1
BitLocker to Go volumes are fully supported on Windows 7 and later. For compatibility with systems running Windows XP or Windows Vista, a utility called BitLocker to Go Reader (archived) is provided to enable read-only access to the volume on these older systems.
The BitLocker to Go Reader, bitlockertogo.exe, is included on encrypted volumes as an unencrypted file that is readable by older versions of Windows:
By default, BitLocker To Go Reader is stored on an un-encrypted part of removable drives that are protected with BitLocker. (Source)
However, if BitLocker is supposed to encrypt the entire volume, including filesystem metadata, how does it leave a file unencrypted and readable in this manner? Does this mean that it leaves a portion of the volume's filesystem metadata unencrypted for this purpose? (If so, how does it do this without interfering with the rest of the filesystem, and how does it ensure that the encrypted portions are not accidentally overwritten by the legacy OS?) Note that this does not work on NTFS volumes:
To use BitLocker To Go Reader on a computer that is running Windows XP or Windows Vista, your BitLocker-protected removable drive must be formatted by using the exFAT, FAT16, or FAT32 file system. If the drive is NTFS formatted, it can only be unlocked on a computer that is running Windows 7.
bwDraco
Posted 2015-08-09T01:19:07.073
Reputation: 41 701
The Bitlocker To Go Reader software is an exception to "all data is encrypted" rule – albal – 2015-08-09T01:38:26.887
The question is how does it do this without interfering with the encrypted portion of the volume and while maintaining compatibility with Windows XP and Windows Vista. – bwDraco – 2015-08-09T01:40:27.023
Related info: http://forensicswiki.org/wiki/BitLocker_Disk_Encryption#BitLocker_To_Go, https://github.com/libyal/libbde/blob/master/documentation/BitLocker%20Drive%20Encryption%20%28BDE%29%20format.asciidoc, http://jessekornblum.com/presentations/dodcc10-1.pdf -- looks like it just wraps the encrypted data in a FAT32 FS. Don't know how they prevent chkdsk/fsck from noticing and accidentally clearing the used space, though I suppose that isn't too important - this is for data privacy, not integrity. Oh, also possible: the actual partition is bigger than the FAT32 FS metadata.
– Bob – 2015-08-09T01:50:47.223Sorry if I am still missing the point/question. It Autoruns Reader on a Legacy OS or expects Reader to be installed. If neither are available then there is nothing to prevent someone formatting the partitioned but unreadable drive. – albal – 2015-08-09T01:55:32.443
Nup, checked and the wrapper FS's size matches the drive size. So they're doing something else to mark the encrypted section as 'off-limits'. @albal, the point is that there is some portion of the drive that is not encrypted and can be read by any standard FAT reader. Nothing will prevent an intentional reformat, but it will prevent an accidental one, and provides a copy of the reader without having to download one separately. – Bob – 2015-08-09T03:45:11.187