from.

Form factor: with a ring

A USB drive that you carry on your key chain would ideally be the size of a key, with a ring so it can fit between your keys. This form factor is very important for the security of this system. I feel it helps the owner to think about the USB drive as a key and it allows the user to keep the USB key close at all times.

Prevent accidental deletion

Normally when you insert a USB stick it will auto-mount and show the contents of a drive. This is especially true for removable drives as the "hidden" flag in MBR or the hidden partition types in GPT (recovery and reserved) are ignored by Windows in case of exFAT, FAT16, FAT32 or NTFS on a removable drive. There is one trick to makes accidental deletion harder: use an "EFI" partition type of a GPT partitioned USB drive. This partition type is typically used for booting and this partition is therefor not auto-mounted. All options in the Windows disk manager are also disabled to prevent accidental modification of this partition. Fortunately for us the partition is scanned during startup for Bitlocker key files.

Master key

Since Bitlocker scans the partition for the right key, you may put multiple keys on the USB drive, effectively creating a "master" key.

Warn when USB stick is not removed

We can write a "logon" script in Visual Basic that is run when the user logs in. This script can warn the user to remove the USB startup key when the user has forgotten to remove it at that point. This script will scan the removable drives for a (connected) drive with a specific label. When the drive is detected it will show a popup warning that is always on top and keeps re-appearing, so is hard to ignore (but you can kill it using the task manager). Removing the drive and pressing "OK" makes the pop-up go away.

You can use the Group Policy Editor (Run: "gpedit.msc") and navigate to Logon scripts (under: "User Configuration\Windows Settings\Scripts\Logon") and add/drop your script file there.

Function GetRemovableDriveLetter (label)
    GetRemovableDriveLetter = ""
    Dim drive
    For Each drive In CreateObject("Scripting.FileSystemObject").Drives
        If drive.IsReady Then
            If drive.DriveType = 1 And drive.VolumeName = label Then
                GetRemovableDriveLetter = drive.DriveLetter
                Exit Function
            End If
        End If
End Function 

Do While GetRemovableDriveLetter("BEK")<>""
    MsgBox vbcrlf & "    You MUST remove the Bitlocker Startup USB Key.     " & _
    vbcrlf & vbcrlf & vbcrlf & vbcrlf & vbcrlf & _
    "    Remove the USB key and press 'OK' to continue." & _
    vbcrlf & vbcrlf & vbcrlf, 4112, "Security Error"


PS: Liked this article? Please share it on Facebook, Twitter or LinkedIn.