In Disk Management, the partition says "NTFS (BitLocker Encrypted)":
In the BitLocker Drive Encryption control panel applet, it says "BitLocker waiting for activation" and it has an option to "Turn on BitLocker":
If I go to Settings > Device encryption it says "You need a Microsoft account to finish encrypting this device" but there it has an option to "Turn off":
If I right-click the drive in This PC there's an option to "Turn on BitLocker":
Is the drive encrypted with BitLocker or not? Is the activation only for creating a recovery key, or does activation encrypt the partition?
Answer
The volume is indeed encrypted but BitLocker is "suspended." This means the Full Volume Encryption Key (FVEK) used to scramble the data is saved to disk in plaintext where anyone can access it. This means they can access your data too.
You can verify this for yourself. Assuming your volume is C:, run manage-bde -on C:
from an elevated Command Prompt (no, this won't turn BitLocker on...it's already on):
PS C:\> manage-bde -on c:
BitLocker Drive Encryption: Configuration Tool version 10.0.17134
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Volume C: [Windows]
[OS Volume]
NOTE: This command did not create any new key protectors. Type
"manage-bde -protectors -add -?" for information on adding more key protectors.
NOTE: Encryption is already complete.
BitLocker protection is suspended until key protectors are created for the
volume. To enforce BitLocker protection on this volume, add a key protector.
Notice the last statement in the output:
BitLocker protection is suspended until key protectors are created for the volume.
According to Microsoft's documentation about suspending BitLocker:
Suspension of BitLocker does not mean that BitLocker decrypts data on the volume. Instead, suspension makes [the] key used to decrypt the data available to everyone in the clear. New data written to the disk is still encrypted.
The reason BitLocker is "waiting for activation" is because no Key Protectors exist for the volume. BitLocker uses protectors to control access to the FVEK. Notice the output of manage-bde -protectors C: -get
:
PS C:\> manage-bde -protectors C: -get
BitLocker Drive Encryption: Configuration Tool version 10.0.17134
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Volume C: [Windows]
All Key Protectors
ERROR: No key protectors found.
Until at least one protector is created, BitLocker cannot leave suspended mode and the Windows UI will report that it's waiting for activation.
There are several ways to activate BitLocker in this situation. I prefer doing so from the Control Panel as it allows you to enable protection without requiring a Microsoft Account:
In Start search
manage BitLocker
and choose the result from Control PanelIn the BitLocker Drive Encryption applet click Turn on BitLocker
Choose one of the options for backing up your recovery key.
Finish the wizard.
The result of completing this wizard is that your volume encryption key is "protected" and no longer saved to the disk in the clear, meaning your encrypted data is now actually protected from unauthorized access.
Windows may have automatically enabled BitLocker after you completed the Out Of Box Experience (OOBE) if your device supports Modern Standby or is HSTI-compliant. Since Windows 8.1 BitLocker has been automatically enabled on these devices. This means many new computers will come from the factory with BitLocker enabled by default.
Additional Resources
- List of the different types of BitLocker key protectors
- SuperUser answer discussing the relationship of the Full Volume Encryption Key and Key Protectors.
No comments:
Post a Comment