Virtual Bitlocker Containers

A few days ago a post on the Sans.org diary caught my attention because of its title: Virtual Bitlocker Containers. Very nice idea 😀

But instead of going through the old-school diskpart.exe hassle, you can bring more automation with PowerShell, using the following one-liner:


# Define a hashtable for readability (splatted into Enable-BitLocker below)
$BLHT = @{
 EncryptionMethod  = 'XtsAes256';
 PasswordProtector = $true;
 Password = (ConvertTo-SecureString '12345678' -AsPlainText -Force);
 UsedSpaceOnly = $true;
}

# Here we go!
New-VHD -Path c:\container.vhdx -SizeBytes 128MB -Fixed |   # create the fixed-size container file
Mount-VHD -Passthru |                                      # attach it as a disk
Initialize-Disk -PassThru |                                # write a partition table
New-Partition -UseMaximumSize -AssignDriveLetter |         # one partition, next free drive letter
Format-Volume -FileSystem NTFS |                           # format it
Select @{l='MountPoint';e={"$($_.DriveLetter):"}} |        # build the MountPoint property Enable-BitLocker binds to
Enable-BitLocker @BLHT |                                   # encrypt with the password protector
Add-BitLockerKeyProtector -RecoveryPasswordProtector -WA 0 # add a recovery password, warning suppressed

NB1: The XTS-AES encryption method was introduced in Windows 10 version 1511.
NB2: -WA is the alias of -WarningAction, and 0 means SilentlyContinue.
You can try the one-liner without it and the recovery key will be displayed in the warning stream.

So, don’t forget to

# save the recovery key displayed by this command somewhere safe (d: is the letter the container got)
Get-BitLockerVolume d: | Select -Expand KeyProtector
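The one-liner only covers creation. Here is an added example (not from the original post) for the day-to-day side: attach an existing container, unlock it, check that it is really protected the way the one-liner intended, then lock and detach it. It assumes the container sits at C:\container.vhdx as above, and reads the password with Read-Host -AsSecureString rather than embedding it in the script.

```powershell
# Added example; assumes the container created by the one-liner (C:\container.vhdx).
function Open-BitLockerContainer {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Attach the VHDX; the volume shows up with a drive letter but stays locked.
    $vhd    = Mount-VHD -Path $Path -Passthru
    $letter = (Get-Disk -Number $vhd.DiskNumber | Get-Partition | Where-Object DriveLetter).DriveLetter
    $mp     = "$($letter):"
    Unlock-BitLocker -MountPoint $mp -Password $Password | Out-Null

    # Checks worth doing before trusting the container with anything sensitive
    $vol = Get-BitLockerVolume -MountPoint $mp
    if ($vol.EncryptionMethod -ne 'XtsAes256') {
        Write-Warning "Unexpected encryption method: $($vol.EncryptionMethod)"
    }
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        Write-Warning "Volume status is $($vol.VolumeStatus), not FullyEncrypted"
    }
    if ($vol.KeyProtector.KeyProtectorType -notcontains 'RecoveryPassword') {
        Write-Warning 'No recovery password protector: a forgotten password means lost data'
    }
    return $mp
}

function Close-BitLockerContainer {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$MountPoint
    )
    # Lock first so the volume key is discarded, then detach the VHDX file.
    Lock-BitLocker -MountPoint $MountPoint -ForceDismount | Out-Null
    Dismount-VHD -Path $Path
}

# Usage
$pass = Read-Host -Prompt 'Container password' -AsSecureString
$mp   = Open-BitLockerContainer -Path C:\container.vhdx -Password $pass
Get-ChildItem $mp            # work with the files while it is open
Close-BitLockerContainer -Path C:\container.vhdx -MountPoint $mp
```

Run it from an elevated PowerShell with the Hyper-V and BitLocker modules available (the same requirement as the one-liner).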

(Screenshot: Bitlocker-Container-OneLiner)

Bonus: about XTS-AES
(Screenshot: Bitlocker-New-XTS-AES)
