osresearch / safeboot-loader

Linux kernel module to use UEFI Block IO Protocol devices. Probably not a good idea.

Document how to setup bitlocker

osresearch opened this issue · comments

image

There are some weird things, like "don't have a CD in the drive":

image

and you need removable media to write the key to.

manage-bde has awful help. To delete the TPM unlock you have to get the ID, along with the {}:

manage-bde -protectors -get c:
manage-bde -protectors -delete c: -id {....}

To create a BEK file:

manage-bde -protectors -add c: -startupkey e:

This will create a hidden file on the drive.

This worked to pass the BEK file to the bootloader:

/# dd if=/dev/zero of=/tmp/tes.gpt bs=512 count=256
256+0 records in
256+0 records out
131072 bytes (131 kB, 128 KiB) copied, 0.01 s, 13 MB/s
/# fdisk /tmp/tes.gpt 

Welcome to fdisk (util-linux 2.34).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0xd85e35c9.

Command (m for help): n
Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 1
First sector (1-255, default 1): 
Last sector, +/-sectors or +/-size{K,M,G,T,P} (1-255, default 255): 

Created a new partition 1 of type 'Linux' and of size 127.5 KiB.

Command (m for help): t
Selected partition 1
Hex code (type L to list all codes): b
Changed type of partition 'Linux' to 'W95 FAT32'.

Command (m for help): w
The partition table has been altered.
Syncing disks.

/# losetup -f -P /tmp/tes.gpt 
[   83.910000]  loop0: p1
/# mkfs.vfat /dev/loop0p1
mkfs.fat 4.1 (2017-01-24)
/# mkdir /ramdisk
/# mount /dev/loop0p1 /ramdisk
/#  xxd -r > /ramdisk/403B03D1-2D06-4E0A-B071-8D9434172633.BEK
00000000: 9c 00 00 00 01 00 00 00 30 00 00 00 9c 00 00 00  ........0.......
00000010: d1 03 3b 40 06 2d 0a 4e b0 71 8d 94 34 17 26 33  ..;@.-.N.q..4.&3
00000020: 01 00 00 00 00 00 00 00 30 5c 5a 66 14 33 d8 01  ........0\Zf.3..
00000030: 6c 00 06 00 09 00 01 00 d1 03 3b 40 06 2d 0a 4e  l.........;@.-.N
00000040: b0 71 8d 94 34 17 26 33 40 bf 50 66 14 33 d8 01  .q..4.&3@.Pf.3..
00000050: 20 00 00 00 02 00 01 00 45 00 78 00 74 00 65 00   .......E.x.t.e.
00000060: 72 00 6e 00 61 00 6c 00 4b 00 65 00 79 00 00 00  r.n.a.l.K.e.y...
00000070: 2c 00 00 00 01 00 01 00 02 20 00 00 2d 94 42 31  ,........ ..-.B1
00000080: 65 4d 83 2f a9 4f 5c 1a 40 a6 30 f7 d9 66 ac 3f  eM./.O\.@.0..f.?
00000090: 1d 6f 5c 9c 8d f5 ed 8b d0 3d 77 86              .o\......=w.
/# openssl dgst /ramdisk/403B03D1-2D06-4E0A-B071-8D9434172633.BEK 
SHA256(/ramdisk/403B03D1-2D06-4E0A-B071-8D9434172633.BEK)= 4ff361fca082c223133a6c38d3d054eb56ce0881607f25807bb8b3ac2889021d
/# umount /ramdisk/
/# echo /tmp/tes.gpt > /sys/firmware/efi/ramdisk 
[  174.020000] uefi_read_file: /tmp/tes.gpt => 131072
[  174.030000] uefi_ramdisk: /tmp/tes.gpt
[  174.030000]  131072 bytes
[  174.030000] uefi6: RamDisk(0x7EC26000,0x7EC45FFF,0,AB38A0DF-6873-44A9-87E6-D4EB56148449)
[  174.040000] uefi6: rev=10000 id=0 removable=0 present=1 logical=0 ro=0 caching=0 bs=512 size=130560
[  174.060000] uefi_blockdev: created 1 block devices
[  174.060000] uefi7: RamDisk(0x7EC26000,0x7EC45FFF,0,AB38A0DF-6873-44A9-87E6-D4EB56148449)/HD(1,MBR,0xD85E35C9,0x1,0xFF)
[  174.070000] uefi7: rev=10000 id=0 removable=0 present=1 logical=1 ro=0 caching=0 bs=512 size=130048
[  174.080000] uefi_blockdev: created 1 block devices
/# mount -o ro /dev/uefi3 /boot
/# chainload -d uefi3 /boot/efi/Boot/bootx64.efi 
[  208.130000] kexec_core: Starting new kernel
chainload says hello
Boot device PciRoot(0x0)/Pci(0x1F,0x2)/Sata(0x0,0xFFFF,0x0)/HD(2,GPT,D240F225-7427-4B55-AB3C-15B87C251E2D,0xFA000,0x31800)

image

BitLocker won't find a raw disk; it really wants an MBR or GPT partition table.
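Before handing a BEK file to the bootloader it is worth confirming that the file is a well-formed startup key and that the GUID embedded in it is the same protector ID that Windows used as the file name (the ID that `manage-bde -protectors -get c:` lists). The checker below is an added example, not code from this issue or from safeboot-loader. It parses the FVE metadata header and the external-key entry following the publicly documented BitLocker metadata layout (as described in the libbde format documentation), and uses the hex dump from the transcript above, re-assembled as sample input. The function names and dictionary keys (`parse_bek`, `bek_matches_filename`, `external_key`, ...) are my own; the parser reports the key length but never returns or prints the key material itself.

```python
"""Sanity-check a BitLocker startup key (.BEK) file.

Added example for this issue; not part of safeboot-loader.  Field layout
follows the BitLocker FVE metadata format as documented by libbde:

  FVE metadata header (0x30 bytes):
    u32 size, u32 version, u32 header size, u32 copy size,
    GUID (mixed-endian, 16 bytes), u32 next counter, u32 encryption method,
    u64 creation time (Windows FILETIME)
  then metadata entries: u16 size, u16 entry type, u16 value type, u16 version, data.
"""
import struct
import sys
import uuid
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Sample input: the xxd dump posted in the issue above (the author's disposable
# test key), re-assembled here so the script runs offline.
SAMPLE_BEK = bytes.fromhex(
    "9c000000010000003000000009c000000"[0:0]  # (placeholder removed below)
    + "9c00000001000000300000009c000000"
    + "d1033b40062d0a4eb0718d9434172633"
    + "010000000000000030 5c5a661433d801".replace(" ", "")
    + "6c00060009000100d1033b40062d0a4e"
    + "b0718d943417263340bf50661433d801"
    + "20000000020001004500780074006500"
    + "72006e0061006c004b00650079000000"
    + "2c00000001000100022000002d944231"
    + "654d832fa94f5c1a40a630f7d966ac3f"
    + "1d6f5c9c8df5ed8bd03d7786"
)
SAMPLE_NAME = "403B03D1-2D06-4E0A-B071-8D9434172633.BEK"

ENTRY_STARTUP_KEY = 0x0006   # entry type: startup key
VALUE_KEY = 0x0001           # value type: u32 encryption method + key bytes
VALUE_UNICODE_STRING = 0x0002
VALUE_EXTERNAL_KEY = 0x0009  # value type: GUID + FILETIME + nested entries
METHOD_EXTERNAL_KEY = 0x2002 # encryption method code for a raw external key

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_entries(buf: bytes) -> list:
    """Walk a run of FVE metadata entries, refusing truncated or overlapping ones."""
    entries, off = [], 0
    while off + 8 <= len(buf):
        size, etype, vtype, ver = struct.unpack_from("<HHHH", buf, off)
        if size < 8 or off + size > len(buf):
            raise ValueError(f"bad entry size {size} at offset {off}")
        entries.append({"entry_type": etype, "value_type": vtype,
                        "version": ver, "data": buf[off + 8:off + size]})
        off += size
    if off != len(buf):
        raise ValueError("trailing bytes after last metadata entry")
    return entries


def parse_bek(data: bytes) -> dict:
    """Parse header and external-key entry; key bytes are measured, not returned."""
    if len(data) < 0x30:
        raise ValueError("too short for an FVE metadata header")
    size, version, hdr_size, _copy_size = struct.unpack_from("<IIII", data, 0)
    next_counter, _method, created = struct.unpack_from("<IIQ", data, 0x20)
    if size != len(data) or version != 1 or hdr_size < 0x30 or hdr_size > size:
        raise ValueError(f"inconsistent header: size={size} version={version} hdr={hdr_size}")
    info = {"volume_guid": uuid.UUID(bytes_le=data[0x10:0x20]),
            "next_counter": next_counter,
            "created": filetime_to_datetime(created),
            "external_key": None}
    for e in parse_entries(data[hdr_size:size]):
        if e["entry_type"] != ENTRY_STARTUP_KEY or e["value_type"] != VALUE_EXTERNAL_KEY:
            continue
        d = e["data"]
        (modified,) = struct.unpack_from("<Q", d, 16)
        ext = {"guid": uuid.UUID(bytes_le=d[:16]),
               "modified": filetime_to_datetime(modified),
               "name": None, "encryption_method": None, "key_length": 0}
        for n in parse_entries(d[24:]):
            if n["value_type"] == VALUE_UNICODE_STRING:
                ext["name"] = n["data"].decode("utf-16-le").rstrip("\x00")
            elif n["value_type"] == VALUE_KEY:
                (ext["encryption_method"],) = struct.unpack_from("<I", n["data"], 0)
                ext["key_length"] = len(n["data"]) - 4   # key material itself is not kept
        info["external_key"] = ext
    return info


def bek_matches_filename(filename: str, data: bytes) -> bool:
    """True when the GUID in the file equals the protector ID used as its name."""
    try:
        name_guid = uuid.UUID(Path(filename).stem)
    except ValueError:
        return False
    info = parse_bek(data)
    return (info["volume_guid"] == name_guid and info["external_key"] is not None
            and info["external_key"]["guid"] == name_guid
            and info["external_key"]["encryption_method"] == METHOD_EXTERNAL_KEY)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_NAME
    blob = Path(path).read_bytes() if len(sys.argv) > 1 else SAMPLE_BEK
    r = parse_bek(blob)
    print(f"{path}: guid={r['volume_guid']} created={r['created']:%Y-%m-%d} "
          f"key={r['external_key']['key_length']} bytes "
          f"name_matches={bek_matches_filename(path, blob)}")
```

Run it with no arguments to check the embedded sample, or pass the path of a BEK file copied from the USB stick (the file is hidden, so list the drive with `dir /a` or `ls -a` to find it). A mismatch between the file name and the embedded GUID, or a key length other than 32 bytes, means the file is not the startup key Windows expects for that protector.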