29

I have just installed Ubuntu side-by-side to a Windows 10 partition shipped on a new laptop.

Meaning, the laptop shipped with Windows 10, and I installed Ubuntu alongside the Windows partition using an Ubuntu Desktop installation ISO through a flash drive.

Now every time I boot into the Windows boot manager, BitLocker wants me to enter the long BitLocker recovery key. A few questions:

  1. Why actually is BitLocker affected by the new boot loader set up by Ubuntu? A naive thought would be that the BitLocker decryption key is stored on the motherboard TPM and isn't affected by a new boot loader installation, and that is probably true, as otherwise Windows would no longer be able to read its own files. So why is BitLocker even requiring the recovery key now?
  2. The Ubuntu side-by-side install said something about fiddling boot protection, but it remains elusive whether that's related to the TPM or a separate security mechanism.
  3. The Ubuntu installer even asked for a pass-phrase that should help re-establish secure boot, but I was not prompted to use it anywhere after booting with neither the Ubuntu nor the Windows boot loaders, after the install.
  4. How do I make BitLocker trustful again? In Windows 10, I only see an option to disable disk encryption altogether, but am not sure why it can't just keep going.
  5. Turning encryption off and then on (in Windows) seems like overkill, and I've no idea whether it will scramble my Ubuntu partition while at it.

In Windows, after supplying the recovery key, I can see that device encryption is on. So my understanding is that my Windows partition is still decrypting its own files, whereas my Ubuntu partition isn't asking the TPM to encrypt its files when writing them nor decrypt them when reading them.

matt
  • @ramhound Thanks, but BitLocker came pre-installed... not sure about the nature of the vicious cycle you describe here, so obviously I won't go down that path just to find out how it further complicates matters. – matt Dec 20 '17 at 18:28
  • Makes sense. Not sure why the trust doesn't recover after the first time I enter the correct recovery key then. – matt Dec 20 '17 at 18:29
  • Well as said, that's how the laptop shipped, so I'd call that "by default" enough in my case :-) – matt Dec 20 '17 at 18:30
  • In that case, turning encryption off in Windows 10 (which I guess would turn off the entire BitLocker thing) might be the only practical path, at the obvious cost of no longer having that kind of data protection. [Although Ubuntu does have some support](https://askubuntu.com/questions/617950/use-windows-bitlocker-encrypted-drive-on-ubuntu-14-04-lts). Let's see if any different yet solid advice comes up. – matt Dec 20 '17 at 18:32
  • mmmm yes, but then the whole drive gets encrypted and Ubuntu can't read its own partition, supposedly – matt Dec 20 '17 at 18:35
  • Ubuntu can only use the recovery key; it doesn't seem to support TPM, which is the reason Windows is now using it. You can encrypt the drive in a way the TPM isn't used; I believe the use of the TPM is optional, even if one is installed. – Ramhound Dec 20 '17 at 18:39
  • Although https://askubuntu.com/questions/617950/use-windows-bitlocker-encrypted-drive-on-ubuntu-14-04-lts – matt Dec 20 '17 at 18:41
  • @Ramhound - BitLocker Device Encryption is enabled by default since Windows 8.1 if it has the proper hardware and the user signs in with a Microsoft Account, and Windows 10 expanded on that. https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10 - To the OP, did you disable secure boot on your system so you could install Linux? – Appleoddity Dec 20 '17 at 19:05
  • @Appleoddity yes, the Ubuntu side-by-side installer mentioned doing that. It also asked me to invent a pass-phrase for it, not sure where that pass-phrase is actually used – matt Dec 20 '17 at 19:11
  • I'm not either. But, I'm pretty sure secure boot needs to be enabled to use BitLocker the way you expect it to work. You should be able to go into your BIOS and enable secure boot. Then, you may have to look through your boot order options and try tweaking a couple things there. I'm not sure how Linux works with Secure Boot. But, I would at least turn it on, and see if you can get Windows to boot without requiring a key, even if that temporarily breaks the Linux installation. It would be a good test. – Appleoddity Dec 20 '17 at 19:14
  • When I disabled BitLocker, encryption automatically suspended too, as per the relevant Windows settings window... arguably the full scope of the relationship between the two does exhibit some disconnect in the user facing settings windows and error messages.... but I've managed to solve and post my answer below – matt Dec 20 '17 at 20:03
  • Ramhound and Appleoddity thanks again for your kindness! – matt Dec 31 '17 at 17:31
  • If I press "Turn off Bitlocker", Windows warns that it would be a long-running process of entire-drive decryption. Will my Ubuntu installation keep working after that? – Oleg Vazhnev May 14 '18 at 18:51
  • Also I found this article that may be related. It suggests moving all Ubuntu files to the Ubuntu partition or something like this: https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx#Method_3 – Oleg Vazhnev May 14 '18 at 19:39
  • Does this answer your question? [Ubuntu Windows 10 Dual boot with TPM & Bitlocker](https://superuser.com/questions/1501266/ubuntu-windows-10-dual-boot-with-tpm-bitlocker) – Ramhound Dec 26 '19 at 18:06
  • I hit this problem before reading this post and tried to work round it by disabling the TPM in the BIOS and using a password for bitlocker (Dell XPS 13 9350). Bad news - the PC wouldn't boot or recover (even from a separate recovery disk) and I had to do a new clean Windows installation which wiped out my Ubuntu :-( – Andy Apr 21 '20 at 10:27

10 Answers

10

The issue is that Windows does not consider GRUB a secure component. Thus, whenever you boot into Windows coming from GRUB, Windows considers that the boot sequence might have been compromised, and forces a key re-entry.

The only way I know to fix this is to not use GRUB altogether. You can either

  • choose the boot sequence directly through your BIOS menu (the solution I use, I just have to enter F12 during boot, and BIOS gives the choice between the boot scenarios)
  • or use the Windows bootloader and add the Linux options to it (see here how to achieve that).
Qortex
  • Link is from 2011 and assumes MBR format instead of UEFI, not sure how current it might be. – djhaskin987 May 26 '20 at 23:09
  • Unfortunately option 2 is no longer available, as Windows Boot Manager no longer shows Linux entries, it just ignores them. – bviktor May 29 '21 at 11:33
8

I solved this by going to "Bitlocker" --> "Suspend Encryption" --> Restart Windows 10 --> Select Windows bootloader in GRUB --> Windows 10 encryption was enabled again but it's not asking anymore for the Encryption long KEY.

I have a single SSD with:

  • Windows 10 (UEFI / GPT) with Bitlocker
  • Ubuntu (3 partitions: boot, root and home)

Sebastian D
  • Can confirm, this one works even in 2021 with Windows 21H1 and Ubuntu 20.04. After hours of messing around, this one finally does it. Thanks a bunch! – bviktor May 29 '21 at 11:38
  • This sort of worked for me, but after rebooting (without being asked for the key), I see that Bitlocker is still suspended, and clicking "Resume Protection" results in "Bitlocker Drive Encryption error, Wizard initialization has failed. A compatible Trusted Platform Module Security Device cannot be found on this computer". I think this might be because I disabled Secure Boot some time ago? – davidA May 02 '22 at 09:43
  • You are effectively compromising your security by doing so. Remember that the possibility of having your data protected against stealing was why you enabled BitLocker protection in the first place. – Kyselejsyreček Apr 18 '23 at 08:14
3

Late to the party, but as of 04/2022, installing Mint 20.3 on a Dell E6530 next to a bitlocker-enabled Windows 10 partition on the same drive and Secure Boot disabled, I was hit by this problem too and could not solve it using the various answers on this thread or on many others:

  • Suspending protection did not work
  • Decrypting and re-encrypting the disk did not work:
    • when rebooting to test before encryption, the message 'The data drive specified is not set to automatically unlock on the current computer and cannot be unlocked automatically. C: was not encrypted' popped up.
    • when bypassing the test, encryption succeeded but I had to enter the recovery key at every boot
  • @jean-bernard-jensen's answer, adapted to my case with TPMAndPIN instead of TPM did not work either. Secure boot is disabled so my PCR profile is 0,2,4,11. The fact that the PCR profile remained the same was the reason it did not work.

What worked:

  • Boot into Windows (with your recovery key, which I assume you will have extracted and have at hand in case anything goes wrong in the rest of the process)
  • Open the Group Policy Editor (type gpedit after opening the start menu) and navigate to Administrative Templates > Windows Components > Bitlocker Drive Encryption > Operating System Drives
  • Open the policy settings for 'Configure TPM platform validation profile for native UEFI firmware configurations'
  • Select 'Enabled'
  • Untick 'PCR 4: Boot Manager'
  • Open an elevated command prompt and use the following commands (you can probably replace TPMAndPin by TPM):
    • manage-bde -protectors -delete C: -type TPMAndPIN
    • manage-bde -protectors -add C: -TPMAndPIN (I'm asked to set a new PIN, which can be the same as before)
  • Reboot
  • Enjoy!

Once my setup is over - I may need to resize the partitions in the short/medium term - I will probably go through this again to enable PCR 5: GPT / Partition Table in the PCR profile.

As a side note, once you are past that stage, your next step will probably be to set up an encrypted drive that you can share between windows and linux. For this you may want to have a look at VeraCrypt, which can automount the same encrypted drive on both OSes at login using keyfiles, and has many other great features (hidden volume). You could also get rid of Bitlocker altogether and use VeraCrypt for your system volume but that's another story...

ouk
2

I had this problem as well, and I found this workaround by accident:

With my setup, I get GRUB screen, where I can select between these options:

  • Ubuntu
  • Advanced options for Ubuntu
  • Windows Boot Manager (on /dev/sda2)
  • System Setup

When I select the Windows Boot Manager option, I get stopped at the BitLocker recovery screen.

However, if I simply hit ESC, I am taken to a GRUB terminal. When I enter exit into the terminal, the terminal disappears, and Windows starts up. With this flow, I don't hit the BitLocker recovery screen.

  • Hey this helped me out a lot and was the only thing that seemed to do it for me, thanks a lot! – nmu Jun 03 '21 at 12:12
1

With a lot of help from the kind people in the comments, I was able to elegantly get past the problem. This was the elegant solution, taken from here:

To make BitLocker regain trust, I simply disabled and then re-enabled BitLocker:

"C:\Windows\system32\manage-bde.exe" -protectors -enable c:

"C:\Windows\system32\manage-bde.exe" -protectors -disable c:

I assume that now Windows uses BitLocker and disk encryption through the TPM just as before, and Ubuntu simply does not.

It is possible to install some Ubuntu stuff that makes it work like BitLocker (thusly presumably also enabling sharing partitions between Windows and Ubuntu), but I think that for now Ubuntu does not use the TPM hardware, so it would store the entire encryption key on disk, defeating the purpose of the encryption, so not worth it I guess.

So BitLocker was aware of the boot manipulation, justifiably causing it to await a trust-regaining event even though the TPM integration remained intact. Entering the protection key and then using the above couple of commands in Windows made it re-enter the state of trust, regaining normal operation.

matt
  • This does not solve the issue, since it simply disables Bitlocker with the last command. So you will end up with disabled Bitlocker and that's why it does not ask for the recovery key again. – Stefan Profanter Mar 16 '18 at 16:08
  • I ran into the same problem (always asking for the recovery key). I tried the -disable command you suggest, and it booted up nicely, but when I enabled it again it asked for the key. My question is : did permanently disabling the bitlocker create any problems you are aware of ? Is this a practical solution ? – Olivier Bégassat Apr 29 '18 at 08:40
  • @OlivierBégassat Disabling BitLocker means no encryption of your data on the disk, I believe. – Wojtek Jun 10 '18 at 10:18
  • @SailAvid +1, and when I run disable and enable (instead of enable and then disable) BitLocker is still asking me for the key at startup. So this solution does not help. – Wojtek Jun 10 '18 at 10:20
1

I ended up exactly with this situation. After a little bit of research I found this page: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan

Which was very informative. To summarize what I found, after logging in to Windows by providing the key to bypass BitLocker, I opened an admin console (Windows key+X, then select "Windows PowerShell") and ran this command:

manage-bde -forcerecovery c:

That assumes that you are recovering your Windows installation on drive c:

This did the trick permanently. I hope this helps others with the same problem.

Jorge Torres
  • This does not work, and only removes the PIN or TPM protectors, meaning you have to enter the recovery key at every boot. – ouk Apr 02 '22 at 07:30
0

The answer @matt found is on the right track but is incomplete. You can definitely set up your TPM to accept your double boot, and you can do it without disabling BitLocker and decrypting your data. The basic idea is to reset the TPM registers so they contain the new signatures of your boot setup. To do that, proceed as follows.

In the next steps, I assume you have a single BitLocker protected volume labeled C:.

1 - Backup your recovery key

There are multiple ways to do that documented on the internet. One of them is to run the following command in an admin prompt.

Manage-bde -protectors -get C:

It will display your recovery key as well as the enabled TPM protectors. Write down your key, as well as the list of the PCR Validation Profile used by your TPM. It is a list of numbers, like 7,11 or 0,2,4,11.

2 - Disable the TPM protectors

Execute the following command:

Manage-bde -protectors -delete C: -type TPM

You can run the get afterwards to see your disk is still protected by your recovery key. Alternatively, you could remove all protectors, but that means you will have to recreate a recovery key afterwards too.

3 - Setup your boot like you want it

Do your SecureBoot setup in the order you want. When finished, boot into Windows and re-enable the TPM protectors.

Manage-bde -protectors -add C: -TPM

Check the get again to see if the PCR Validation Profile is the same. If yes, you are all good. If not (which was my case), and you want to restore or customize it, open the Group Policy Editor utility, navigate to Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives, and open Configure TPM platform validation for native UEFI firmware configurations. Enable it, and in the bottom left, check the PCR profiles you want enabled. Match your original list (or create a custom one if you know what you are doing), then apply and save.

Go back to the command line and create the TPM Protectors again.

4 - Enjoy

The PCR Profile 7 is the one storing your Secure Boot signature. If you applied it once booted with the fully configured boot, you can enjoy a smooth and secure double boot.

Appendix

If this method fails, you can decide to wipe all protectors instead of just the TPM ones during the SecureBoot setup. In that case, the encryption key is stored as plain text on the disk, so your data is not secured but not unencrypted either. If you do so, do not forget to create a new recovery key once you are done:

Manage-bde -protectors -add C: -RecoveryKey

Be careful, it is a new one, that you must write down and/or backup again.
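The same procedure (this answer's steps 1 to 3, plus the PCR 4 check from ouk's answer above) as a PowerShell script, added here as an example rather than code from either answer. It assumes an elevated session, the built-in BitLocker module cmdlets, manage-bde on PATH and a single OS volume C:; the output path for the recovery password is a constructed placeholder.

```powershell
# Added example, not code from any answer on this page. Assumes an elevated
# PowerShell session, the built-in BitLocker module and manage-bde on PATH.

# Report protectors and the TPM's PCR validation profile. Only manage-bde prints
# the PCR profile, so its text output is parsed; it is empty with no TPM protector.
function Get-OsVolumeState {
    param([string]$MountPoint = 'C:')
    $bl   = Get-BitLockerVolume -MountPoint $MountPoint
    $text = (& manage-bde -protectors -get $MountPoint 2>&1) -join "`n"
    $pcrs = @()
    if ($text -match 'PCR Validation Profile:\s*([\d,\s]+)') {
        $pcrs = @($Matches[1] -split '[,\s]+' | Where-Object { $_ } | ForEach-Object { [int]$_ })
    }
    [pscustomobject]@{
        MountPoint       = $bl.MountPoint
        ProtectionStatus = $bl.ProtectionStatus      # 'Off' also covers "suspended"
        ProtectorTypes   = @($bl.KeyProtector.KeyProtectorType)
        PcrProfile       = $pcrs
    }
}
# Step 1: save the recovery password(s) to a file on another device before
# touching the TPM protector; refuse to continue if there is none.
function Backup-RecoveryPassword {
    param([string]$MountPoint = 'C:', [string]$OutFile)
    $rp = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) { throw "No recovery password protector on $MountPoint; add one first." }
    $rp | ForEach-Object { "$($_.KeyProtectorId) $($_.RecoveryPassword)" } | Set-Content -Path $OutFile
}
# Step 2: drop the TPM protector. The volume stays encrypted; only the recovery
# password unlocks it until step 3. Use 'TpmPin' instead if TPMAndPIN is in use.
function Remove-TpmProtector {
    param([string]$MountPoint = 'C:')
    $bl = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in @($bl.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
}
# Step 3: run only after the boot chain and the PCR policy are final, because the
# TPM seals the key against the PCR values measured on the current boot.
function Add-TpmProtectorChecked {
    param([string]$MountPoint = 'C:')
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    $state = Get-OsVolumeState -MountPoint $MountPoint
    if ($state.PcrProfile -contains 4) {
        Write-Warning 'PCR 4 (Boot Manager) is in the profile; booting Windows via GRUB will change it and trigger recovery again.'
    }
    $state
}

Backup-RecoveryPassword -MountPoint 'C:' -OutFile 'D:\bitlocker-recovery.txt'   # D: = removable media (constructed path)
Remove-TpmProtector -MountPoint 'C:'
# ... reboot, set up Secure Boot / GRUB, adjust the PCR policy in gpedit, then:
# Add-TpmProtectorChecked -MountPoint 'C:'
```

Run the last line only once Windows has been booted through the final boot chain, so the values the TPM seals against are the ones every later boot will reproduce.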

0

Simply go to https://account.microsoft.com, go to your device details, and open the "Manage recovery keys" menu. There you can see the recovery key.

Premjith
-1

The only solution I've found is to change the boot order in the BIOS to let the Windows Bootloader be on top. This method makes booting Ubuntu a bit troublesome, as I have to stop normal boot and choose Select a Temporary Boot Device in order to enter GRUB from there. This way I can avoid Bitlocker getting angry at GRUB and asking for a key if I want to use Windows. For me it's not a big problem as I mainly use Windows to do most of my work.

  • This is what helped me too. After spending ~6 hours fighting the system, changing boot order is the only thing that works. My F12 key will probably wear out at this point but oh well. – parity3 Oct 12 '19 at 06:51
-1

There's a really good answer here: Ubuntu Windows 10 Dual boot with TPM & Bitlocker from user1686.

It tells you how to configure the EFI Boot Manager so that you can boot directly into windows and avoid the recovery key prompt, but then also set it to boot to Linux on the next go around, or vice versa. Basically by telling the firmware to boot directly into either OS, instead of going through GRUB, you can get dual boot and windows / bitlocker will be happy.

Wade