How to encrypt entire HDD without any password prompts?

Question

Before you dismiss this as silly, let me explain :)

The only purpose of this encryption is to make the data inaccessible if the drive breaks down and I want to send it off for warranty replacement. This system needs to be able to boot without my supervision when I'm away - which precludes the use of any passwords. Right now I'm stuck with a drive that I can't warranty-replace, because it's too broken for me to wipe it.

Ideally the encryption would be based on a keyfile stored on the (unencrypted) system drive.

Options I've considered:

• TrueCrypt: requires the system disk to be encrypted too before it will agree to auto-mount (which requires the use of a password).
• BitLocker: unsupervised decryption impossible without a TPM module. Maybe it's possible with one? But my motherboards don't have TPM anyway.
• EFS: almost suitable, but cannot enable for the whole drive and copied files remain encrypted even when copied to a folder with no "encrypt" flag, both of which will be problematic in practice.

Answer 1

The key has to be somewhere other than on the encrypted drive, because logic.

Typically the key is stored in one of three places:

• In the user's head (or, since keys are hard to store in a head, a password is stored that can be used to derive the key)
• in a TPM module inside the computer
• on a removable token, such as a smart card or USB fob

From your description you want option 3, a removable token that you leave with the machine except when you send it off for repair.

However, you might have a bit of trouble finding a product that suits, as yours is a very unusual use case. Lots of software supports removable tokens, but typically they only use it with a password, either to

• provide a backup of a password-derived key in case the user forgets the password
• provide two-factor authentication, where you need the token in conjunction with a password.

Answer 2

For any drive that isn't C: the following procedure works:

• Encrypt it with BitLocker using just a password
• run the mountvol command to get a list of volumes. Find your encrypted volume in this list. Grab it's volume path; it will be something like \\?\Volume{5de20e5f-cc06-386e-f647-c2f00ed1f4d9}\
• Create a Task in Task Scheduler to unlock it:
  • trigger on System Startup
  • run whether user is logged in or not (do not store password)
  • run with highest privileges
• The action settings are:
  • program: powershell
  • arguments: -command "Unlock-BitLocker ""\\?\Volume{5de20e5f-cc06-386e-f647-c2f00ed1f4d9}\""" -Password ("""MyBitLockerPassword123""" | ConvertTo-SecureString -AsPlainText -Force)"

So obviously your password gets saved in plain text on the system drive, but that's exactly what I wanted anyway. Now I can warranty-return any drive other than the system drive without wiping it and without being present to enter a password after reboot.

Answer 3

From what i understand, you want to protect the data on your disk if you send it away to a repair shop?

Are to able to access the disk at all? There is no need to apply such hard encryptions on the entire disk IMHO.

Partition the disk and encrypt your personal partition or/and volume. Grab a copy of hirens boot cd to partition the broken drive. You should be able to shrink your personal area and open up an empty partition.

however i do believe a repair shot is not responsible for the data on your disk and can/will replace it and send the copy with your data to a analysis center. Your data in this case will be long gone.

I suggest you hardclone the disk and inspect the information on your new disk. Best of luck!

Answer 4

Store the encryption key on a second medium (USB, SD card). Primary storage is inaccessible without the key. You can make backup copies of the encryption key.

If the drive dies, erase/crush/destroy the USB/SD card.

Also, you can remove the "key" from the computer, and the data won't be accessible.