-
Notifications
You must be signed in to change notification settings - Fork 9
Encryption support (Bitlocker)
Drive Badger is able to automatically detect and decrypt Bitlocker-encrypted partitions, but only using recovery keys. It doesn't support other Bitlocker methods: PIN, password, FVEK files, TPM interactions etc., as these methods cannot be automated.
See keys-bitlocker-demo repository. It contains a sample bitlocker.keys
file.
You can configure multiple such repositories - each such repository should:
- be cloned to
/opt/drivebadger/config/keys-bitlocker-yourchosenname
local directory on your Drive Badger persistent partition - contain
bitlocker.keys
file with proper contents (see below)
Local directory doesn't need to contain .git
subdirectory, in fact it can be just "floating" directory (created by hand or script, without repository). However if it does, then you can update it automatically using /opt/drivebadger/update.sh
(in just 1 step for all repositories).
If you have decryption keys associated (directly or indirectly) with particular drive serial numbers, you can save such keys in keys directory.
If you have any additional useful information about particular keys, allowing you to split them in some way (eg. into cities, buildings, floors, company departments, employee specialties) into smaller groups, you can try:
- split them into separate repositories
- configure these repositories across many Drive Badger devices, according to your attack plan
bitlocker.keys
file can contain:
- Bitlocker recovery keys, one per line
- comments starting from
#
sign (without leading spaces) - empty lines
Example bitlocker.keys
file:
# my laptop 1
123456-123456-123456-123456-123456-123456-123456-123456
# my laptop 2
987654-321987-987654-321987-987654-321987-987654-321987
As opposed to other encryption schemes, Bitlocker encrypted partitions are not detected by systemd
/udevd
and not accessible via UUID. Therefore, they are detected in a special way, after processing all partitions that have assigned UUID:
- each UUID-less partition is checked against the concatenated list of recovery passwords from all
bitlocker.keys
files - when a matching key is found, it's saved in keys directory - so it can be easily reused
© Copyright 2020-2022 by Tomasz Klim Payload.pl