Page 3 of 4
Results 21 to 30 of 32

Thread: Dual Window/Ubuntu boot wants windows recovery key (bitlocker key)

  1. #21
    Join Date
    May 2018
    Location
    Here and There
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: Dual Window/Ubuntu boot wants windows recovery key (bitlocker key)

    BitLocker stores a key in the system's TPM, which will fail to verify if it detects tampering (this includes BIOS setting changes, and other changes to software and hardware).

    If it is the Home edition, please right-click Start->Settings->Privacy and security->Device encryption. Turn "Device encryption" off, and wait for the decryption to complete.

    If the option is still available after decrypting, you can turn it on again if you still need to encrypt the computer. Please note that it may create another recovery key and upload it to the Microsoft account, so please check whether there is another key saved on the account. You can also check the currently used recovery key locally by right-clicking Start->Terminal/PowerShell/Command prompt, and enter the following command:
    Code:
    manage-bde.exe -protectors -get C:
    The recovery key is listed under "numeric password".

    This advice was offered to me by "Johann - MSFT | Microsoft Community Support Specialist" (Note: this was a virgin Ubuntu install and not an upgrade)

    And it worked for Win11 Pro as well, I did it for a friend, as I'm not an MS customer...
    "When you practice gratefulness, there is a sense of respect toward others." >>Dalai Lama

  2. #22
    Join Date
    May 2008
    Beans
    4,450
    Distro
    Ubuntu 24.04 Noble Numbat

    Re: Dual Window/Ubuntu boot wants windows recovery key (bitlocker key)

    Quote Originally Posted by 1fallen2 View Post
    BitLocker stores a key in the system's TPM
    Yes, if TPM is enabled (Windows 11 pro)
    With TPM enabled, you can also change How the drive is unlocked at startup
    If you always boot via Grub then the change (Pin or USB Flashdrive) will stick
    If you decide to boot Windows 11 via the UEFI menu, you'll have to go through the laborious process of entering the 48 digit recovery key.
    Then, if you change your mind again and boot via Grub, more onerous 48 digit recovery procedure.

    However, you can also use BitLocker encryption with both TPM and Secure Boot disabled.
    Choose to enable BitLocker with either a password or USB key and Grub can be used to boot Windows 11.
    Grub will require the password or have the USB key attached.

    I don't know where the key is stored but, because TPM chip is not involved, Grub manages to boot Windows 11.

  3. #23
    Join Date
    May 2018
    Location
    Here and There
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: Dual Window/Ubuntu boot wants windows recovery key (bitlocker key)

    Quote Originally Posted by tea for one View Post
    Do you have TPM and Secure Boot enabled in your UEFI settings?
    One good way to check is:
    Code:
    # Quote the substitution: with no match, an unquoted empty result makes "[ -d ]" succeed
    [ -d "$(ls -d /sys/kernel/security/tpm* 2>/dev/null | head -1)" ] && \
        echo "TPM available" || echo "TPM missing"
    Mine shows it "TPM available"
    Quote Originally Posted by tea for one View Post
    I don't know where the key is stored but, because TPM chip is not involved, Grub manages to boot Windows 11.
    this might help us or you
    Code:
    sudo cat /proc/keys
    BTW Why dual boot?? If you really need Windows and Ubuntu, then a second drive would be ideal, or a virtual install from Windows to Ubuntu, or Ubuntu host with Windows as a guest.

    Dual Booting is at best a hit or miss>>>>YUCK not for me anymore....

    Any-who Good Luck to the OP
    Last edited by 1fallen2; September 10th, 2024 at 07:36 PM. Reason: add to
    "When you practice gratefulness, there is a sense of respect toward others." >>Dalai Lama

  4. #24
    Join Date
    May 2008
    Beans
    4,450
    Distro
    Ubuntu 24.04 Noble Numbat

    Re: Dual Window/Ubuntu boot wants windows recovery key (bitlocker key)

    Quote Originally Posted by 1fallen2 View Post
    Code:
    [ -d "$(ls -d /sys/kernel/security/tpm* 2>/dev/null | head -1)" ] && \
        echo "TPM available" || echo "TPM missing"
    Mine shows it "TPM available"
    Mine too, but it does not indicate enabled or disabled.
    My TPM is disabled
    this might help us or you
    Code:
    sudo cat /proc/keys
    I doubt if a BitLocker key is stored in an Ubuntu folder
    BTW Why dual boot?? If you really need Windows and Ubuntu, then a second drive would be ideal, or a virtual install from Windows to Ubuntu, or Ubuntu host with Windows as a guest.
    Dual Booting is at best a hit or miss>>>>YUCK not for me anymore....
    Yes, dual booting adds an undesirable complexity.
    The following truncated text is good advice.
    If you can possibly manage it, have one OS per computer.
    If you absolutely must have more than one OS per computer, at least have one OS per disk.
    If you absolutely insist on having more than one OS per disk, understand everything written on this page
    From Recommendations here https://www.happyassassin.net/posts/...lly-work-then/
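
The check discussed in the posts above only looks for a securityfs directory, so it cannot say more than "something is there". As an added example (not code from any poster), the functions below report the TPM device and version the kernel exposes and read the Secure Boot state from the `SecureBoot` EFI variable; `SYSROOT` is a hypothetical override used only to point the functions at a test tree.

```shell
#!/bin/sh
# Added example, not from the thread. Reports what the running kernel sees.
# SYSROOT is a hypothetical prefix for testing; leave it empty on a real system.
SYSROOT=${SYSROOT:-}

# Prints "no TPM device", "TPM <major> device" or "TPM device, version unknown".
tpm_state() {
    dev="$SYSROOT/sys/class/tpm/tpm0"
    if [ ! -d "$dev" ]; then
        echo "no TPM device"
        return 0
    fi
    ver_file="$dev/tpm_version_major"
    if [ -r "$ver_file" ]; then
        echo "TPM $(cat "$ver_file") device"
    else
        echo "TPM device, version unknown"
    fi
}

# Prints the Secure Boot state as reported by the firmware variable.
secure_boot_state() {
    efi="$SYSROOT/sys/firmware/efi"
    [ -d "$efi" ] || { echo "legacy BIOS boot"; return 0; }
    var="$efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
    [ -r "$var" ] || { echo "Secure Boot unknown"; return 0; }
    # The file holds 4 attribute bytes followed by one data byte: 1 = enabled.
    val=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' \n')
    case $val in
        1) echo "Secure Boot enabled" ;;
        0) echo "Secure Boot disabled" ;;
        *) echo "Secure Boot unknown" ;;
    esac
}
```

Source the file and call `tpm_state` and `secure_boot_state`; both only read sysfs and change nothing.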

  5. #25
    Join Date
    May 2018
    Location
    Here and There
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: Dual Window/Ubuntu boot wants windows recovery key (bitlocker key)

    Quote Originally Posted by tea for one View Post
    Mine too, but it does not indicate enabled or disabled.
    My TPM is disabled
    It will in the BIOS under Platform
    Quote Originally Posted by tea for one View Post
    I doubt if a BitLocker key is stored in an Ubuntu folder
    True, but you can see them from a Linux machine. Or, you can access the BitLocker partition under Linux using Dislocker, an open-source driver that is using FUSE (or not).

    Note: You need the file on a USB key (the one with the .bek extension) or the recovery password.

    More on Dislocker:
    Code:
    dislocker
    dislocker by Romain Coltel, v0.7.2 (compiled for Linux/x86_64)
    Compiled version: master:8d42bdd
    
    Usage: dislocker [-hqrsv] [-l LOG_FILE] [-O OFFSET] [-V VOLUME DECRYPTMETHOD -F[N]] [-- ARGS...]
        with DECRYPTMETHOD = -p[RECOVERY_PASSWORD]|-f BEK_FILE|-u[USER_PASSWORD]|-k FVEK_FILE|-K VMK_FILE|-c
    
    Options:
        -c, --clearkey        decrypt volume using a clear key (default)
        -f, --bekfile BEKFILE
                              decrypt volume using the bek file (on USB key)
        -F, --force-block=[N] force use of metadata block number N (1, 2 or 3)
        -h, --help            print this help and exit
        -k, --fvek FVEK_FILE  decrypt volume using the FVEK directly
        -K, --vmk VMK_FILE    decrypt volume using the VMK directly
        -l, --logfile LOG_FILE
                              put messages into this file (stdout by default)
        -O, --offset OFFSET   BitLocker partition offset, in bytes (default is 0)
        -p, --recovery-password=[RECOVERY_PASSWORD]
                              decrypt volume using the recovery password method
        -q, --quiet           do NOT display anything
        -r, --readonly        do not allow to write on the BitLocker volume
        -s, --stateok         do not check the volume's state, assume it's ok to mount it
        -u, --user-password=[USER_PASSWORD]
                              decrypt volume using the user password method
        -v, --verbosity       increase verbosity (CRITICAL errors are displayed by default)
        -V, --volume VOLUME   volume to get metadata and keys from
    
        --                    end of program options, beginning of FUSE's ones
    
      ARGS are any arguments you want to pass to FUSE. You need to pass at least
    the mount-point.
    Or the Man Page:
    Code:
    DISLOCKER-FUSE(1)                          DISLOCKER-FUSE                         DISLOCKER-FUSE(1)
    
    NAME
           Dislocker fuse - Read/write BitLocker encrypted volumes under Linux, OSX and FreeBSD.
    
    SYNOPSIS
           dislocker-fuse  [-hqrsv]  [-l  LOG_FILE]  [-O  OFFSET]  [-V  VOLUME DECRYPTMETHOD -F[N]] [--
           ARGS...]
    
           Where DECRYPTMETHOD  =  {-p[RECOVERY_PASSWORD]  |  -f  BEK_FILE  |  -u[USER_PASSWORD]  |  -k
           FVEK_FILE | -K VMK_FILE | -c}
    
    DESCRIPTION
           Given  a  decryption mean, the program is used to read or write BitLocker encrypted volumes.
           Technically, the program will create a virtual NTFS partition that  you  can  mount  as  any
           other NTFS partition.
    
           The  virtual  partition  is  linked to the underlying BitLocker volume, so any write to this
           volume is put on the BitLocker volume as well. However, you can use dd(1) to get rid of this
           limitation -- if it's a limitation for you. An example is provided in the  EXAMPLES  section
           of this man page.
    
    OPTIONS
           Program's options are described below:
    
           -c, --clearkey
                  decrypt volume using a clear key which is searched on the volume (default)
    
           -f, --bekfile BEK_FILE
                  decrypt volume using the bek file (present on a USB key)
    
           -F, --force-block=[N]
                  force  use  of  metadata  block  number N (1, 2 or 3).  Without N, the first block is
                  forced.  Without this option, the program will try each block until a  valid  one  is
                  found
    
           -h     print the help and exit
    
           -k, --fvek FVEK_FILE
                  decrypt  volume  using  the FVEK directly.  See the FVEK FILE section below to under‐
                  stand what is to be put into this FVEK_FILE
    
           -K, --vmk VMK_FILE
                  decrypt volume using the VMK directly.  See the VMK FILE section below to  understand
                  what is to be put into this VMK_FILE
    
           -l, --logfile LOG_FILE
                  put messages into this file (stdout by default)
    
           -O, --offset OFFSET
                  BitLocker  partition  offset,  in  bytes, in base 10 (default is 0).  Protip: in your
                  shell, you probably can pass -O $((0xdeadbeef)) if you have a 16-based number and are
                  too lazy to convert it in another way.
    
           -p, --recovery-password=[RECOVERY_PASSWORD]
                  decrypt volume using the recovery password method.  If no recovery-password  is  pro‐
                  vided, it will be asked afterward; this has the advantage that the program will vali‐
                  date  each  block one by one, on the fly, as you type it and not to leak the password
                  on the commandline
    
           -q, --quiet
                  do NOT display any information.  This option has priority on any previous  ‘-v'.  One
                  probably wants to check the return value of the program when using this option
    
           -r, --readonly
                  do not allow to write on the BitLocker volume (read only mode)
    
           -s, --stateok
                  do  not check the volume's state, assume it's ok to mount it.  Do not use this if you
                  don't know what you're doing
    
           -u, --user-password=[USER_PASSWORD]
                  decrypt the volume using the user password method.  If no user-password is  provided,
                  it  will  be  asked afterward; this has the advantage not to leak the password on the
                  commandline
    
           -v, --verbosity
                  increase verbosity (CRITICAL level by default), see also ‘-q'
    
           -V, --volume VOLUME
                  volume to get metadata and encrypted keys from
    
           --     mark the end of program's options and the beginning of FUSE's  ones  (useful  if  you
                  want to pass something like -d to FUSE)
    
           ARGS  are  any  arguments  you want to pass to FUSE. Note that you need to pass at least the
           mount-point.
    
    FVEK FILE
           The FVEK file option expects a specific format from the file. The file is split into two ma‐
           jor parts:
                  - 2 bytes describing the encryption in use, from 0x8000 to 0x8003 for AES 128 or  256
                  bits, with or without diffuser.
    
                  - 64 bytes (512 bits) which are the FVEK as in the FVEK key protector once decrypted.
    
           The file is therefore 66 bytes long, not more nor less.  Note that you may have to deal with
           endianness.
    
    EXAMPLES
           These are examples you can run directly.  First, you may want to copy the BitLocker volume:
    
                  % dd if=/dev/sda2 of=encrypted.bitlocker
    
                  This  will  copy  the  entire  volume  located into /dev/sda2 to encrypted.bitlocker.
                  You're not forced to do this step, but this will ensure no write whatsoever  is  per‐
                  formed on the BitLocker volume.
    
           Then dislock it:
    
                  % dislocker -V encrypted.bitlocker -f /path/to/usb/file.BEK -- /mnt/ntfs
    
                  This will create a file into /mnt/ntfs named dislocker-file.
    
           To mount partitions once decrypted, use this sort of line:
                  % mount -o loop /mnt/ntfs/dislocker-file /mnt/clear
    
           --
    
           It seems that you have to unmount the NTFS partition and the dislocker one before halting
           the system, or you will run into unexpected behaviour. In order to do so, you may run these
           commands (replacing your mount points):
                  % umount /mnt/clear && umount /mnt/ntfs/dislocker-file
    
           --
    
           Note  that  these  are examples and, as such, may need to be modified. For instance, you may
           want to change the decryption method used in them.
    
    AUTHOR
           This tool is developed by Romain Coltel on behalf of HSC (http://www.hsc.fr/)
    
           Feel free to send bugs report to <dislocker __AT__ hsc __DOT__ fr>
    
    Linux                                        2011-09-07                           DISLOCKER-FUSE(1)
    Please Note:
    Code:
    It seems that you have to unmount the NTFS partition and the dislocker one before halting
           the system, or you will run into unexpected behaviour. In order to do so, you may run these
           commands (replacing your mount points):
                  % umount /mnt/clear && umount /mnt/ntfs/dislocker-file
    Quote Originally Posted by tea for one View Post
    Yes, dual booting adds an undesirable complexity.
    The following truncated text is good advice.

    From Recommendations here https://www.happyassassin.net/posts/...lly-work-then/
    +1 To all the above
    Last edited by 1fallen2; September 10th, 2024 at 08:39 PM.
    "When you practice gratefulness, there is a sense of respect toward others." >>Dalai Lama

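The 48-digit recovery password that `manage-bde` lists as "numeric password" and that `dislocker -p` accepts has a checkable structure: eight groups of six digits, each group a 16-bit value multiplied by 11. As an added example (not part of any post, and not dislocker's own code), this function uses that structure to catch a mistyped group offline; passing the check only means the key is well formed, not that it belongs to a given volume. The sample keys in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Offline format check for a BitLocker
# recovery password before typing it at a recovery or dislocker prompt.

# Prints "ok" and returns 0 if every group passes; otherwise prints
# "bad format" or "bad group N" (1-based) and returns 1.
check_recovery_password() {
    key=$1
    # Shape: exactly 8 hyphen-separated groups of 6 digits (48 digits).
    if ! printf '%s\n' "$key" | grep -Eq '^[0-9]{6}(-[0-9]{6}){7}$'; then
        echo "bad format"
        return 1
    fi
    # Split on hyphens into the function's positional parameters.
    old_ifs=$IFS
    IFS=-
    set -- $key
    IFS=$old_ifs
    i=1
    for group in "$@"; do
        # Strip leading zeros so the shell does not read the group as octal.
        n=$(printf '%s' "$group" | sed 's/^0*//')
        n=${n:-0}
        # Each group is a 16-bit value times 11: divisible by 11, below 11*65536.
        if [ $((n % 11)) -ne 0 ] || [ "$n" -ge 720896 ]; then
            echo "bad group $i"
            return 1
        fi
        i=$((i + 1))
    done
    echo "ok"
    return 0
}
```

Read the key with `read -r key` and pass the variable to the function, rather than giving it as a script argument, so it does not appear in the process list.
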
  6. #26
    Join Date
    Sep 2024
    Beans
    12

    Re: Dual Window/Ubuntu boot wants windows recovery key (bitlocker key)



    tea for one: Secure Boot was disabled before I started this. I started trying yancek's solution, which required turning off BitLocker, which I did. Before proceeding further, I did a Ubuntu Boot-Repair to see if that would repair the problem. I then went back to Windows and turned on BitLocker, and then BitLocker wouldn't do auto-unlock nor encrypt. This seems to be the problem pspathis2 has. I then turned on Secure Boot, which allowed BitLocker to work. I wonder if the simplest solution would be to uninstall Ubuntu and reload a dual boot or just rely on the booter to select the OS. Are there any good instructions on how someone would do this? I'm fairly new to Ubuntu and need some hand holding.

  7. #27
    Join Date
    Sep 2024
    Beans
    12

    Re: Dual Window/Ubuntu boot wants windows recovery key (bitlocker key)


    tea for one: Do you mean one OS per disk, or is it one OS per partition?

  8. #28
    Join Date
    May 2008
    Beans
    4,450
    Distro
    Ubuntu 24.04 Noble Numbat

    Re: Dual Window/Ubuntu boot wants windows recovery key (bitlocker key)

    Clearly, you want to use two systems and learn about Ubuntu.
    Also, I get the impression that Windows is your principal system.

    The best solution is:-
    Each OS on a separate disk
    Each OS installed in UEFI mode with GPT and its own ESP
    Encryption is available for each disk - user choice?
    Boot via PC UEFI boot menu
    Possible third disk for data sharing (ntfs)

    The distinct advantage is that corruption on one OS will not affect the other OS
    Boot problems can be fixed by the correct tools for each system
    e.g. Ubuntu utilities for Ubuntu and Windows tools for Windows

    What do you think?
    Last edited by tea for one; September 10th, 2024 at 11:07 PM. Reason: Typo UFI > UEFI

  9. #29
    Join Date
    Sep 2024
    Beans
    12

    Re: Dual Window/Ubuntu boot wants windows recovery key (bitlocker key)

    tea for one:

    Your impression that Windows is my principal system is correct and I am a Ubuntu Newbie. However, I find that I like Linux because it seems so down to earth, and not oriented toward the next great idea.

    I like your solution and I will be moving to implement your solution. I find that trying to fix my issue is not straightforward.

    ONE MORE QUESTION:
    You stated-
    Can the Ubuntu and Windows systems share an encrypted data drive, or does the drive need to be unencrypted?

  10. #30
    Join Date
    May 2018
    Location
    Here and There
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: Dual Window/Ubuntu boot wants windows recovery key (bitlocker key)

    I "think" tea for one and I both agree this is the safest:
    The best solution is:-
    Each OS on a separate disk
    Each OS installed in UEFI mode with GPT and its own ESP
    And "share an encrypted data drive," is doable but with a lot of learning.

    LUKS (Linux Unified Key Setup) and BitLocker: LUKS is the standard encryption method for Ubuntu, while BitLocker is used in Windows. While both systems can encrypt drives, they use different formats and key management systems. This might lead to compatibility issues when trying to access the encrypted drive from both operating systems.

    LUKS is superior in my humble opinion.
    "When you practice gratefulness, there is a sense of respect toward others." >>Dalai Lama
