Is it possible to re-lock a bitlocker drive?

11

4

I'm running a partition with bitlocker on a Windows 7 Ultimate machine, which contains secure data that I have to recover infrequently. Unlocking it to access the data is obviously no problem, but is there a way to re-lock the partition when I'm done? The best I've found so far is this: http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/41607938-7452-440d-8253-67fe8657bc0f

Currently I have a .bat script on that drive that I can run as administrator, and that re-locks the drive, but it feels like kind of a hackish solution. Does anyone have anything better? Any idea when Microsoft might release a fix for this?

Sean Edwards

Posted 2010-03-31T05:10:36.703

Reputation: 298

Just to clarify it: you have to get to the data from "outside" of that machine (or, more specifically, outside of the OS running the BitLocker driver)? – akira – 2010-03-31T05:26:52.047

No, I am accessing the data locally from the OS that made the BitLocker partition. I'm trying to lock the partition again when the drive access is complete. – Sean Edwards – 2010-04-02T22:53:14.953

The accepted answer has the drawback of needing to enter your administrator's password in order to lock the drive. If you want to avoid that and you are running on Windows 10 you can install Penteract Disguised Keyboard Detector from the Windows Store. I'm not posting this as an answer because it's 3rd party software. But maybe this can help someone. – User42 – 2019-04-12T11:25:40.773

Answers

7

How I solved it:

  1. Click on the Start orb
  2. Enter "cmd" in the search field
  3. Right-click on "cmd" and "Send to" -> "Desktop"
  4. Right-click on "cmd" and then click on "Properties"
  5. In the tab "Shortcut" click on "Advanced / Enhanced"
  6. Check "Run as Admin"
  7. Click "OK" - "Apply" - and "OK"

Optional steps:

  1. Give the short-cut the name "BitLocker"
  2. Right-click on "Properties" and again under "short-cuts" click on "Change Symbol..."
  3. Click on "Search" and at the pull-down "Symboldata" choose "All Data"
  4. Choose a random file that definitely has no icon (e.g. a picture) and click "Open"
  5. Confirm the error message by clicking "OK" and choose a nice icon
  6. Drag the icon onto the task bar

After that just enter:

manage-bde -lock E:

(E: just stands for a random HDD, choose the right one)

ThorstenHH89

Posted 2010-03-31T05:10:36.703

Reputation: 71

manage-bde will not work on a drive without a drive letter – bfrguci – 2016-04-15T19:56:36.537

You can avoid entering an admin password like this, but you need to install an app for that. – User42 – 2019-03-19T20:04:58.923

1

There is no way to lock a drive using BitLocker GUI tools. The only two supported methods are using manage-bde -lock X: as has been mentioned or using the Win32_EncryptableVolume::Lock method of the BitLocker WMI interface.

What is the threat you're trying to mitigate by re-locking the drive? The drive will lock automatically when the system shuts down, so it's not as though your data is vulnerable forever until you manually re-lock the volume. An attacker would have to somehow grab the decryption key out of memory from the running system to be able to access the data on your encrypted volume.

The moderator of the forum you linked to is incorrect. This is not a "security bug." It is simply a UX decision to only expose an advanced option through command line and WMI interfaces rather than GUI interfaces.

mtlynch

Posted 2010-03-31T05:10:36.703

Reputation: 451

The 'advanced option' here is effectively a desire to re-secure one's data. I agree it is certainly a deliberate UX decision to omit from the UI but, based on the sheer number of Google questions, one that is sorely missed. – fostandy – 2017-01-28T14:46:50.613
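The answer above names the Win32_EncryptableVolume WMI interface as the second supported way to lock a volume. The following PowerShell script is an added example (not from this thread or from Microsoft's documentation) that locks a volume through that class, checks the protection and lock status before and after, and looks the volume up by DeviceID when it has no drive letter, which is the case bfrguci's comment says manage-bde cannot handle. It uses Get-WmiObject so it works on the Windows 7 / PowerShell 2.0 generation the question is about; the default drive letter and the DeviceID parameter are assumptions to adjust, and it must be run from an elevated prompt.

```powershell
# Lock-BitLockerVolume.ps1 (added example, not the thread's own code)
# Locks a BitLocker volume via the Win32_EncryptableVolume WMI class.
# Run from an elevated (Run as administrator) PowerShell window.
param(
    [string]$DriveLetter = 'E:',   # assumed default; change to your data volume
    [string]$DeviceId    = '',     # assumed: a \\?\Volume{...}\ path (see "mountvol") for a volume without a letter
    [switch]$ForceDismount         # dismount even if files on the volume are open
)

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Look the volume up by DeviceID when given (volumes with no drive letter),
# otherwise by drive letter.
if ($DeviceId) {
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume |
           Where-Object { $_.DeviceID -eq $DeviceId }
} else {
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
                         -Filter "DriveLetter='$DriveLetter'"
}
if (-not $vol) { throw "No BitLocker-capable volume found for '$DriveLetter$DeviceId'" }

# ProtectionStatus 1 = key protectors active. 0 means fully decrypted or
# protection suspended: there is nothing to lock, so stop here instead of
# letting Lock() fail with an opaque HRESULT.
if ($vol.ProtectionStatus -ne 1) {
    throw "Volume is not protected (ProtectionStatus=$($vol.ProtectionStatus)); it cannot be locked"
}

# GetLockStatus: LockStatus 0 = unlocked, 1 = locked.
$before = $vol.GetLockStatus()
if ($before.LockStatus -eq 1) {
    Write-Host "Volume is already locked"
    return
}

# Lock(ForceDismount): $false fails while handles are open on the volume,
# $true dismounts regardless (same effect as manage-bde -ForceDismount).
$result = $vol.Lock([bool]$ForceDismount)
if ($result.ReturnValue -ne 0) {
    throw ("Lock failed, HRESULT 0x{0:X8} (open files? retry with -ForceDismount)" -f $result.ReturnValue)
}

# Verify the new state rather than trusting the return code alone.
$after = $vol.GetLockStatus()
if ($after.LockStatus -ne 1) { throw "Lock returned success but the volume is still unlocked" }
Write-Host "Locked volume $($vol.DriveLetter)$($vol.DeviceID)"
```

Usage from an elevated prompt: `.\Lock-BitLockerVolume.ps1 -DriveLetter E:`, or `.\Lock-BitLockerVolume.ps1 -DeviceId '\\?\Volume{...}\'` for a volume that has no letter. Checking ProtectionStatus first matters because a volume whose protection is suspended looks unlocked but cannot be locked, and the post-lock GetLockStatus call catches the case where the call returns 0 but a dismount was refused.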

-1

1) Create a lock.cmd file somewhere and type inside of it:

manage-bde -lock -ForceDismount f:

where f is the drive you want to re-lock.

2) Create a shortcut to lock.cmd, for example on the desktop.

3) Right click on the shortcut > Properties > Advanced > Check Run as administrator.

4) Double click on the shortcut to re-lock your drive.

Marco Lackovic

Posted 2010-03-31T05:10:36.703

Reputation: 506

"Currently I have a .bat script on that drive that I can run as administrator, and that re-locks the drive" - how is your solution different? – Máté Juhász – 2017-04-27T13:08:15.743

@MátéJuhász It provides clear and concise steps for those who don't know how to do it – Marco Lackovic – 2017-04-27T14:34:05.077
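Both ThorstenHH89's and Marco Lackovic's answers come down to running `manage-bde -lock` from an elevated shortcut. The script below is an added example (not code from either answer) that wraps that command in PowerShell so the shortcut fails clearly instead of silently: it checks that the token is actually elevated, passes -ForceDismount only when asked, inspects manage-bde's exit code, and confirms the result from `manage-bde -status`. The drive letter is an assumption; the "Lock Status" label it matches on is the English manage-bde output and differs on localized systems.

```powershell
# Lock-Drive.ps1 (added example, not from the answers above)
# Wraps "manage-bde -lock" with an elevation check and post-lock verification.
param(
    [string]$Drive = 'F:',    # assumed default; the drive to re-lock
    [switch]$ForceDismount    # dismount even if files on the drive are open
)

# manage-bde needs an elevated token. A shortcut without "Run as administrator"
# would otherwise fail with an unhelpful access-denied message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated (Run as administrator) prompt or shortcut"
}

# Build the argument list; -ForceDismount is only added on request because a
# forced dismount can lose unsaved writes to the volume.
$cmdArgs = @('-lock')
if ($ForceDismount) { $cmdArgs += '-ForceDismount' }
$cmdArgs += $Drive

& manage-bde.exe @cmdArgs | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde -lock $Drive failed with exit code $LASTEXITCODE (open files? retry with -ForceDismount)"
}

# Verify from the status report instead of trusting the exit code alone.
# "Lock Status:" is the English label; adjust the pattern on localized systems.
$status = (& manage-bde.exe -status $Drive) -join "`n"
if ($status -notmatch 'Lock Status:\s+Locked') {
    throw "manage-bde reported success but $Drive does not show as locked"
}
Write-Host "$Drive is locked"
```

Point the desktop shortcut at `powershell.exe -ExecutionPolicy Bypass -File C:\path\Lock-Drive.ps1 -Drive F:` with "Run as administrator" checked, exactly as the answers describe for lock.cmd; the only difference is that a failed lock now stops with a message rather than closing the window as if it had worked.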