Windows – How does a Microsoft-accountless BitLocker encryption scheme work

Tags: bitlocker, encryption, fedora, windows 10

I have a new Dell XPS 15 (7590). I did not give the initial Windows 10 Home setup any Wi-Fi information so I could install Windows with a pure local user account: there is no Microsoft account on my computer.

I then installed Fedora 31, as one does, and was surprised to see that the main data partition is encrypted by BitLocker! I can't decrypt it with dislocker as I don't know how it was encrypted to begin with.

When I boot the machine, I reach the Windows 10 login screen without entering any passwords to decrypt the drive (as I have to do when booting into my Fedora 31 partition, which is encrypted by LUKS): the only password I enter is for my local user account.

I'd love to know what my recovery key (or password!) is, so I can decrypt the drive from within Fedora to mount it. But Windows 10 Home shouldn't support BitLocker, and Microsoft's documentation seems to imply that you can't use BitLocker without a Microsoft account: that's where the recovery password gets stored.

manage-bde almost implies that the drive isn't encrypted, but the Windows Disk Manager (and gparted) are quite clear that the C: partition is encrypted. Explorer does not show the usual BitLocker icons, nor does it offer the Manage BitLocker option.

PS C:\Windows\system32> manage-bde -status c:
BitLocker Drive Encryption: Configuration Tool version 10.0.18362
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [OS]
[OS Volume]

    Size:                 765.15 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:       None Found

Has anyone encountered this before? I'd love to keep the encryption on the drive; it appears that a manage-bde -off C: will permanently decrypt a drive in Windows 10 Home, but I don't know how the drive got encrypted or where the recovery keys are stored.

Best Answer

BitLocker has never depended on a Microsoft account. It is only a possible location for storing the recovery password, but not the only one (the same password can be stored on Active Directory, or in a plain text file of your choosing) – and a BitLocker drive doesn't necessarily have a recovery password to begin with.

You can run manage-bde c: -protectors -get to see what unlock mechanisms are available. Whenever a recovery password is present, it will be shown directly in the protectors list.

But in your case, the status output immediately says that there are none: the disk's master key is simply stored on the disk itself, giving you no protection at all.

This means BitLocker is only being used with the expectation for you to manually activate it later on – whenever you decide to do so, Windows will not need to spend time encrypting gigabytes of actual data, it will simply encrypt the master key. That's when BitLocker will prompt you to save the recovery password, too.

Dislocker should be able to access the drive using the --clearkey option.
Also for future reference:

Commonly the passwordless unlocking is implemented by using a TPM, which holds the key in a separate chip and only gives it to the OS if the entire boot process exactly matches its requirements. (That is, if you boot e.g. Linux on the same computer, the boot log will result in a different PCR hash and the TPM-sealed key will not be retrievable.)

If your disk actually had e.g. TPM protection enabled but did not have a recovery key, you could add one using manage-bde c: -protectors -add -recoverypassword.

(Alternatively, you can add a recovery key file using the -recoverykey option and use it with Dislocker's --bekfile=.)

However, again, in your case there is no "main" protector added yet. So if you want to protect the data, you should instead start by adding a -tpm or -password protector, then add a recovery key as the second option.
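A small check that applies the distinction the answer draws, added here as an example (not part of the original answer): it parses the text of manage-bde -status and reports whether a volume is encrypted with a clear key, has its protectors suspended, lacks a recovery password, or is fully protected. The first sample is the question's own output (trimmed to the relevant fields); the second sample and the state labels are constructed for this example.

```python
import re

# Sample taken from the question's `manage-bde -status c:` output (trimmed).
STATUS_CLEAR_KEY = """\
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off
    Key Protectors:       None Found
"""

# Constructed sample (not from the page): TPM plus recovery password present.
STATUS_PROTECTED = """\
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
    Key Protectors:
        TPM
        Numerical Password
"""

NOT_ENCRYPTED, CLEAR_KEY, SUSPENDED, NO_RECOVERY, PROTECTED = (
    "not-encrypted", "clear-key", "suspended", "no-recovery-password", "protected")

def parse_status(text):
    """Split manage-bde -status output into field values and protector names."""
    fields, protectors = {}, []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
        elif line.startswith(" " * 8) and line.strip():
            protectors.append(line.strip())  # names listed under "Key Protectors:"
    return fields, protectors

def classify(text):
    """Map one status block to the states the answer distinguishes."""
    fields, protectors = parse_status(text)
    if not fields.get("Conversion Status", "").endswith("Encrypted"):
        return NOT_ENCRYPTED
    if not protectors:
        # Data is encrypted, but the master key sits unprotected on the disk
        # (the state dislocker --clearkey opens); "Protection Off" confirms it.
        return CLEAR_KEY
    if fields.get("Protection Status") == "Protection Off":
        return SUSPENDED  # protectors exist but are disabled: clear key again
    if "Numerical Password" not in protectors:
        return NO_RECOVERY  # unlockable, but nothing to fall back on
    return PROTECTED
```

Running classify() over the output of each managed machine turns the "encrypted but unprotected" state from the question into something an inventory script can flag.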