Unlocking multiple BitLocker drives that use the same password in one go

On a couple of newer non-OS drives I have trialled using BitLocker which comes with Windows 10 Pro. For drives that I’ve had for many years, they have been protected using TrueCrypt, which gives some indication of the age of the drives given that TrueCrypt was discontinued in 2014.

BitLocker is slightly more integrated into Windows Explorer so that the locked drives appear in My Computer and if you double click on them, you are prompted to enter the password to unlock the drive.

When you have multiple BitLocker-ed drives you have to repeat this unlocking process for each one. If you have a different password for each then this is probably acceptable, but if the same password is used on all drives then unlocking each one, one by one, is laborious. On the other hand, when you enter a password in TrueCrypt, it will unlock any drives that make use of that password.

Therefore I set out to script unlocking my four drives that have a common password in one go and ended up with the following PowerShell script.

Unlocking

$SecureString = Read-Host 'Enter BitLocker Password' -AsSecureString
Get-BitLockerVolume |
    Where ProtectionStatus -EQ Unknown |
    Unlock-BitLocker -Password $SecureString > $null

Upon executing the script:

• you are prompted for the password (which is displayed as asterisks in the console for privacy) and it is stored in the variable SecureString
• Get-BitLockerVolume lists all drives that use BitLocker
• Where ProtectionStatus -EQ Unknown then filters these drives down to those that are locked
• Unlock-BitLocker -Password $SecureString then unlocks each in turn, using the password provided at the prompt
• > $null hides any output in the console.

You can save this file as a PowerShell script, such as BitLockerUnlock.ps1. At this point you can try and execute it but you are likely to run into 2 issues:

• You need to run it as administrator / click through a User Account Control (UAC) prompt
• Running PowerShell scripts is disabled by default.

For my use case, I haven’t been able to find a way to bypass running as administrator (unless you turn UAC off which is undesirable). From what I have read, if you set up a Scheduled Task or use Group Policy to run the script at startup, the script will run as the SYSTEM user and therefore will bypass the UAC prompt, however I do not want to unlock my drives at logon.

To run PowerShell scripts, you can run a PowerShell command Set-ExecutionPolicy which allows you to run script types of your choosing, but this is not necessary as it can be bypassed as explained below.

There’s a couple of tidy ups we can do to make running the script a bit easier and neater. If you create a shortcut to the .ps1 script, you will find its Target is similar to:

C:\Users\Alex\Documents\Scripts\BitLockerUnlock.ps1

We need to update this to:

powershell -ExecutionPolicy Bypass -f "C:\Users\Alex\Documents\Scripts\BitLockerUnlock.ps1"

This runs the file with PowerShell and bypasses the execution policy restrictions mentioned previously. Whilst in the shortcut properties, also set the shortcut to Run As Administrator and you can also change the icon if you’d like. The BitLocker icon can be found in %SystemRoot%\System32\fvecpl.dll.

You should now be able to execute the shortcut, click through the UAC prompt and enter your BitLocker password in the console prompt. Once the script completes the prompt closes.

Locking

A simpler script can be created to reverse the process and lock the drives in one click.

Get-BitLockerVolume |
    Where ProtectionStatus -EQ On |
    Lock-BitLocker > $null

Upon executing the script:

• Get-BitLockerVolume lists all drives that use BitLocker
• Where ProtectionStatus -EQ On then filters these drives down to those that are unlocked
• Lock-BitLocker locks each in turn
• > $null hides any output in the console.

Create a shortcut in the same way as the unlock script. One additional change to the shortcut is to Run the shortcut Minimised, so that the PowerShell console is not displayed on screen whilst it is executing. We can do this for this script but not the unlock script, as there is in password input required to lock.

Alternatives

I ended up using PowerShell as the BitLocker commands support passing in a password. There is a simpler command prompt command manage-bde, however you cannot pass it a password and it will therefore prompt you for a password for each drive. A simple manage-bde command is:

manage-bde -unlock X: -password

Mac Build 2011- Conclusions

Everything is now working perfectly, apart from the mains power connector sticking out of a PCI bracket. For now this will do, it is better than cutting a hole in the back of the case that I later no longer want.

