The Enable-BitLocker cmdlet is available in PowerShell to encrypt drives. The command is fairly straightforward once we figure out how to do a few things. In the following we'll use -MountPoint to define that it's the default C: drive that we're encrypting, followed by -EncryptionMethod as Aes128 or Aes256, and then who can unlock, in this case the CharlesEdge short name on the Krypted domain. Then we'll prompt (that can be removed) and define a -Pin of 2345 to unlock the recovery key, and finally drop the key off at a -RecoveryKeyPath. Seems like a lot but it's not, and there are ways to use a password instead of a key; but since the target location should be write-only, we don't want to put too much of a barrier up for the script on F: that, let's say, might pick the key up and pop it into a database or device management tool:
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -AdAccountOrGroup "Krypted\CharlesEdge" -AdAccountOrGroupProtector -Confirm -Pin 2345 -RecoveryKeyPath f:\keydropoff
# Note: Enable-BitLocker accepts one protector type per call and -Pin takes a SecureString, so the PIN and recovery-key protectors above have to be added in separate Add-BitLockerKeyProtector calls for the command to go through.
Then, once enabled, we can use the Manage-BDE command to see the status:
Manage-BDE -Status
That shows us:
Volume E:
[Data Volume]
Size: 743.19 GB
BitLocker Version: 2.0
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 256
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Automatic Unlock: Disabled
Key Protectors:
External Key
And once complete, we can see the key info using that same command with -Protectors followed by -Get, with a positional parameter of the drive letter (in this case, simply C:):
Manage-BDE -Protectors -Get C:
And a simple way to programmatically check where the keys are would be to view HKLM\SOFTWARE\Policies\Microsoft\FVE\DefaultRecoveryFolderPath. So if we're building an agent, let's say, then we can monitor that hive nested under FVE for much more than the path; that becomes a way to access the information without parsing PowerShell output, providing a second method.
We can also throw a screen to the user that shows the key:
Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector
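As an added example (not code from the original post), here is the same workflow done with one protector per Enable-BitLocker call, the PIN passed as a SecureString, the recovery key dropped at the path, the recovery password escrowed, and a function an agent could call to read the state back from both the cmdlet and the FVE policy value mentioned above. The domain principal, the drop-off path and the PIN prompt are assumptions.

```powershell
# Added example, not from the original post. Assumes a TPM, that
# Krypted\CharlesEdge exists, and that F:\keydropoff is a write-only share.
param(
    [string]$MountPoint  = 'C:',
    [string]$AdPrincipal = 'Krypted\CharlesEdge',
    [string]$DropoffPath = 'F:\keydropoff'
)

# -Pin is a SecureString; prompting keeps the PIN out of the script text.
$pin = Read-Host -AsSecureString -Prompt 'BitLocker startup PIN'

# Enable-BitLocker takes exactly one protector type per call, so the
# TPM+PIN protector goes here and the remaining protectors are added after.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $pin -UsedSpaceOnly -SkipHardwareTest | Out-Null

# Recovery key (.BEK file) written to the drop-off path, as -RecoveryKeyPath does.
Add-BitLockerKeyProtector -MountPoint $MountPoint `
    -RecoveryKeyProtector -RecoveryKeyPath $DropoffPath | Out-Null

# Domain principal allowed to unlock the volume.
Add-BitLockerKeyProtector -MountPoint $MountPoint `
    -AdAccountOrGroupProtector -AdAccountOrGroup $AdPrincipal | Out-Null

# 48-digit recovery password, then escrow it to AD DS (requires the FVE
# policy that permits backup to AD; the call fails otherwise).
$vol  = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$rpId = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
         Select-Object -Last 1).KeyProtectorId
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rpId | Out-Null

# Agent-style state check: cmdlet view plus the FVE policy value the post
# points at, so escrow can be verified without parsing Manage-BDE text.
function Get-BitLockerEscrowState {
    param([string]$MountPoint = 'C:')
    $v   = Get-BitLockerVolume -MountPoint $MountPoint
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
               -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $v.ProtectionStatus
        PercentEncrypted = $v.EncryptionPercentage
        Protectors       = ($v.KeyProtector.KeyProtectorType -join ', ')
        HasRecoveryPwd   = [bool]($v.KeyProtector |
                               Where-Object KeyProtectorType -eq 'RecoveryPassword')
        PolicyKeyFolder  = $fve.DefaultRecoveryFolderPath
    }
}
Get-BitLockerEscrowState -MountPoint $MountPoint
```

Run it elevated; the returned object is what a management agent would log or ship rather than the text output of Manage-BDE -Status.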