Trouble with TPM & Bitlocker for secondary fixed data drive

Mikewind Dale

Junior Member
Jan 11, 2017
So I purchased a Lenovo E570 about a month ago, with Windows 10 Home. Yesterday, I upgraded it to Windows 10 Pro so that I could use Bitlocker.

Long story short: I'm having trouble encrypting my secondary fixed data drive. Let me explain in detail:

I've got an M.2 PCIe NVMe boot drive (from the factory) and a retail aftermarket 2.5" SATA SSD I installed myself as a secondary fixed data drive.

When I set up Bitlocker, it does detect my TPM. So I encrypted my boot drive with the TPM as the key protector. So far, so good.

Then I encrypted my fixed data drive. It says it is encrypted. So far, so good.

I can turn off my computer and reboot and access all my data. So far, so good.

The issue is, I'm not sure WHAT is protecting my fixed data drive. It's set to "auto unlock", but I can't figure out what it unlocks in response to. I want to make sure that my fixed data drive is unlocking only in response to something I have, and that no thief has. So great, my secondary fixed data drive is encrypted, but I can't tell what's the key. If the key is something that a thief has, then the encryption is useless. I need to verify that it's a key that only I have.

I can set boot and logon passwords just fine. What I want to do is protect against a thief who steals my physical computer, removes the drives, and mounts them in another computer. So that's where TPM comes in. I want to make sure that my fixed data drive is protected by TPM. I want TPM to be the key for my secondary fixed data drive.

The problem is, I can't figure out whether it is or not. All I know is that it is set to "automatically unlock", but I can't figure out, "in response to what?". What's the trigger that makes it unlock?

I can see how to set a password on the data drive, but I don't want a password. I've got enough passwords to remember as it is. I just want to encrypt it with the TPM to protect against a thief who might physically remove my drive from my computer.

So my only options are password or else "automatically unlock". But I can't tell whether "automatically unlock" uses my TPM or not.

I've called Microsoft technical support, and they didn't know the answer.

I'm attaching a screenshot of "manage-bde -status": http://i.imgur.com/0ZuSbaQ.png



As you can see, the boot drive is protected by TPM and by numerical password (I assume that's the recovery key, because I didn't set a user password).

By contrast, the data drive is protected by a numerical password (again, the recovery key?) and by an external key. But I didn't set up an external key. I don't have an external USB flash recovery key. I created nothing of the sort. So what is automatically unlocking my drive? If my drive automatically unlocks in response to nothing, then what will stop a thief? It will automatically unlock in response to nothing for him too!!!

So I'm just frustrated. I can't tell whether my data are actually safe or not.

I'll appreciate any help. Thanks.
 

OlyAR15

Senior member
Oct 23, 2014
Can't you just remove the drive and plug it into another computer to see if you can read the drive?
 

Mikewind Dale

Junior Member
Jan 11, 2017
> Can't you just remove the drive and plug it into another computer to see if you can read the drive?

I'd need another Windows Pro system. The only other system I have is Windows 8.1 Home.

Keep in mind, what I want to see is whether *any* BitLocker-encrypted boot drive will unlock my secondary fixed drive, or only whether a *particular* BitLocker-encrypted boot drive will do so. And with my Windows 8.1 Home system, I can't BitLocker-encrypt the boot drive.
 

readymix

Senior member
Jan 3, 2007
No, it doesn't unlock anywhere. You would need the numerical password in a foreign system to unlock. If you want to test it, do it via a USB flash drive: encrypt it, set it to auto unlock and carry it to another system. Keep in mind Windows versions earlier than W10 ver. 1607 are incompatible with XTS-AES encryption.
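The "external key" the original poster sees on the data drive is the auto-unlock key, and Windows stores that key inside the BitLocker-protected OS volume, so the data drive can only be opened once the TPM has released the OS volume. The script below is an added example (not code from this thread) that lists every volume's key protectors with the BitLocker PowerShell module and states whether the data drive's auto-unlock chains back to a TPM protector on the OS drive; it assumes Windows 10 Pro and an elevated prompt.

```powershell
# Added example: verify what really unlocks a fixed data drive under BitLocker.
# Requires the built-in BitLocker module (Windows 10 Pro) and an elevated PowerShell.
$volumes = Get-BitLockerVolume

foreach ($v in $volumes) {
    "{0} [{1}] protection={2} method={3}" -f $v.MountPoint, $v.VolumeType,
        $v.ProtectionStatus, $v.EncryptionMethod
    foreach ($kp in $v.KeyProtector) {
        # Typical values: Tpm, RecoveryPassword, ExternalKey, Password
        "    protector: {0,-16} id={1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId
    }
    if ($v.VolumeType -eq 'Data') {
        "    AutoUnlockEnabled: {0}" -f $v.AutoUnlockEnabled
    }
}

# The auto-unlock ExternalKey on a data volume is stored on the OS volume, which
# must itself be BitLocker-protected. Check that the OS volume is held by the TPM.
$os = $volumes | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
$osHasTpm = ($os.KeyProtector | Where-Object { $_.KeyProtectorType -match 'Tpm' }).Count -gt 0

foreach ($d in ($volumes | Where-Object { $_.VolumeType -eq 'Data' -and $_.AutoUnlockEnabled })) {
    $ext = $d.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'ExternalKey' }
    if ($osHasTpm -and $ext) {
        "{0}: auto-unlock key lives on the TPM-protected OS volume; on another machine it needs the recovery password." -f $d.MountPoint
    } else {
        "{0}: WARNING: auto-unlock is not anchored to a TPM-protected OS volume; review the protectors." -f $d.MountPoint
    }
}
```

The same information is available from the command line with `manage-bde -protectors -get D:` (substituting the data drive letter), which prints the recovery password and external key protectors the screenshot in the first post shows.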
 

Mikewind Dale

Junior Member
Jan 11, 2017
I did try it with a USB removable drive, but that didn't really clarify, because I know that the removable drive doesn't rely on the TPM. That's the point of a removable drive, after all, to be removable and not rely on any particular system's configuration.

By contrast, I want my fixed disk to be fixed to the TPM and not unlock on any other system. Since the removable and fixed drives have totally different use cases, and since BitLocker treats them differently, comparing them doesn't really make sense.

But you're saying that my fixed disk won't auto-unlock in any other system, and that it will require the numerical recovery password. Sounds good to me. Thanks!

P. S.

Thanks for noting that XTS won't unlock on a system older than Windows 10. I back up all my data to a removable flash and to an external HDD, and I BitLocker-encrypt those with a more widely compatible standard. With my laptop, I'm concerned about physical theft when I travel, so I want all my data to be encrypted with the least widely compatible standard.

I'm not concerned about recovering data from my laptop, because that's what my backups are for. I just want to make sure that if my laptop is stolen, the thief gets nothing. So burning the bridge behind me with my laptop is fine, because it's my recovery backup drives that need to be recoverable.

Incidentally, I BitLocker-encrypted my removable flash drive on Windows 10 Pro and then took it over to Windows 8.1 Home, and 8.1 Home was still able to decrypt, even though it couldn't encrypt. So that's exactly what I want in a backup drive.
 

Elixer

Lifer
May 7, 2002
If you want to test, use a bootable USB flash drive with Linux (or whatever), then you can use Dislocker, gparted (or whatever) to see the status of the drive(s) in question.

If you use Dislocker to unlock said drive, it needs the key.
See https://github.com/Aorimn/dislocker/tree/develop for more info.
 