BitLocker asking for protection code after Ubuntu installation

12

4

I have just installed Ubuntu side-by-side to a Windows 10 partition shipped on a new laptop.

Meaning, the laptop shipped with Windows 10, and I installed Ubuntu alongside the Windows partition using an Ubuntu Desktop installation ISO through a flash drive.

Now every time I boot into the Windows boot manager, BitLocker wants me to enter the long BitLocker recovery key. A few questions ―

  1. Why actually is BitLocker affected by the new boot loader set up by Ubuntu? A naive thought would be that the BitLocker decryption key is stored on the motherboard TPM and isn't affected by a new boot loader installation, and that is probably true, as otherwise Windows would no longer be able to read its own files. So why is BitLocker even requiring the recovery key now?
  2. The Ubuntu side-by-side install said something about fiddling boot protection, but it remains elusive whether that's related to the TPM or a separate security mechanism.
  3. The Ubuntu installer even asked for a pass-phrase that should help re-establish secure boot, but I was not prompted to use it anywhere after booting with neither the Ubuntu nor the Windows boot loaders, after the install.
  4. How do I make BitLocker trustful again? In Windows 10, I only see an option to disable disk encryption altogether, but am not sure why it can't just keep going.
  5. Turning encryption off and then on (in Windows) seems like overkill, and I've no idea whether it will scramble my Ubuntu partition while at it.

In Windows, after supplying the recovery key, I can see that device encryption is on. So my understanding is that my Windows partition is still decrypting its own files, whereas my Ubuntu partition isn't asking the TPM to encrypt its files when writing them nor decrypt them when reading them.

matt

Posted 2017-12-20T18:18:05.210

Reputation: 248

@ramhound Thanks, but BitLocker came pre-installed... not sure about the nature of the vicious cycle you describe here, so obviously I won't go down that path just to find out how it further complicates matters. – matt – 2017-12-20T18:28:34.673

Makes sense. Not sure why the trust doesn't recover after the first time I enter the correct recovery key then. – matt – 2017-12-20T18:29:33.013

Well as said, that's how the laptop shipped, so I'd call that "by default" enough in my case :-) – matt – 2017-12-20T18:30:37.267

In that case, turning encryption off in Windows 10 (which I guess would turn off the entire BitLocker thing) might be the only practical path, at the obvious cost of no longer having that kind of data protection. Although Ubuntu does have some support. Let's see if any different yet solid advice comes up...

– matt – 2017-12-20T18:32:29.427

mmmm yes, but then the whole drive gets encrypted and Ubuntu can't read its own partition, supposedly – matt – 2017-12-20T18:35:25.607

Ubuntu can only use the recovery key; it doesn't seem to support the TPM, which is the reason Windows is now using it. You can encrypt the drive in a way the TPM isn't used; I believe the use of the TPM is optional, even if one is installed. – Ramhound – 2017-12-20T18:39:00.357

1

@Ramhound - BitLocker Device Encryption is enabled by default since Windows 8.1 if it has the proper hardware and the user signs in with a Microsoft Account, and Windows 10 expanded on that. https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10 - To the OP, did you disable secure boot on your system so you could install Linux?

– Appleoddity – 2017-12-20T19:05:18.693

@Appleoddity yes, the Ubuntu side-by-side installer mentioned doing that. It also asked me to invent a pass-phrase for it, not sure where that pass-phrase is actually used – matt – 2017-12-20T19:11:36.867

1

I'm not either. But, I'm pretty sure secure boot needs to be enabled to use BitLocker the way you expect it to work. You should be able to go into your BIOS and enable secure boot. Then, you may have to look through your boot order options and try tweaking a couple of things there. I'm not sure how Linux works with Secure Boot. But, I would at least turn it on, and see if you can get Windows to boot without requiring a key, even if that temporarily breaks the Linux installation. It would be a good test. – Appleoddity – 2017-12-20T19:14:10.847

When I disabled BitLocker, encryption automatically suspended too, as per the relevant Windows settings window... arguably the full scope of the relationship between the two does exhibit some disconnect in the user-facing settings windows and error messages.... but I've managed to solve it and post my answer below – matt – 2017-12-20T20:03:43.950

Ramhound and Appleoddity thanks again for your kindness! – matt – 2017-12-31T17:31:20.893

If I press "Turn off BitLocker", Windows warns that it would be a long-running process of decrypting the entire drive. Will my Ubuntu installation keep working after that? – javapowered – 2018-05-14T18:51:58.533

Also I found this article that may be related. It suggests moving all Ubuntu files to the Ubuntu partition, or something like this: https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx#Method_3

– javapowered – 2018-05-14T19:39:45.830

Does this answer your question? Ubuntu Windows 10 Dual boot with TPM & Bitlocker

– Ramhound – 2019-12-26T18:06:38.843

Answers

3

This issue is that Windows does not consider GRUB as a secure component. Thus, whenever you boot to Windows coming from GRUB, Windows considers the boot sequence might have been compromised, and forces a key re-entry.

The only way I know to fix this is to not use GRUB altogether. You can either

  • choose the boot sequence directly through your BIOS menu (the solution I use, I just have to enter F12 during boot, and BIOS gives the choice between the boot scenarios)
  • or use the Windows boot loader and add the Linux options to it (see here for how to achieve that).

Mic

Posted 2017-12-20T18:18:05.210

Reputation: 131

2

With a lot of help from the kind people in the comments, I was able to elegantly get past the problem. This was the elegant solution, taken from here:

To make BitLocker regain trust, I simply disabled and then re-enabled BitLocker:

"C:\Windows\system32\manage-bde.exe" -protectors -enable c:

"C:\Windows\system32\manage-bde.exe" -protectors -disable c:

I assume that now Windows uses BitLocker and disk encryption through the TPM just as before, and Ubuntu simply does not.

It is possible to install some Ubuntu stuff that makes it work like BitLocker (thus presumably also enabling sharing partitions between Windows and Ubuntu), but I think that for now Ubuntu does not use the TPM hardware, so it would store the entire encryption key on disk, defeating the purpose of the encryption, so not worth it I guess.

So BitLocker was aware of the boot manipulation, justifiably causing it to await a trust-regaining event even though the TPM integration remained intact. Entering the protection key and then using the above couple of commands in Windows made it re-enter the state of trust, regaining normal operation.

matt

Posted 2017-12-20T18:18:05.210

Reputation: 248

4

This does not solve the issue, since it simply disables BitLocker with the last command. So you will end up with disabled BitLocker, and that's why it does not ask for the recovery key again. – Stefan Profanter – 2018-03-16T16:08:13.140

I ran into the same problem (always asking for the recovery key). I tried the -disable command you suggest, and it booted up nicely, but when I enabled it again it asked for the key. My question is: did permanently disabling BitLocker create any problems you are aware of? Is this a practical solution? – Olivier Bégassat – 2018-04-29T08:40:27.563

@OlivierBégassat Disabling BitLocker means no encryption of your data on the disk, I believe. – Wojtek – 2018-06-10T10:18:24.937

2

@SailAvid +1, and when I run disable and enable (instead of enable and then disable) BitLocker is still asking me for the key at startup. So this solution does not help. – Wojtek – 2018-06-10T10:20:07.793

0

I had this problem as well, and I found this workaround by accident:

With my setup, I get GRUB screen, where I can select between these options:

  • Ubuntu
  • Advanced options for Ubuntu
  • Windows Boot Manager (on /dev/sda2)
  • System Setup

When I select the Windows Boot Manager option, I get stopped at the BitLocker recovery screen.

However, if I simply hit ESC, I am taken to a GRUB terminal. When I type exit into the terminal, the terminal disappears and Windows starts up. With this flow, I don't hit the BitLocker recovery screen.

kevinjkirch

Posted 2017-12-20T18:18:05.210

Reputation: 1

-1

The only solution I've found is to change the boot order in the BIOS to let the Windows boot loader be on top. This method makes booting Ubuntu a bit troublesome, as I have to stop the normal boot and choose "Select a Temporary Boot Device" in order to enter GRUB from there. This way I can avoid BitLocker getting angry at GRUB and asking for a key if I want to use Windows. For me it's not a big problem, as I mainly use Windows to do most of my work.

Stian Danielsen

Posted 2017-12-20T18:18:05.210

Reputation: 11

This is what helped me too. After spending ~6 hours fighting the system, changing boot order is the only thing that works. My F12 key will probably wear out at this point but oh well. – parity3 – 2019-10-12T06:51:08.403

-1

There's a really good answer here: Ubuntu Windows 10 Dual boot with TPM & Bitlocker from user1686.

It tells you how to configure the EFI Boot Manager so that you can boot directly into Windows and avoid the recovery key prompt, but then also set it to boot to Linux on the next go-around, or vice versa. Basically, by telling the firmware to boot directly into either OS instead of going through GRUB, you can get dual boot and Windows / BitLocker will be happy.

Wade

Posted 2017-12-20T18:18:05.210

Reputation: 319
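The firmware-direct boot that this answer and the BIOS boot-menu answers above describe, as an added shell example that is not from the thread or from user1686's post: it parses efibootmgr output to find the firmware's own Windows Boot Manager entry and sets BootNext for a single reboot, so GRUB is not in the boot chain the TPM measures and BitLocker's TPM-sealed key is released as usual, while BootOrder (and GRUB as the default) is left alone. The sample efibootmgr output, its entry numbers and its device paths are constructed for the example; the real efibootmgr exists only on UEFI systems and needs root to change firmware variables.

```shell
#!/bin/sh
# Added example, not code from this thread: boot Windows once via the firmware's own
# "Windows Boot Manager" entry so GRUB is never part of the measured boot chain.
# Assumes efibootmgr is installed; root is needed for anything but a dry run.

# Read efibootmgr output on stdin and print the 4-hex-digit number of the entry whose
# label equals $1 (with or without the device path newer efibootmgr appends after a tab).
# Fails if there is no match or more than one, so a wrong entry is never chosen.
find_boot_entry() {
    label="$1"; found=""; count=0
    tab=$(printf '\t')
    while IFS= read -r line; do
        case "$line" in
            Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]*) ;;   # BootNNNN entries only
            *) continue ;;                                        # skip BootOrder:, Timeout:, ...
        esac
        num=${line#Boot}; num=${num%%[!0-9A-Fa-f]*}
        rest=${line#Boot????}; rest=${rest#\*}; rest=${rest# }     # drop number and active flag
        rest=${rest%%"$tab"*}                                      # drop device path, if any
        if [ "$rest" = "$label" ]; then found=$num; count=$((count + 1)); fi
    done
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$found"
}

# Ask the firmware to boot the named entry exactly once (BootNext); the firmware clears
# BootNext after use, so BootOrder and GRUB as the default stay untouched. EFIBOOTMGR
# overrides the listing command (used by the offline test); DRY_RUN=1 only prints the command.
boot_next() {
    num=$("${EFIBOOTMGR:-efibootmgr}" | find_boot_entry "$1") ||
        { echo "no unique boot entry labelled '$1'" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "efibootmgr --bootnext $num"
    else
        efibootmgr --bootnext "$num"
    fi
}

# Constructed sample of efibootmgr output (hypothetical GUIDs and device paths).
sample_efibootmgr_output() {
    printf 'BootCurrent: 0002\nTimeout: 0 seconds\nBootOrder: 0000,0001,0002\n'
    printf 'Boot0000* ubuntu\tHD(1,GPT,00000000-0000-0000-0000-000000000001)/File(\\EFI\\ubuntu\\shimx64.efi)\n'
    printf 'Boot0001* Windows Boot Manager\tHD(1,GPT,00000000-0000-0000-0000-000000000001)/File(\\EFI\\Microsoft\\Boot\\bootmgfw.efi)\n'
    printf 'Boot0002* UEFI: USB Flash Drive\tPciRoot(0x0)/Pci(0x14,0x0)/USB(1,0)\n'
}

# Usage: DRY_RUN=1 ./boot_next.sh "Windows Boot Manager"  (drop DRY_RUN and run as root to apply)
if [ $# -gt 0 ]; then boot_next "$1"; fi
```

The same call with "ubuntu" (or whatever label the firmware lists) boots Linux directly on the next reboot, which is the alternating scheme the answer refers to.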