Use bitlocker with powershell on Windows
BitLocker is a volume encryption solution first made available in Windows Vista and Windows Server 2008. BitLocker Drive Encryption (BDE) has had its share of the issues that plague other Microsoft products, but many people around the world rely on it to keep their data secure at rest.
What is PowerShell?
Microsoft created PowerShell as an object-oriented automation engine and scripting language with an interactive command-line shell to assist IT professionals in automating administrative activities and configuring systems. PowerShell is part of the PowerShell family of tools.
In contrast to most command-line shells, which are text-based, PowerShell is built on the .NET framework and works with objects. Because of its scripting features, system administrators in internal IT departments and at managed service providers use PowerShell as an automation tool.
The original version of PowerShell was a closed-source solution exclusive to the Windows platform. In 2016, Microsoft released PowerShell as open-source software and made it compatible with macOS and Linux.
What exactly is PowerShell used for?
Microsoft developed PowerShell to automate system operations such as batch processing and to build administration tools for commonly used procedures. Like Perl, PowerShell is a scripting language that offers several different ways of automating operations.
PowerShell is a versatile tool that administrators can use to manage a wide range of tasks. It can retrieve information about the operating system, such as the precise version and service pack level. Data kept in specialized data stores can be accessed from the command line through “PowerShell providers”; the file system and the Windows registry are examples of such data stores.
Additionally, PowerShell can take the place of Microsoft’s Command Prompt, a program that has been around since the days of DOS. As of the build 14791 release of Windows 10, for instance, Microsoft made PowerShell the default command-line interface (CLI). Most people start with PowerShell as a command-line shell because this is the most straightforward way to learn the technology.
What is BitLocker?
BitLocker is a proprietary, easy-to-use encryption feature for Windows developed by Microsoft. It can encrypt your entire drive and protect your computer against unauthorized changes to its early boot environment, such as firmware-level malware.
BitLocker is available to anyone running Windows Vista or 7 Ultimate, Windows Vista or 7 Enterprise, Windows 8.1 Pro, Windows 8.1 Enterprise, or Windows 10 Pro. If you are using an Enterprise edition of Windows, your computer is most likely owned by a large organization, so you should talk to your IT department about enabling BitLocker encryption.
Most of us purchase personal computers that come preinstalled with the regular edition of Windows, which does not include the BitLocker encryption software. However, if you updated to Windows 8 during the original release of Microsoft’s dual-interface operating system, you will likely have Windows 8 or 8.1 Pro installed on your computer. In the early days of Windows 8, Microsoft offered upgrade licenses to Windows 8 Pro at a discounted price to anyone eligible to receive an update. If you upgraded from Windows 8.1 to Windows 10, that Pro upgrade was carried over to the new operating system.
Who should utilize the BitLocker software?
The catch with BitLocker is that its source code is not available. Users have no way of knowing whether the United States government pressured Microsoft into building a backdoor into the application, which is a concern for those who place an extraordinarily high value on their privacy.
The company claims there are no backdoors, but how can we be sure there are none? We cannot. Admittedly, most of us would not be able to audit BitLocker’s code for weaknesses even if it were open source, but someone, somewhere, would be capable of doing so.
Because BitLocker is a closed-source encryption application, I would not anticipate this encryption software to protect your data from being accessed by governmental actors such as customs officials or intelligence agencies. However, BitLocker is a good choice if you want to ensure that your information is secure in the event your personal computer is lost, stolen, or altered in any other way.
BitLocker PowerShell module
Launch a PowerShell console with elevated privileges to follow along with this guide. Execute the following command to display the various BitLocker module commands:
Get-Command -Module BitLocker
If the above command produces no output, you are probably running Windows Server. BitLocker ships already installed on the Windows 10 and 11 client operating systems, but on Windows Server you must enable it manually with the following PowerShell command:
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
This command installs BitLocker (with all subfeatures and management tools) and then restarts the server to finish the installation.
Get information about a BitLocker volume
Use the following command to learn more about the volumes (or drives) that BitLocker drive encryption may shield on your computer:
Get-BitLockerVolume
The cmdlet displays the most useful properties in a tidy tabular format. When used without any arguments, it shows all volumes. The -MountPoint parameter lets you select a specific volume. Use the following command, for instance, to view the status of the C: drive only:
Get-BitLockerVolume -MountPoint "C:"
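Beyond reading one volume's status, the same object model supports a quick compliance check. The script below is an added example, not code from the original post: it walks every volume returned by Get-BitLockerVolume and flags configurations a defender would want to know about (protection off, encryption incomplete, a single key protector, or no recovery password).

```powershell
# Added example: audit all BitLocker volumes and flag weak configurations.
# Run in an elevated PowerShell session on a machine with the BitLocker module.
function Get-BitLockerAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtector is an array of protector objects; collect just their types.
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $findings = @()

        if ($vol.ProtectionStatus -ne 'On')            { $findings += 'protection off' }
        if ($vol.VolumeStatus -ne 'FullyEncrypted')    { $findings += "status $($vol.VolumeStatus)" }
        if ($types.Count -lt 2)                        { $findings += 'single key protector' }
        if ($types -notcontains 'RecoveryPassword')    { $findings += 'no recovery password' }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Method     = $vol.EncryptionMethod
            Percent    = $vol.EncryptionPercentage
            Protectors = ($types -join ', ')
            Findings   = if ($findings.Count) { $findings -join '; ' } else { 'ok' }
        }
    }
}

# One row per volume; anything other than 'ok' in Findings deserves attention.
Get-BitLockerAudit | Format-Table -AutoSize
```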
Enable BitLocker
BitLocker drive encryption is activated with the Enable-BitLocker command. Let us first take a look at the cmdlet before utilizing it:
- Volume: Specify a drive letter or a volume object returned by Get-BitLockerVolume.
- Key protector: Specify a key protector to encrypt the volume master key (VMK). The VMK in turn encrypts the full volume encryption key (FVEK), which encrypts the raw data. The following key protectors are available:
Trusted Platform Module (TPM) only: When only TPM is chosen, BitLocker uses the TPM chip to safeguard the encryption key, and the encrypted drive can be unlocked only while it is attached to the system with that TPM. Use the -TpmProtector switch to enable this key protector. Keep in mind that a switch parameter is simply present or absent and takes no value. Use the Get-Tpm command, as displayed in the screenshot, to determine whether your machine supports TPM.
TPM + PIN: BitLocker uses both the TPM and a PIN to safeguard the encryption key. Use the -TpmAndPinProtector switch to create this key protector and supply the PIN as a secure string. You can create a secure string with the ConvertTo-SecureString cmdlet.
TPM + Startup Key (USB drive): BitLocker safeguards the encryption key with both the TPM and a startup key, which is an external key stored on a removable USB flash drive. Use the -TpmAndStartupKeyProtector switch to specify this key protector.
TPM + Startup Key + PIN: BitLocker safeguards the encryption key with a startup key, a PIN, and the TPM. Use the -TpmAndPinAndStartupKeyProtector switch to use this combination.
Startup Key: BitLocker stores the encryption key on a removable USB storage device. Use the -StartupKeyProtector switch together with the -StartupKeyPath parameter to provide the path where the key is stored.
Recovery Key: BitLocker safeguards the encryption key with a recovery key kept in a file. Whenever you create a startup key or recovery key protector, you must specify a path where the key is stored. Use the -RecoveryKeyProtector switch and the -RecoveryKeyPath parameter to specify a folder where a randomly generated recovery key will be saved.
Password: BitLocker secures the encryption key with a password. Specify this key protector with the -PasswordProtector switch and pass the password as a secure string in the -Password parameter.
Recovery Password: BitLocker secures the encryption key with a recovery password. Use the -RecoveryPasswordProtector switch to create this key protector. If you use it without providing a password, a random 48-digit recovery password is generated automatically.
AD Account: BitLocker safeguards the encryption key with an Active Directory account.
You can only provide one combination from the key protectors specified above when using the Enable-BitLocker cmdlet. However, you might later add more key protectors by using the Add-BitLockerKeyProtector cmdlet.
- Encryption Method: By default, BitLocker uses XTS-AES-128, but you can change the encryption method with the -EncryptionMethod parameter, which accepts Aes128, Aes256, XtsAes128, and XtsAes256.
- Used Space Only: By default, BitLocker encrypts the whole volume, including free space, which can take a long time on large volumes. The -UsedSpaceOnly switch speeds up the process: new data is encrypted as it is written, but previously unallocated space, which may still hold remnants of deleted files, is left unprotected.
- Hardware Encryption: BitLocker supports both hardware and software encryption; software encryption is the default. On compatible disks you can use the -HardwareEncryption switch. However, according to this security alert, some self-encrypting drives (SEDs) have security flaws, so Microsoft advises using software-only encryption.
There are additional parameters that the Enable-BitLocker cmdlet supports, but it would be impossible to go over them all in one post. Use the Get-Help Enable-BitLocker -Detailed command to discover all the parameters if you’re curious.
Let’s examine how to use a PowerShell command to enable BitLocker encryption.
$Pin = ConvertTo-SecureString "205020" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -Pin $Pin -TPMandPinProtector -UsedSpaceOnly
The first command creates a secure string from a plain-text numeric PIN, and the second specifies TPM + PIN as the key protectors. You must restart the computer so that BitLocker can run its hardware test.
The hardware test can be skipped with the -SkipHardwareTest switch, although this is not advised. After the restart, BitLocker will require you to enter the PIN before Windows launches.
The encryption procedure begins automatically after logging in. The Get-BitLockerVolume command can be used to view the progress, as seen below:
The current encryption status is displayed in the VolumeStatus and EncryptionPercentage columns.
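The procedure above, carried one step further as an added example (not code from the original post): enable the OS volume with TPM + PIN, then immediately add a recovery password as a second protector, since Enable-BitLocker accepts only one protector set and a volume with a single protector is easily lost. The PIN is prompted rather than hard-coded, and the escrow share path is a placeholder; it assumes an elevated session and a ready TPM.

```powershell
# Added example: TPM + PIN enablement with a recovery password escrowed off the machine.
$Mount  = "C:"
$Escrow = "\\FILESERVER\bitlocker-escrow"   # placeholder: an access-controlled share

$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready; a TPM + PIN protector cannot be used here."
}

$vol = Get-BitLockerVolume -MountPoint $Mount
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$Mount is already $($vol.VolumeStatus); nothing to do."
}

# Prompt for the PIN instead of leaving it in the script or shell history.
$Pin = Read-Host -Prompt "Enter the BitLocker startup PIN" -AsSecureString

# Enable-BitLocker takes a single protector set per call ...
Enable-BitLocker -MountPoint $Mount -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $Pin -UsedSpaceOnly | Out-Null

# ... so the recovery password is added afterwards. With no password supplied,
# BitLocker generates a random 48-digit one and returns the updated volume object.
$vol = Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
       Select-Object -Last 1

# Keep the recovery password somewhere other than the volume it unlocks. On a
# domain-joined machine, Backup-BitLockerKeyProtector -MountPoint $Mount
# -KeyProtectorId $rp.KeyProtectorId escrows it to Active Directory instead.
$record = "{0},{1},{2},{3}" -f $env:COMPUTERNAME, $Mount, $rp.KeyProtectorId, $rp.RecoveryPassword
$record | Out-File -FilePath (Join-Path $Escrow "$env:COMPUTERNAME.csv") -Append

# Encryption only starts after the reboot and hardware test; run this afterwards
# to follow progress via the VolumeStatus and EncryptionPercentage properties.
function Wait-BitLockerEncryption {
    param([string] $MountPoint = "C:")
    do {
        $v = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ("{0} {1} {2}%" -f $v.MountPoint, $v.VolumeStatus, $v.EncryptionPercentage)
        Start-Sleep -Seconds 30
    } while ($v.VolumeStatus -eq 'EncryptionInProgress')
    return $v
}
```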
USB flash drive as a recovery key protector
Use the following command to use a USB flash drive as a recovery key protector:
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -StartupKeyProtector -StartupKeyPath "E:" -UsedSpaceOnly -SkipHardwareTest
This command establishes a startup key (USB) as the key protector and designates the flash drive as the location where the BitLocker external key is stored. Because the key is kept in a hidden system file with the .BEK extension, you must use the Get-ChildItem cmdlet with the -Force option to see it, as shown in the screenshot:
If you select this option, you must enable USB drives in the BIOS (or UEFI) settings and insert the USB drive every time the machine starts. If you remove it, you will need to re-insert it. Even though it seems safe, having just one key protector puts your system at risk of becoming unusable if the USB flash drive becomes corrupt. Adding an extra key protector, such as a password or PIN, is therefore highly advised. This is covered in the next section.
Manage key protectors
As previously indicated, the Enable-BitLocker cmdlet will only allow you to create one set of key protectors. You can add multiple key protectors to a BitLocker-encrypted volume using the Add-BitLockerKeyProtector cmdlet.
Add a key protector
We used a startup key as a key protector in the previous section. Now let us use the following command to add a password as an additional protector:
$Password = ConvertTo-SecureString "P@ssw0rd123" -AsPlainText -Force
Add-BitLockerKeyProtector -MountPoint "C:" -PasswordProtector -Password $Password
Use the following command to add a recovery key file as an extra key protector to an encrypted volume:
Add-BitLockerKeyProtector -MountPoint "C" -RecoveryKeyProtector -RecoveryKeyPath "D:\"
The -RecoveryKeyPath parameter specifies a directory where a randomly generated recovery key is saved. The volume now has an external recovery key as a supplementary key protector alongside TPM + PIN.
Remove a key protector
Use the Remove-BitLockerKeyProtector cmdlet to remove a key protector from a volume. You must first find the ID of the key protector you want to delete. To do so, save the BitLocker volume in a variable and then read its KeyProtector property:
$BVol = Get-BitLockerVolume -MountPoint "C"
$BVol.KeyProtector
As seen in the following command, after you obtain the ID, specify it to remove the key protector:
Remove-BitLockerKeyProtector -MountPoint "C" -KeyProtectorId "{D5417E7D-CE03-40FB-A83C-7B7D3A190C3F}"
Alternately, as seen in the following statement, you might delete the key protector by using the array index of the key protector:
Remove-BitLockerKeyProtector -MountPoint "C" -KeyProtectorId $BVol.KeyProtector[1].KeyProtectorId
The BitLocker volume object holds an array of key protectors, so you can remove the relevant one by indexing into it, here $BVol.KeyProtector[1] (the array is zero-based, so index 1 is the second protector). As before, list $BVol.KeyProtector to locate the key protector you wish to remove.
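Picking protectors by array index is fragile, because the order changes as protectors are added and removed. The function below is an added example, not code from the original post: it selects protectors by type, and applies the caveat from the USB section by refusing to remove anything that would leave the volume with fewer than two key protectors.

```powershell
# Added example: remove every key protector of one type, with a safety check.
# Type names are the KeyProtectorType values shown by Get-BitLockerVolume,
# e.g. 'Password', 'ExternalKey', 'RecoveryPassword', 'TpmPin'.
function Remove-BitLockerProtectorByType {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [Parameter(Mandatory)] [string] $Type
    )
    $vol       = Get-BitLockerVolume -MountPoint $MountPoint
    $all       = @($vol.KeyProtector)
    $targets   = @($all | Where-Object { $_.KeyProtectorType -eq $Type })
    if ($targets.Count -eq 0) {
        Write-Warning "No $Type protector found on $MountPoint"
        return
    }

    # Never leave the volume dependent on a single protector.
    $remaining = $all.Count - $targets.Count
    if ($remaining -lt 2) {
        throw "Refusing: removing $($targets.Count) $Type protector(s) would leave only $remaining on $MountPoint."
    }

    foreach ($kp in $targets) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        Write-Host "Removed $Type protector $($kp.KeyProtectorId) from $MountPoint"
    }

    # Return what is left so the caller can confirm the result.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId
}

# Example call: drop the password protector added earlier, keeping the TPM and recovery protectors.
Remove-BitLockerProtectorByType -MountPoint "C:" -Type 'Password'
```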
Conclusion
BitLocker is a volume encryption technique released for the first time with Windows Vista and Windows Server 2008. Many people worldwide rely on BitLocker Drive Encryption (BDE) to safeguard their data at rest, even though it, like other Microsoft products, suffers from specific bugs.