What is the principle of the BitLocker automatic unlock?
Hello, I have a question: what is the principle of the BitLocker automatic unlock? Where is the password stored? Could somebody crack the BitLocker password file very easily? Could you help me to explain it? Thanks very much! SAP is great!
December 13th, 2009 8:23am

Could you help me! Thanks very much! SAP is great!
December 15th, 2009 2:33pm

Hi Jean,

If you choose to auto-unlock a non-system drive, it will ask you to lock the system drive first. When we lock the system drive, it will request that the TPM be turned on, which stores the password. Meanwhile, here is a Q&A for people who do not have a TPM on the motherboard:

Can I use BitLocker on an operating system drive without a TPM version 1.2?

Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2, if the BIOS has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.

FYI: Windows Trusted Platform Module Management Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc749022(WS.10).aspx
December 16th, 2009 12:37pm

Shaon, thanks for your help! I think "If you choose auto unlock a non-system drive, it will ask to lock system drive first." is wrong. Right now my system drive is not locked, but it auto-unlocks a non-system drive every time. So I repeat my question from last time: where is the password stored (the password that automatically decrypts the non-system drive every time)? Is it safe? Waiting for your help! SAP is great!
December 19th, 2009 3:12pm

I still cannot understand "If you choose auto unlock a non-system drive, it will ask to lock system drive first." I don't know if my system drive is locked. The status is suspended. My computer doesn't have a TPM, so I have to use a USB drive to replace the TPM. In fact, right now I don't need to insert the USB key drive to boot into Win7. Is Windows 7 locked now? Is it safe? Is it dangerous? Waiting for your help! Best regards, Jean. SAP is great!
December 21st, 2009 11:10am

We should receive the following error when trying to auto-unlock a fixed data drive:

I also received the same error when trying to create a locked drive with auto-unlock:

I cannot confirm your current situation; if you agree, you can turn off BitLocker and re-lock the data drive to test these settings.
December 22nd, 2009 11:24am

I can actually confirm both scenarios described and shown by Shaon and Jean above. Considering this, I too am really in need of an answer as to where the password is being stored for the auto-unlock feature and whether it would be secure if the OS partition is not locked. Here is what I am finding, with a VM running Win7 Ultimate.

Scenario 1: If I add a separate data storage disk to the VM (through the XenCenter management console), then lock this drive and check the box to set the volume to auto-unlock as Shaon illustrates with screenshots above, I get the exact same result and error message. I cannot use auto-unlock in this manner unless I lock the system drive too. HOWEVER...

Scenario 2: INSTEAD of adding a separate data storage disk to the VM (similar to a removable or fixed data disk drive, I would think), I created a VHD file using the Windows Disk Management utility and stored it on the system drive at the root. When I mount this VHD file and lock it with BitLocker, I am allowed to set the auto-unlock feature with no resulting error message. Upon reboot of the machine, I have to mount the VHD file again from the Disk Management GUI, but afterward the volume auto-unlocks without a prompt for the password and is available for use, without a locked system drive.

I am not sure if scenario 2 is how Jean arrives at their findings, but I observe the same overall outcome: the auto-unlock feature enabled with no locked system drive. Therefore, I really need to know the answer to the same main question Jean has: where/how is the password stored for the auto-unlock feature? If it is somewhere on the system partition, outside of the encrypted volume/VHD file, then it seems that this is potentially not secure, depending on the details of how it is stored. I can provide screenshots or even a video if others cannot reproduce the scenario as I have described it in (2) above.
I would at least like to determine if the above scenario is as designed, because based on the documentation I am finding thus far, it seems that it may not be the case. Thanks. -Walt
February 13th, 2010 1:37am
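An added example, not from any participant in this thread: an audit script for the situation Jean and Walt describe (a data volume that auto-unlocks while the operating system volume is not protected). It reads BitLocker state through the Win32_EncryptableVolume WMI provider that ships with Windows 7 and later; auto-unlock keeps the data drive's unlock key on the operating system volume, which is why Windows normally insists that the OS drive be BitLocker-protected first. Assumptions: it runs elevated, and the namespace, class, method names and protection-status codes are those of the BitLocker WMI provider.

```powershell
# Added example: flag fixed data volumes that auto-unlock while the OS volume is unprotected.
# Requires an elevated PowerShell prompt (the BitLocker WMI provider is admin-only).

$ns      = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume

# The OS volume is the one carrying the system drive letter (for example "C:").
$osLetter = $env:SystemDrive
$osVolume = $volumes | Where-Object { $_.DriveLetter -eq $osLetter }

# GetProtectionStatus().ProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown.
$osProtected = ($osVolume -ne $null) -and
               ($osVolume.GetProtectionStatus().ProtectionStatus -eq 1)

$findings = foreach ($vol in $volumes) {
    $status  = $vol.GetProtectionStatus().ProtectionStatus
    $auto    = [bool]$vol.IsAutoUnlockEnabled().IsAutoUnlockEnabled
    # Key protector type 2 = external key; auto-unlock is implemented with one of these.
    $extKeys = @($vol.GetKeyProtectors(2).VolumeKeyProtectorID)

    # The condition the thread worries about: a data drive that opens by itself
    # although the OS drive that holds its unlock key is not encrypted.
    $risk = ($vol.DriveLetter -ne $osLetter) -and $auto -and (-not $osProtected)

    # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0 (Windows 7).
    New-Object PSObject -Property @{
        Drive            = $vol.DriveLetter
        Protection       = @('Unprotected', 'Protected', 'Unknown')[$status]
        AutoUnlock       = $auto
        ExternalKeyCount = $extKeys.Count
        Risk             = $risk
    }
}

$findings | Format-Table Drive, Protection, AutoUnlock, ExternalKeyCount, Risk -AutoSize

if ($findings | Where-Object { $_.Risk }) {
    Write-Warning "Auto-unlock is enabled on a data volume while $osLetter is not BitLocker-protected."
    Write-Warning "Protect $osLetter first, or remove auto-unlock with: manage-bde -autounlock -disable <drive>"
}
```

A volume that is still locked cannot report its key protectors; run the audit after the drives have been unlocked normally.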

The purpose of BitLocker is to encrypt the drives of the computer so that their data can only be accessed after providing the correct password that can decrypt the data. If you have encrypted the drives of your system, there is no chance that your data is lost to unauthorized people. No one can access your data (unless they know the password), even if your laptop or removable drives are stolen. BitLocker was introduced with Windows Vista (the previous Windows operating system), but it was not much liked by users because of its complicated procedure, while Windows 7 BitLocker is quite easy and straightforward. It provides covering security for users' files. It can be used not only to protect files on computer disks but also to secure data by encrypting files on removable devices like SD cards, pen drives, etc., so in case of theft or loss your data is not in the hands of strangers. You can encrypt your files using BitLocker within minutes. Open My Computer and right-click on the drive that you want to encrypt. Select Turn on BitLocker. Once BitLocker has initialized the flash drive, you will be prompted to enter a password. This password will be required later in order to unlock the drive. You also have the choice to set up a smart card. After that you will need to store the recovery key, which can be used in the event of forgetting your password or losing your smart card. In case you store it as a file, ensure that you do not save it on the drive you are encrypting. You will get a confirmation message, after which your system will be ready to start encrypting the drive. You simply need to click the Start Encrypting button. A progress screen will be displayed while the process runs.

This seems unrelated to my question, so I'm not sure if you intended to address my issue/concern, unless by omission you're suggesting that the stored password is not secured unless I choose to encrypt the entire system partition.
I guess I will have to go about inquiring as to whether this is a bug in the GUI/underlying functionality allowing auto-unlock with mounted VHD files through more official means.
February 16th, 2010 6:10pm

I believe I found the answer to my question. Even if the password is stored insecurely for auto-unlocking in the scenario above, I found in the FAQ that BitLocker does not support encryption of VHDs. :( http://technet.microsoft.com/en-us/library/ee449438%28WS.10%29.aspx#BKMK_StartUpKey
February 17th, 2010 1:51am
