5

Before you dismiss this as silly, let me explain :)

The only purpose of this encryption is to make the data inaccessible if the drive breaks down and I want to send it off for warranty replacement. This system needs to be able to boot without my supervision when I'm away - which precludes the use of any passwords. Right now I'm stuck with a drive that I can't warranty-replace, because it's too broken for me to wipe it.

Ideally the encryption would be based on a keyfile stored on the (unencrypted) system drive.

Options I've considered:

RomanSt
  • 1,190
  • 9
  • 25
  • Your motherboard may not have TPM, but your CPU might. Many modern Intel processors have an integrated firmware TPM. Check if your system supports Intel TXT. – forest Feb 04 '18 at 02:09
  • BitLocker + `Unlock-BitLocker` on system startup has worked really well for me: [details below](https://security.stackexchange.com/a/247821/8676) – RomanSt Dec 30 '21 at 01:02

4 Answers4

4

The key has to be somewhere other than on the encrypted drive, because logic.

Typically the key is stored in one of three places:

  • In the user's head (or, since keys are hard to store in a head, a password is stored that can be used to derive the key)
  • in a TPM module inside the computer
  • on a removable token, such as a smart card or USB fob

From your description you want option 3, a removable token that you leave with the machine except when you send it off for repair.

However, you might have a bit of trouble finding a product that suits, as yours is a very unusual use case. Lots of software supports removable tokens, but typically they only use it with a password, either to

  • provide a backup of a password-derived key in case the user forgets the password
  • provide two-factor authentication, where you need the token in conjunction with a password.
Graham Hill
  • 15,474
  • 37
  • 63
  • 2
    I'll be quite happy to store the key on the system drive, which isn't encrypted. My use case is apparently the top answer to ["what are good use cases of disk encryption"](http://security.stackexchange.com/a/3216/8676) - so how do _they_ do it? I agree it seems unusual, but this use case was the top answer there... – RomanSt Apr 10 '14 at 13:18
1

For any drive that isn't C: the following procedure works:

  • Encrypt it with BitLocker using just a password
  • run the mountvol command to get a list of volumes. Find your encrypted volume in this list. Grab it's volume path; it will be something like \\?\Volume{5de20e5f-cc06-386e-f647-c2f00ed1f4d9}\
  • Create a Task in Task Scheduler to unlock it:
    • trigger on System Startup
    • run whether user is logged in or not (do not store password)
    • run with highest privileges
  • The action settings are:
    • program: powershell
    • arguments: -command "Unlock-BitLocker ""\\?\Volume{5de20e5f-cc06-386e-f647-c2f00ed1f4d9}\""" -Password ("""MyBitLockerPassword123""" | ConvertTo-SecureString -AsPlainText -Force)"

So obviously your password gets saved in plain text on the system drive, but that's exactly what I wanted anyway. Now I can warranty-return any drive other than the system drive without wiping it and without being present to enter a password after reboot.

RomanSt
  • 1,190
  • 9
  • 25
1

From what i understand, you want to protect the data on your disk if you send it away to a repair shop?

Are to able to access the disk at all? There is no need to apply such hard encryptions on the entire disk IMHO.

Partition the disk and encrypt your personal partition or/and volume. Grab a copy of hirens boot cd to partition the broken drive. You should be able to shrink your personal area and open up an empty partition.

however i do believe a repair shot is not responsible for the data on your disk and can/will replace it and send the copy with your data to a analysis center. Your data in this case will be long gone.

I suggest you hardclone the disk and inspect the information on your new disk. Best of luck!

Neophyte
  • 339
  • 1
  • 4
  • 1
    The broken drive is too broken. Click of death. Doesn't mount. The data I don't care about; it was a full mirror of another drive. The manufacturer explicitly recommends I wipe any data I don't want leaked before I send it for warranty replacement. – RomanSt Apr 10 '14 at 13:14
0

Store the encryption key on a second medium (USB, SD card). Primary storage is inaccessible without the key. You can make backup copies of the encryption key.

If the drive dies, erase/crush/destroy the USB/SD card.

Also, you can remove the "key" from the computer, and the data won't be accessible.

Justin
  • 9
  • 1
  • 1
    Using which software? BitLocker offers two options: password or smart card, neither of which is unattended (smart card requires PIN entry). TrueCrypt requires the system drive to be encrypted. – RomanSt Feb 04 '18 at 12:37