12
4
I have just installed Ubuntu side-by-side to a Windows 10 partition shipped on a new laptop.
Meaning, the laptop shipped with Windows 10, and I installed Ubuntu alongside the Windows partition using an Ubuntu Desktop installation ISO through a flash drive.
Now every time I boot into the Windows boot manager, BitLocker wants me to enter the long BitLocker recovery key. A few questions ―
- Why actually is BitLocker affected by the new boot loader set up by Ubuntu? a naive thought would be that the BitLocker decryption key is stored on the motherboard TPM, and isn't affected by a new boot loader installation, and that is probably true as otherwise Windows would no longer be able to read its own files. So why is BitLocker even requiring the recovery key now?
- The Ubuntu side-by-side install said something about fiddling boot protection, but it remains elusive whether that's related to the TPM or a separate security mechanism.
- The Ubuntu installer even asked for a pass-phrase that should help re-establish secure boot, but I was not prompted to use it anywhere after booting with neither the Ubuntu nor the Windows boot loaders, after the install.
- How do I make BitLocker trustful again? in Windows 10, I only see an option to disable disk encryption altogether, but am not sure why can't it just keep going.
- Turning encryption off and then on (in Windows) seems like an overkill and I've no idea, whether it will scramble my Ubuntu partition while at it.
In Windows, after supplying the recovery key, I can see that device encryption is on. So my understanding is that my Windows partition is still decrypting its own files, whereas my Ubuntu partition isn't asking the TPM to encrypt its files when writing them nor decrypt them when reading them.
@ramhound Thanks, but BitLocker came pre-installed... not sure about the nature of the vicious cycle you describe here, so obviously I won't go down that path just to find out how it further complicates matters. – matt – 2017-12-20T18:28:34.673
Makes sense. Not sure why doesn't the trust recover after the first time I enter the correct recovery key then. – matt – 2017-12-20T18:29:33.013
Well as said, that's how the laptop shipped, so I'd call that "by default" enough in my case :-) – matt – 2017-12-20T18:30:37.267
In that case, turning encryption off in Windows 10 (which I guess would turn off the entire BitLocker thing) might be the only practical path, at the obvious cost of no longer having that kind of data protection. Although Ubuntu does have some support. Lets see if any different yet solid, advice, comes up..
– matt – 2017-12-20T18:32:29.427mmmm yes, but then the whole drive gets encrypted and Ubuntu can't read its own partition, supposedly – matt – 2017-12-20T18:35:25.607
Ubuntu can only use the recovery key it doesn’t seem to support TPM which is the reason Windows is now using it. You can encrypt the drive in a way the TPM isn’t used, I believe the use of the TPM is optional, even if one is installed. – Ramhound – 2017-12-20T18:39:00.357
Although https://askubuntu.com/questions/617950/use-windows-bitlocker-encrypted-drive-on-ubuntu-14-04-lts
– matt – 2017-12-20T18:41:33.0631
@Ramhound - BitLocker Device Encryption is enabled by default since Windows 8.1 if it has the proper hardware and the user signs in with a Microsoft Account, and Windows 10 expanded on that. https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10 - To the OP, did you disable secure boot on your system so you could install Linux?
– Appleoddity – 2017-12-20T19:05:18.693@Appleoddity yes, the Ubuntu side-by-side installer mentioned doing that. It also asked me to invent a pass-phrase for it, not sure where that pass-phrase is actually used – matt – 2017-12-20T19:11:36.867
1I'm not either. But, I'm pretty sure secure boot needs to be enabled to use BitLocker the way you expect it to work. You should be able to go in to your BIOS and enable secure boot. Then, you may have to look through your boot order options and try tweaking a couple things there. I'm not sure how Linux works with Secure boot. But, I would at least turn it on, and see if you can Windows to boot without requiring a key, even if that temporarily breaks the Linux installation. It would be a good test. – Appleoddity – 2017-12-20T19:14:10.847
When I disabled BitLocker, encryption automatically suspended too, as per the relevant Windows settings window... arguably the full scope of the relationship between the two does exhibit some disconnect in the user facing settings windows and error messages.... but I've managed to solve and post my answer below – matt – 2017-12-20T20:03:43.950
Ramhound and Appleoddity thanks again for your kindness! – matt – 2017-12-31T17:31:20.893
If i press "Turn off Bitlocker" Windows warns that it would be long running processes of entire drive decription. Will my Ubuntu installation keep working after that? – javapowered – 2018-05-14T18:51:58.533
Also I found this article that may be related. it suggest to move all ubuntu files to ubuntu partition or something like this https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx#Method_3
– javapowered – 2018-05-14T19:39:45.830Does this answer your question? Ubuntu Windows 10 Dual boot with TPM & Bitlocker
– Ramhound – 2019-12-26T18:06:38.843