
Powershelling Away At Bitlocker

The Enable-BitLocker cmdlet is available in PowerShell to encrypt drives. The command is fairly straightforward once we figure out how to do a few things. In the following we'll use -MountPoint to specify that it's the default C: drive we're encrypting, followed by -EncryptionMethod set to Aes128 or Aes256, and then who can unlock it, in this case the CharlesEdge short name on the Krypted domain. Then we'll prompt for confirmation (that can be removed), define a -Pin of 2345 to unlock with, and finally drop the recovery key off at a -RecoveryKeyPath. Seems like a lot but it's not. There are ways to use a password instead of a key, but since the target location should be write-only we don't want to put too much of a barrier in front of the script watching f: that, let's say, picks the key up and pops it into a database or device management tool:

Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -AdAccountOrGroup "Krypted\CharlesEdge" -AdAccountOrGroupProtector -Confirm
Add-BitLockerKeyProtector -MountPoint "C:" -TpmAndPinProtector -Pin (ConvertTo-SecureString "2345" -AsPlainText -Force)  # Enable-BitLocker takes one protector type per call; -Pin wants a SecureString
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryKeyProtector -RecoveryKeyPath f:\keydropoff

Then, once enabled, we can use the Manage-BDE cmdlet to see the status:

Manage-BDE -Status

That shows us:

Volume E: [Data Volume]
    Size:                 743.19 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:
        External Key

And once complete, we can see the key info using that same cmdlet with -Protectors followed by -Get and a positional parameter of the drive letter (in this case, simply C:):

Manage-BDE -Protectors -Get C:

A simple way to programmatically check where the keys are going is to read HKLM\SOFTWARE\Policies\Microsoft\FVE\DefaultRecoveryFolderPath. So if we're building an agent, let's say, we can monitor that hive nested under FVE for much more than the path. That becomes a way to get at the information without parsing PowerShell output, providing a second method.

We can also throw a screen to the user that shows the key:

Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector
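As an added example that is not part of the original post, here is a deployment-style script that pulls the pieces above together: it reads the FVE policy key for the drop-off folder, checks state through Get-BitLockerVolume objects rather than parsing manage-bde text, enables encryption, adds a recovery password protector, escrows it, and writes a record to the drop-off folder. The \\fileserver\keydropoff share and the choice of a TPM protector are assumptions, not anything from the post.

```powershell
# Added example, not from the original post: enable BitLocker on the OS volume, add a
# numerical recovery password, escrow it to AD, and drop a record where policy says.
# Assumes a TPM is present; \\fileserver\keydropoff is a constructed placeholder share.
param(
    [string]$MountPoint = 'C:',
    [string]$FallbackDropOff = '\\fileserver\keydropoff'
)

# Same registry value the post points at; fall back to the parameter when policy is unset.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$dropOff = if ($fve -and $fve.DefaultRecoveryFolderPath) { $fve.DefaultRecoveryFolderPath } else { $FallbackDropOff }

# Get-BitLockerVolume returns objects, so an agent can check state without parsing manage-bde text.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Enable-BitLocker takes one protector type per call; the TPM unlocks the OS volume at boot.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
}

# Add a recovery password protector only if the volume does not already have one.
$rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
}

# Escrow to Active Directory (needs the FVE backup policy); a failure here must not stop the drop-off.
try {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
} catch {
    Write-Warning "AD escrow failed: $_"
}

# Write one JSON record per machine and volume. The share is write-only for clients, so we never read it back.
$record = [pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    MountPoint       = $MountPoint
    KeyProtectorId   = $rp.KeyProtectorId
    RecoveryPassword = $rp.RecoveryPassword
    EncryptionMethod = (Get-BitLockerVolume -MountPoint $MountPoint).EncryptionMethod.ToString()
    Timestamp        = (Get-Date).ToString('o')
}
$file = Join-Path $dropOff ("{0}-{1}.json" -f $env:COMPUTERNAME, $MountPoint.TrimEnd(':'))
$record | ConvertTo-Json | Set-Content -Path $file -Encoding UTF8
```

Run it elevated from the BitLocker module's host (Windows 8/Server 2012 or later); the JSON it leaves behind is what a collector script or device management tool would ingest from the drop-off share.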