Some observations I have made are that it is quite top heavy at the moment- if I had more time I may consider creating a mount in the bottom of the case to place the hard drives in and also the airflow isn’t particularly that great. I have no intake fan at the front and so the hard drives are running slightly warmer than they should do. The mesh look of the case also means dust can quite easily enter and settle inside the case. I’ve been researching ways to stop this while not reducing air flow and a recommended solution is to use a stretched pair of tights.

Mac Build 2011- Day 13- Adding Power Extension

The ETX extension arrived and I could tuck it neatly underneath the motherboard tray. The only thing I was missing now as a way of turning it on, seeing as the front panel connectors weren’t connected.

The PowerMac front connector used 1 cable with 18 pins that plugged into the mac motherboard to power the firewire, audio, USB, power button and LED connectors.  This was no good for ATX, so I came across this thread (http://www.insanelymac.com/forum/index.php?showtopic=222735) where a guy in Spain hand made the cables suitable for ATX motherboards.

At €30 it seemed quite expensive and I was slightly dubious sending this amount of money to someone on a forum in another country, but when it the cable arrived I was impressed. It was braided beautifully and worked perfectly.

Mac Build 2011- Day 12- Adding Components

The case was ready to add my components. While the case was empty, I fed the modular power supply cables up to the top shelf and into the power supply. I then added the motherboard (with the CPU, heatsink and RAM already attacked) followed by the optical drive.

It did turn out to be a bit of a squeeze fitting the optical drive in, but as long as it’s an 18cm deep drive you’ll be fine. I then discovered my 4/8 pin ETX power connector wasn’t long enough, now the motherboard was mounted upside down. A quick trip to eBay and I found a 30cm extension for £3 with next day delivery.

All I had left to add was the graphics card and the hard drives. I reckon a 30cm graphics card should just about fit in the case before hitting the hard drive cages.

Mac Build 2011- Day 11- Mounting the Hard Drives & PSU Plug

The case came with a 2 bay hard drive cage using screws with rubber heads to hold the hard drives into the rails. While this seems a great idea to reduce vibrations, normal screws won’t fit in the rails particularly well and finding suitable screws took a while. If you want to get originals, they go for around £8 for a pack 4 on eBay (i.e £8 per hard drive). Since I have an SSD and 3x 3.5” drives, I needed to get another identical cage or find something else. I could also have made my own bracket to mount the hard drives in the bottom of the case to lower the centre of gravity, but in the end I bought another Apple cage for £15 on eBay.

The plan was to fix the 2 cages together and then mount them in the case. The cages have 4 plastic lumps on each side which held then in place originally, but now these were in the way and so were removed with a Stanley knife. I drilled 3 holes in each side and fitted small nut and bolts and the 2 cages now sat flush together.

I then drilled 2 larger holes in each side and these would be used to mount the cages to the top shelf under the optical drive. The main choice when drilling is whether you want the rotating locks that hold the hard drives in to be on the left side (front of the case) or right side. I chose on the left, to give slightly more space for large graphics card if needs be. The only downside to this is that the hard drives are mounted upside down.

For now, I didn’t have the time to find a way to mount the power supply connector in the back of the case. I bought a right angled kettle plug and stripped the end off an old kettle lead. I fed the wire through an unused PCI bracket and up through the top shelf and soldered on the plug. While not ideal, it does keep the back of the case intact for now.

Mac Build 2011- Day 10- Mounting the PSU

With the PSU in place on the top shelf, I drew around it in pencil. I then removed the fan cover and from this I could work out where I needed to cut a hole in the top shelf for the fan to poke through. Unfortunately one of the four screw holes doesn’t pass through the top shelf as there was already a hole there from existing cables to pass through. But with the other 3 in place the power supply has a tight fit. There are barely a couple of millimetres between the power supply and the top of the case.

Mac Build 2011- Day 9- PSU Location and Connector

Now that I had decide to mount the power supply in the top, the next decision was how far forward or back I should mount it. The issues here were the space required between the back of the optical drive and modular cables from the power supply, and space between the power supply and the back of the case. At first thought, it would seem mounting it at the back of the case would be best, however the corner of the case curves so there’s nearly a 5cm gap between the power supply and the back of the case. 

This would also leave space to for the power supply plug. I wanted to keep the case as clean as possible on the outside, so I plan to use the original power supply cable and connector.