Sunday 8 March 2020

Unlocking multiple BitLocker drives that use the same password in one go

On a couple of newer non-OS drives I have trialled BitLocker, which comes with Windows 10 Pro. Drives that I've had for many years are protected with TrueCrypt, which gives some indication of their age given that TrueCrypt was discontinued in 2014.

BitLocker is more tightly integrated into Windows Explorer: locked drives appear in My Computer, and double-clicking one prompts you for the password to unlock it.

When you have multiple BitLocker-protected drives you have to repeat this unlocking process for each one. If each drive has its own password that is probably acceptable, but if the same password is used on all of them, unlocking them one by one is laborious. TrueCrypt, by contrast, mounts every volume that opens with the password you enter.

Therefore I set out to script unlocking my four drives that have a common password in one go and ended up with the following PowerShell script.

Unlocking

$SecureString = Read-Host 'Enter BitLocker Password' -AsSecureString
Get-BitLockerVolume |
    Where ProtectionStatus -EQ Unknown |
    Unlock-BitLocker -Password $SecureString > $null

Upon executing the script:
  • you are prompted for the password (which is displayed as asterisks in the console for privacy) and it is stored as a SecureString in the variable $SecureString
  • Get-BitLockerVolume lists all drives that use BitLocker
  • Where ProtectionStatus -EQ Unknown then filters these drives down to those that are locked (a locked volume reports ProtectionStatus as Unknown and LockStatus as Locked, so Where LockStatus -EQ Locked is the more direct equivalent)
  • Unlock-BitLocker -Password $SecureString then unlocks each in turn, using the password provided at the prompt; -Password takes a SecureString, which is why Read-Host is used with -AsSecureString
  • > $null hides any output in the console.
You can save this as a PowerShell script, such as BitLockerUnlock.ps1. If you try to execute it at this point you are likely to run into two issues:
  • You need to run it as administrator / click through a User Account Control (UAC) prompt
  • Running PowerShell scripts is disabled by default.
For my use case, I haven’t been able to find a way to bypass running as administrator (unless you turn UAC off which is undesirable). From what I have read, if you set up a Scheduled Task or use Group Policy to run the script at startup, the script will run as the SYSTEM user and therefore will bypass the UAC prompt, however I do not want to unlock my drives at logon.

To run PowerShell scripts you can use the Set-ExecutionPolicy command to allow the script types of your choosing, but this is not necessary: the execution policy is a safety catch against running scripts by accident rather than a security boundary, and a single command-line switch overrides it for one process, as explained below.

There are a couple of tidy-ups we can do to make running the script easier and neater. If you create a shortcut to the .ps1 script, you will find its Target is similar to:
C:\Users\Alex\Documents\Scripts\BitLockerUnlock.ps1
We need to update this to:
powershell -ExecutionPolicy Bypass -f "C:\Users\Alex\Documents\Scripts\BitLockerUnlock.ps1"
This runs the file with PowerShell (-f is short for -File), and -ExecutionPolicy Bypass overrides the execution policy for that one process only; the machine-wide setting is unchanged. Whilst in the shortcut properties, also set the shortcut to Run as Administrator, and you can change the icon if you'd like. The BitLocker icon can be found in %SystemRoot%\System32\fvecpl.dll.

You should now be able to execute the shortcut, click through the UAC prompt and enter your BitLocker password in the console prompt. Once the script completes the prompt closes.
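The same shortcut can be built from PowerShell rather than through the Properties dialog. This is an added example and not part of the original post; the function name, its parameters and the placeholder paths are my own. The WScript.Shell COM object can set the target, arguments, icon and window style, but it has no property for the "Run as administrator" checkbox, so the example sets that flag directly in the saved .lnk file.

```powershell
<#
  Added example (not the original post's code): create a launcher shortcut
  for a .ps1 that runs it elevated with the execution policy bypassed.
#>
function New-ElevatedScriptShortcut {
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,   # the .ps1 to launch
        [Parameter(Mandatory)] [string] $ShortcutPath, # where to write the .lnk
        [switch] $Minimised                            # only for scripts that need no console input
    )

    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($ShortcutPath)
    $lnk.TargetPath = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
    $lnk.Arguments = "-ExecutionPolicy Bypass -File `"$ScriptPath`""
    $lnk.WorkingDirectory = Split-Path -Parent $ScriptPath
    $lnk.IconLocation = "$env:SystemRoot\System32\fvecpl.dll,0"   # BitLocker icon
    $lnk.WindowStyle = if ($Minimised) { 7 } else { 1 }           # 7 = minimised, 1 = normal
    $lnk.Save()

    # The COM object cannot set "Run as administrator". That checkbox is the
    # RunAsUser bit (0x2000) of the LinkFlags field in the .lnk header; the
    # field starts at offset 0x14 (little-endian), so the bit is 0x20 of the
    # byte at offset 0x15. Set it in the file the COM object just wrote.
    $bytes = [System.IO.File]::ReadAllBytes($ShortcutPath)
    $bytes[0x15] = $bytes[0x15] -bor 0x20
    [System.IO.File]::WriteAllBytes($ShortcutPath, $bytes)
}

# Usage (placeholder paths; substitute your own)
New-ElevatedScriptShortcut -ScriptPath "$env:USERPROFILE\Documents\Scripts\BitLockerUnlock.ps1" `
    -ShortcutPath "$env:USERPROFILE\Desktop\Unlock BitLocker drives.lnk"
```

Open the resulting shortcut's Properties, Advanced to confirm that "Run as administrator" is ticked; if a shortcut is later edited and re-saved by the COM object the flag byte is preserved, but it is worth checking the first time.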

Locking

A simpler script can be created to reverse the process and lock the drives in one click.
Get-BitLockerVolume |
    Where ProtectionStatus -EQ On |
    Lock-BitLocker > $null
Upon executing the script:
  • Get-BitLockerVolume lists all drives that use BitLocker
  • Where ProtectionStatus -EQ On then filters these drives down to those that are unlocked; note that this also matches a BitLocker-protected operating system drive, which cannot be locked while Windows is running, so if your OS drive is encrypted add Where VolumeType -EQ Data to the filter
  • Lock-BitLocker locks each in turn; it refuses a volume that has files open unless you add -ForceDismount
  • > $null hides any output in the console.
Create a shortcut in the same way as for the unlock script. One additional change to this shortcut is to set it to Run Minimised, so that the PowerShell console is not displayed on screen whilst it is executing. We can do this for the lock script but not the unlock script, as no password input is required to lock.
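The unlock and lock scripts above, combined into one as an added example that is not the post's own script (the script name, the -Lock and -ForceDismount switches and the messages are my own). It reads the password once, restricts itself to data volumes so an encrypted OS drive is never touched, and handles each volume separately so that one wrong password, disconnected drive or in-use volume does not abort the rest:

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not the original post's script). Save as, for instance,
  BitLockerToggle.ps1 (name is a placeholder) and run elevated:
    .\BitLockerToggle.ps1          # unlock all locked data volumes
    .\BitLockerToggle.ps1 -Lock    # lock all unlocked data volumes
#>
param(
    [switch]$Lock,
    [switch]$ForceDismount   # Lock-BitLocker refuses a volume with open handles unless forced
)

# Only data volumes: the OS volume is unlocked at boot and cannot be
# locked while Windows is running, so exclude it up front.
$dataVolumes = Get-BitLockerVolume | Where-Object VolumeType -EQ 'Data'

if ($Lock) {
    $targets = $dataVolumes | Where-Object LockStatus -EQ 'Unlocked'
    foreach ($v in $targets) {
        try {
            Lock-BitLocker -MountPoint $v.MountPoint -ForceDismount:$ForceDismount -ErrorAction Stop | Out-Null
            Write-Host "Locked $($v.MountPoint)"
        } catch {
            Write-Warning "Could not lock $($v.MountPoint): $($_.Exception.Message) (files open? retry with -ForceDismount)"
        }
    }
} else {
    $targets = $dataVolumes | Where-Object LockStatus -EQ 'Locked'
    if (-not $targets) {
        Write-Host 'No locked BitLocker data volumes found.'
        return
    }

    # Read the password once as a SecureString: it is neither echoed nor
    # written anywhere, and is disposed of when the loop finishes.
    $password = Read-Host 'Enter BitLocker Password' -AsSecureString

    foreach ($v in $targets) {
        try {
            Unlock-BitLocker -MountPoint $v.MountPoint -Password $password -ErrorAction Stop | Out-Null
            Write-Host "Unlocked $($v.MountPoint)"
        } catch {
            # A volume with a different password (or with only a recovery
            # key protector) lands here; carry on with the remaining drives.
            Write-Warning "Could not unlock $($v.MountPoint): $($_.Exception.Message)"
        }
    }
    $password.Dispose()
}

# Final state, so what is still locked is visible at a glance
Get-BitLockerVolume | Where-Object VolumeType -EQ 'Data' |
    Select-Object MountPoint, LockStatus, ProtectionStatus |
    Format-Table -AutoSize
```

Because the errors are reported rather than swallowed, the console stays readable when run from a shortcut: a volume that did not open with the shared password is listed as still Locked in the final table, and you can unlock it individually afterwards.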

Alternatives

I ended up using PowerShell as the BitLocker cmdlets support passing in a password. There is also the simpler command-line tool manage-bde, but it cannot take the password as an argument and will therefore prompt you for it once per drive. A basic manage-bde unlock command is:
manage-bde -unlock X: -password
