
BitLocker recovery key for offline devices #5746

Closed
JSkolnik opened this issue Jan 28, 2024 · 62 comments · Fixed by #5747 or #5832

@JSkolnik

As a technical team, we would welcome a Bitlocker recovery key stored in the dashboard. The use case is for the case when the computer performs a BIOS flash incorrectly and asks the user to enter a key that he does not know, because the HW vendor has enabled encryption by default with the key stored in the TPM. Or when replacing the motherboard. These are cases where the computer is offline and it is not possible to read the key from powershell or sysinfo.
Would it be possible for the agent to load the recovery key and store it in the database, then display it in the Meshcentral dashboard? The display can be on demand after entering the password.

@si458
Collaborator

si458 commented Jan 28, 2024

how does this look?
you can hover over the string and click to display a message with the key OR click the little key icon for same thing
ALSO the little key will ONLY show IF it knows a recoveryPassword; if not, the key is hidden, but it will still show Fully Encrypted
I'll just carry on working on the pop up box tomorrow 👍

@si458 si458 self-assigned this Jan 28, 2024
@si458
Collaborator

si458 commented Jan 29, 2024

how does this look? im TERRIBLE at making GUI interfaces!?

This was referenced Jan 29, 2024
@JSkolnik
Author

Cool!
Perhaps the identifier for which the recovery code is displayed should also be displayed.
Good job!

@si458
Collaborator

si458 commented Jan 29, 2024

what do you mean identifier sorry? i currently only get the drive letter, status, protectionstatus, password ?
this is the information that gets outputted for the recovery key

PS C:\Users\ASUS> manage-bde -protectors -get C: -Type recoverypassword
BitLocker Drive Encryption: Configuration Tool version 10.0.22621
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [OS]
Key Protectors of Type Numerical Password

    Numerical Password:
      ID: {CC8EEA4F-9DCF-XXXX-XXXX-XXXX-XXXX-XXXX}
      Password:
        505109-477147-XXXXXX-XXXXXX-XXXXXXX-XXXXXXX-XXXX

@JSkolnik
Author

It is this parameter:
Numerical Password:
ID: {CC8EEA4F-9DCF-XXXX-XXXX-XXXX-XXXX-XXXX}

I'm wondering if this feature should only be accessible to certain permissions in MeshCentral. For example for "admin". Because the MC can be accessed by a team (for example, a team of operators) that should not see the recovery key.

@si458
Collaborator

si458 commented Jan 29, 2024

@JSkolnik i realised the minute i clicked 'Comment' what you meant haha!
and yes i agree the view key should only be shown for 'admin' accounts, i just need to check with @Ylianst about the user permissions and how they work!?

EDIT: i think to begin with i will show they key icon IF the user is an admin account, THEN later ill check with @Ylianst about the user permissions etc

@JSkolnik
Author

Great thanks.

@arduin0guru

Great job *******************************

@si458
Collaborator

si458 commented Jan 29, 2024

better?

@arduin0guru also the key/identifier SHOULD be stored in the database now too!

@arduin0guru

Yes, better than ever.

@JSkolnik
Author

Yes, it looks great.

@si458
Collaborator

si458 commented Jan 29, 2024

still need to do the permissions but slowly getting there 👍

@si458
Collaborator

si458 commented Jan 29, 2024

done a draft PR, it's only 2 files that you need to update IF you wanted to try the GUI for me!?
i havent added it to the mobile UI as I wasn't sure if that was needed or not?

@JSkolnik
Author

I'll be happy to try.
The mobile version is probably not needed.

@si458
Collaborator

si458 commented Jan 29, 2024

@JSkolnik great! you can just copy the 3 (sorry forgot to upload the key icon haha), from the PR above, replace on your meshcentral, then restart and see if it works!?

@arduin0guru

Copied both files and restarted the server but no update on the GUI !!!!!

@si458
Collaborator

si458 commented Jan 29, 2024

@arduin0guru there were 3 files sorry, I forgot the icon (sorry you might need to copy that too)
Also u will only see the key icon IF your user is the SITEADMIN
But you should still be able to just click the green text

Also one thing u can check is go into the console tab and type coreinfo, and check the reply shows volumes, ur drives, then recoverypassword/identifiers etc...

@arduin0guru

It's working after updating ICON file

@si458
Collaborator

si458 commented Jan 29, 2024

It's working after updating ICON file

My bad! Forgot the icon when I did the PR, so had to push it into the PR doh!

@Ylianst
Owner

Ylianst commented Feb 18, 2024

The upcoming version of MeshCentral will have storage volumes in the details tab and, if you are administrator of the device group and BitLocker is enabled on a volume, you can see the recovery password by clicking on the small key.


@smartekIT
Contributor

I already updated to the new version 1.21, I'm getting this which has nowhere to click to show the BitLocker key. Also when I do the bitlocker command under the console tab.

@smartekIT
Contributor

by the way, I'm administrator on the whole system and also the creator for that group and that device !

@JSkolnik
Author

JSkolnik commented Feb 18, 2024

@smartekIT what is your output from the command: manage-bde -protectors -get C: -Type recoverypassword

@JSkolnik
Author

JSkolnik commented Feb 18, 2024

@Ylianst @si458 Great. After updating to version 1.1.21 it works. Good work.

@si458
Collaborator

si458 commented Feb 18, 2024

@smartekIT hmm weird? Will have to test on an external drive, as I only have it enabled on my local drive.
Can u go into the bitlocker panel in windows and save a copy of key?
If u can then it should work, will need investigating if there is a different command at all!

Edit. If u do use bitlocker and think it should show a key, then plz open a new issue and we can track progress there!

@smartekIT
Contributor

ok I just tried it on another machine by turning on bitlocker. The server detected that and when I compared the identifier and the password they matched.
So for the first machine where it didn't work, we can ignore that for now as it's not part of my local network and I'm not sure how they configured it so it behaves like that, weird. Maybe they didn't configure the TPM properly.

Thanks anyway.

@si458
Collaborator

si458 commented Feb 18, 2024

@smartekIT I'm guessing it's windows 11 installed on unsupported processor/computer, because it should at least show TPM in the details page in meshcentral. But still amazed how they enabled it without a tpm tho haha

@smartekIT
Contributor

@smartekIT I'm guessing it's windows 11 installed on unsupported processor/computer, because it should at least show TPM in the details page in meshcentral. But still amazed how they enabled it without a tpm tho haha

have no idea... very weird :)

@elpibedeoro

Hi,
Just upgraded to v.1.21 on Debian and I cannot see the bitlocker status in the general panel anymore.
In the details panel, I can see a FullyEncrypted Volume but there is not a small key to show the recovery key (I'm admin of the group).
Is there any options to add at the config.json file to show that ?

Thanks.

@si458
Collaborator

si458 commented Feb 19, 2024

@elpibedeoro are you a FULL ADMIN USER? or just a normal user with 'admin privileges' for a group of computers?
im wondering if @Ylianst might have set it to FULL ADMIN?

@elpibedeoro

I've checked with both accounts and the result is the same.

@si458
Collaborator

si458 commented Feb 19, 2024

whats the output you get if you use the console tab and type bitlocker then volumes ?
whats also the output of manage-bde -protectors -get C: -Type recoverypassword from the cmdline (with admin rights)

@elpibedeoro

Here is:


> bitlocker
Please wait...
{
 "C": {
  "name": "Systeme",
  "type": "NTFS",
  "size": 510253854720,
  "volumeStatus": "FullyEncrypted",
  "protectionStatus": true
 }
}

and

> volumes
{
 "\\\\?\\Volume{754e4a64-****-****-b0f0-2d611e488db1}\\": {
  "Automount": true,
  "BlockSize": "4096",
  "BootVolume": true,
  "Capacity": "510253854720",
  "Caption": "C:\\",
  "Compressed": false,
  "DeviceID": "\\\\?\\Volume{754e4a64-****-****-b0f0-2d611e488db1}\\",
  "DirtyBitSet": false,
  "DriveLetter": "C:",
  "DriveType": 3,
  "FileSystem": "NTFS",
  "FreeSpace": "405650976768",
  "IndexingEnabled": true,
  "Label": "Systeme",
  "MaximumFileNameLength": 255,
  "Name": "C:\\",
  "PageFilePresent": true,
  "QuotasEnabled": false,
  "QuotasIncomplete": false,
  "QuotasRebuilding": false,
  "SerialNumber": ****,
  "SupportsDiskQuotas": true,
  "SupportsFileBasedCompression": true,
  "SystemName": "*****",
  "ConversionStatus": 1,
  "EncryptionMethod": 6,
  "IsVolumeInitializedForProtection": true,
  "PersistentVolumeID": "{161289ED-****-****-****-F47CBEE22A99}",
  "ProtectionStatus": 1
 },

and to complete:

C:\Program Files\Mesh Agent>manage-bde -protectors -get C: -Type recoverypassword
Chiffrement de lecteur BitLocker: outil de configuration version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. Tous droits réservés.

Volume C: [Systeme]
Protecteurs de clés de type Mot de passe numérique

    Mot de passe numérique :
      ID : {45438C2E-2FE4-****-****-*****}
      Mot de passe :
        ******-******-******-******-******-******-******-******

@si458
Collaborator

si458 commented Feb 19, 2024

was it working before the 1.0.21 release?
bloody non-english windows... that looks french?
i have to get it to check every translation of 'Password' and 'Numeric Password'

@elpibedeoro

Yep, it's French and it worked on the 1.0.20.
In this case "password" = "mot de passe numérique"

@si458
Collaborator

si458 commented Feb 19, 2024

@elpibedeoro can you try
chcp 437 & manage-bde -protectors -get C: -Type recoverypassword from the cmd line?
does it change the language to english?

@elpibedeoro

Nope, still in French.

@si458
Collaborator

si458 commented Feb 19, 2024

can you just try downloading this file https://github.com/Ylianst/MeshCentral/blob/french-bitlocker/agents/modules_meshcore/computer-identifiers.js
and replacing computer-identifiers.js in node_modules/meshcentral/agents/modules_meshcore/ ?
then restart meshcentral and try again?
hopefully it should work, added the translations for 'Password' and 'Numeric Password'

@elpibedeoro

I'm afraid that still doesn't work :-(

@si458
Collaborator

si458 commented Feb 19, 2024

@elpibedeoro can you try one more time plz? i forgot the french identifier and spaces in the string from the looks of your output
https://github.com/Ylianst/MeshCentral/blob/french-bitlocker/agents/modules_meshcore/computer-identifiers.js#L448-L454
you can see its changed slightly

@elpibedeoro

You are almost there, in the General panel it still doesn't work but in the Details panel I can see the little key icon and the recovery key now.
The ID seems to be missing


@si458
Collaborator

si458 commented Feb 19, 2024

whats the output of bitlocker now?

@elpibedeoro

the output in the console shows the recoveryPassword value now
the output of the "chcp 437 & manage-bde -protectors -get C: -Type recoverypassword" from the cmd line is still in French

@si458
Collaborator

si458 commented Feb 19, 2024

ok think ive got it! 1 more try plz (same file/location)
more bloody spaces... not sure why windows in french is putting spaces after everything?

@elpibedeoro

Nothing has changed :-(

@si458
Collaborator

si458 commented Feb 19, 2024

did you download the file again as i made a few changes? https://github.com/Ylianst/MeshCentral/blob/french-bitlocker/agents/modules_meshcore/computer-identifiers.js

you also wont see it anymore in the general tab as @Ylianst moved it to the details tab instead

is the output of manage-bde -protectors -get C: -Type recoverypassword still the same as above? #5746 (comment)

is the output of bitlocker now showing the recoveryPassword just not identifier ?

@elpibedeoro

elpibedeoro commented Feb 19, 2024

Yes, I did and restarted Meshcentral.
The output of manage-bde -protectors -get C: -Type recoverypassword is still the same but, I think it's obvious but I rather note to avoid any misunderstandings, I did put the * character in the output.
The output of bitlocker command shows the recoveryPassword without the identifier.

About the General Tab, I did miss the info, thanks for reminding me.

@si458
Collaborator

si458 commented Feb 19, 2024

fixed this time i promise! one more try plz... copy+paste same file
the patch? nextline.startsWith('ID: ') should be nextline.startsWith('ID :') i put the space in the wrong place...
(we still need the first nextline.startsWith('ID:') for english/german)
ive had a bad nights sleep like 4 hours sleep thats it... my brain decided to take the day off i think...

@elpibedeoro

You work hard and you do an excellent job but the result is still the same about the identifier, it is not shown.

It's good enough that I can see the recovery key in the console and in the details tab !
A good rest may bring another idea for the identifier maybe? :)
Thank you for your commitment in any case.

@si458
Collaborator

si458 commented Feb 19, 2024

time to setup a VM in french and hope i remember any of it from my school days!
do you just setup in french? or do you setup in english and add french later?

@si458
Collaborator

si458 commented Feb 19, 2024

@elpibedeoro ok all fixed now! one final try pretty plz
so it appears the meshcore (which uses duktape underneath for its JS) isnt handling numérique correctly because its a special character when it does its checking!
so just told it to look for Mot de passe num instead, as we arent actually interested in that line anyways but the line underneath it!

edit: thank you google lens for translating the setup and installing drivers etc haha

@elpibedeoro

Oh magnifique ! You get it, great job !
Thanks for your time and for the details, effectively each language has its own "inconveniences" ! :)
Have a nice day

@si458
Collaborator

si458 commented Feb 20, 2024

@elpibedeoro glad it worked! i still need to research IF there is a way of getting the recovery key from maybe the registry or outputting it to a file, then i can read it without having to worry about translations! but baby steps...
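
The fix worked out in this thread matches the translated label text line by line ('ID: ' versus 'ID :', 'Mot de passe num' instead of the accented 'numérique'), and the last comment asks whether translations could be avoided altogether. The block below is an added example written for this page; it is not MeshCentral's computer-identifiers.js code. It keys on the two values in the manage-bde output whose shape does not change with the Windows display language: the protector ID, a braced GUID, and the 48-digit numerical password. It also applies BitLocker's documented rule for a recovery password (eight six-digit groups, each divisible by 11 and below 720896) before accepting a value, so a truncated or garbled line is rejected rather than stored. The two sample outputs are constructed, modelled on the English and French output quoted earlier in the thread; the GUIDs and the password are made up, not real keys. It sticks to ES5 syntax so it would also run on an ES5-only engine such as the Duktape-based meshcore the thread mentions.

```javascript
// Locale-independent extraction of BitLocker recovery protectors from the output of
//   manage-bde -protectors -get C: -Type recoverypassword
// Added example for this thread; NOT MeshCentral's own computer-identifiers.js logic.
// Instead of matching translated labels ("Password:" / "Mot de passe :"), it keys on
// the two values whose shape never changes with the Windows display language:
// the protector ID (a braced GUID) and the 48-digit numerical password.
// ES5 syntax only (var, function expressions) so it would also run on an ES5 engine
// such as the Duktape-based meshcore named in the thread.

var GUID_RE = /\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}/;
var RECOVERY_PASSWORD_RE = /^\d{6}(?:-\d{6}){7}$/;

// Parse manage-bde output into a list of { id, password } protectors. A GUID line
// opens a protector; the next line shaped like a recovery password completes it.
function parseRecoveryProtectors(output) {
    var protectors = [];
    var current = null;
    var lines = output.split(/\r?\n/);
    for (var i = 0; i < lines.length; i++) {
        var line = lines[i].trim(); // the French output pads labels with extra spaces
        var guid = GUID_RE.exec(line);
        if (guid) {
            current = { id: guid[0], password: null };
            protectors.push(current);
            continue;
        }
        if (current && current.password === null && RECOVERY_PASSWORD_RE.test(line)) {
            current.password = line;
        }
    }
    // Protectors without a password line (e.g. a TPM protector) are not recovery keys.
    return protectors.filter(function (p) { return p.password !== null; });
}

// BitLocker's documented rule for a recovery password: eight six-digit groups, each
// divisible by 11 and below 720896 (so that group / 11 fits in 16 bits). A value that
// fails this is not a usable recovery password and should not be stored as one.
function isValidRecoveryPassword(password) {
    if (!RECOVERY_PASSWORD_RE.test(password)) { return false; }
    var groups = password.split('-');
    for (var i = 0; i < groups.length; i++) {
        var n = parseInt(groups[i], 10);
        if (n % 11 !== 0 || n >= 720896) { return false; }
    }
    return true;
}

// Parse, then keep only protectors whose password passes the group check, so a
// truncated or garbled line never reaches the database or the dashboard.
function extractValidRecoveryKeys(output) {
    return parseRecoveryProtectors(output).filter(function (p) {
        return isValidRecoveryPassword(p.password);
    });
}

// Constructed sample, modelled on the English output quoted in the thread.
// GUID and password are made up: the groups satisfy the rule but this is not a real key.
var SAMPLE_EN = [
    'BitLocker Drive Encryption: Configuration Tool version 10.0.22621',
    'Copyright (C) 2013 Microsoft Corporation. All rights reserved.',
    '',
    'Volume C: [OS]',
    'Key Protectors of Type Numerical Password',
    '',
    '    Numerical Password:',
    '      ID: {CC8EEA4F-9DCF-4A7B-9E31-6F2C1D8A0B55}',
    '      Password:',
    '        505109-477147-110000-223344-336655-448800-550011-661166',
    ''
].join('\r\n');

// Constructed sample, modelled on the French output quoted in the thread:
// note the space before every colon and the accented label, neither of which matters here.
var SAMPLE_FR = [
    'Chiffrement de lecteur BitLocker: outil de configuration version 10.0.19041',
    'Copyright (C) 2013 Microsoft Corporation. Tous droits réservés.',
    '',
    'Volume C: [Systeme]',
    'Protecteurs de clés de type Mot de passe numérique',
    '',
    '    Mot de passe numérique :',
    '      ID : {45438C2E-2FE4-4D6E-8C2B-7A1F0E9D3C5B}',
    '      Mot de passe :',
    '        505109-477147-110000-223344-336655-448800-550011-661166',
    ''
].join('\r\n');

console.log(JSON.stringify(extractValidRecoveryKeys(SAMPLE_EN)));
console.log(JSON.stringify(extractValidRecoveryKeys(SAMPLE_FR)));
```

Because the parser never inspects label text, the same code handles the English and French samples, and would do the same for German or any other locale; the group check is what makes it safe to skip the labels, since a random 48-digit line would fail it. Whatever the agent stores in the dashboard is still recovery material for the whole volume, so the thread's point about restricting the key icon to site administrators applies unchanged to anything produced this way.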
