
BitLocker Encryption option gone

By John Parsons

After deactivating the encryption with BitLocker and installing Ubuntu 20.04 LTS, the encryption service BitLocker Drive Encryption is gone. My assumption is that turning off Secure Boot in the BIOS made this happen. Has anybody experienced the same and gotten BitLocker to work again? I am not sure whether I may enable Secure Boot again with the dual-boot Windows 10 and Ubuntu setup, and whether this would fix the problem.

The following message occurs when checking the TPM:

Device Encryption Support Reasons for failed automatic device encryption: PCR7 binding is not supported

For now, I changed the settings to Secure Boot enabled, legacy disabled. The BitLocker encryption option appeared again. The question now is whether Ubuntu still works after the encryption. Does anyone have experience with changing the Secure Boot setting and BitLocker encryption after installing Ubuntu?

Thanks


1 Answer

Bitlocker has several layers of keys to get to the "Full Volume Encryption Key" (FVEK) which is used to actually encrypt your data. The FVEK is encrypted by the "Volume Master Key" (VMK), which itself is encrypted, but with multiple (6?) ways to get its encryption key. Three of these six ways use some of the internal registers, the PCR Config registers -- change the wrong PCR register, and that decryption mechanism no longer works. Changes like firmware updates, and who knows what else, may change these registers.

If using Bitlocker, you really should set up at least one of the other three mechanisms to decrypt the VMK:

  1. Clear Key -- (on USB or even written down).
  2. Startup Key or Recovery Key -- Usually tucked away in your Microsoft Account, so worth setting up the account just for this key backup.
  3. Recovery Password -- Produces the VMK after various manipulations.

Since you have little or no control over the PCR registers, don't know what changes them and don't even know which ones may be used for decrypting the VMK, you are on dangerous ground if you are relying on them to decrypt your bitlocked volume. The worst case would be a firmware update which cannot be backed out but which changes a PCR register.
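An added example, not part of the answer above: a PowerShell check that shows whether the OS volume's only protectors are TPM/PCR-bound and, if so, adds the recovery password protector the answer recommends. It assumes an elevated session on Windows 10/11 with the BitLocker and TrustedPlatformModule modules, and that the OS volume is C:.

```powershell
# Added example (not from the original post). Assumes elevated PowerShell on
# Windows 10/11; $MountPoint is an assumption (the OS volume letter).
$MountPoint = "C:"

# Firmware state that feeds the PCR7 measurement: Secure Boot on/off.
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = $false   # cmdlet throws on legacy BIOS / CSM boot
}
$tpm = Get-Tpm
Write-Host "Secure Boot enabled : $secureBoot"
Write-Host "TPM present / ready : $($tpm.TpmPresent) / $($tpm.TpmReady)"

$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host "Protection status   : $($vol.ProtectionStatus) (volume: $($vol.VolumeStatus))"

# Each key protector is one independent way to unwrap the VMK.
# Tpm, TpmPin, TpmStartupKey and TpmPinStartupKey all depend on PCR values;
# RecoveryPassword, ExternalKey (startup key) and Password do not.
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
Write-Host "Key protector types : $($types -join ', ')"

$pcrFree = @("RecoveryPassword", "ExternalKey", "Password")
$hasPcrFreeProtector = ($types | Where-Object { $pcrFree -contains $_ }).Count -gt 0

if (-not $hasPcrFreeProtector) {
    Write-Warning "Every protector on $MountPoint depends on TPM/PCR state; a firmware or Secure Boot change could lock the volume."
}

if ($types -notcontains "RecoveryPassword") {
    # Add the 48-digit recovery password protector and print it once so it can
    # be stored off the machine (Microsoft account, AD or printed copy).
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" } |
        Select-Object -First 1
    Write-Host "Added recovery password protector $($rp.KeyProtectorId)"
    Write-Host "Recovery password (store off-device): $($rp.RecoveryPassword)"
    # Domain-joined machines can escrow it in AD:
    # Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
}

# Show the PCR validation profile of each TPM protector, so it can be compared
# before and after a firmware or Secure Boot change.
manage-bde -protectors -get $MountPoint
```

Running it before toggling Secure Boot or applying a firmware update gives a record of which PCRs the TPM protector is sealed to and guarantees a PCR-independent way back into the volume.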
