32

I have just installed Ubuntu side-by-side to a Windows 10 partition shipped on a new laptop.

Meaning, the laptop shipped with Windows 10, and I installed Ubuntu alongside the Windows partition using an Ubuntu Desktop installation ISO through a flash drive.

Now every time I boot into the Windows boot manager, BitLocker wants me to enter the long BitLocker recovery key. A few questions ―

  1. Why actually is BitLocker affected by the new boot loader set up by Ubuntu? A naive thought would be that the BitLocker decryption key is stored on the motherboard TPM and isn't affected by a new boot loader installation, and that is probably true, as otherwise Windows would no longer be able to read its own files. So why is BitLocker even requiring the recovery key now?
  2. The Ubuntu side-by-side install said something about fiddling with boot protection, but it remains elusive whether that's related to the TPM or a separate security mechanism.
  3. The Ubuntu installer even asked for a pass-phrase that should help re-establish Secure Boot, but I was not prompted to use it anywhere after booting with either the Ubuntu or the Windows boot loader after the install.
  4. How do I make BitLocker trustful again? In Windows 10, I only see an option to disable disk encryption altogether, but I'm not sure why it can't just keep going.
  5. Turning encryption off and then on (in Windows) seems like overkill, and I've no idea whether it will scramble my Ubuntu partition while at it.

In Windows, after supplying the recovery key, I can see that device encryption is on. So my understanding is that my Windows partition is still decrypting its own files, whereas my Ubuntu partition isn't asking the TPM to encrypt its files when writing them nor decrypt them when reading them.

matanox
  • 448

10 Answers

10

The issue is that Windows does not consider GRUB a secure component. Thus, whenever you boot into Windows coming from GRUB, Windows considers that the boot sequence might have been compromised, and forces a key re-entry.

The only way I know to fix this is to not use GRUB altogether. You can either

  • choose the boot sequence directly through your BIOS menu (the solution I use, I just have to enter F12 during boot, and BIOS gives the choice between the boot scenarios)
  • or use Windows bootloader and add the linux options to it (See here how to achieve that).
Qortex
  • 201
  • 2
  • 5
9

I solved this by going to "BitLocker" --> "Suspend Encryption" --> restart Windows 10 --> select the Windows bootloader in GRUB --> Windows 10 encryption was enabled again, but it is no longer asking for the long encryption key.

I have a single SSD with:

  • Windows 10 (UEFI / GPT), BitLocker
  • Ubuntu (3 partitions: boot, root and home)

7

Late to the party, but as of 04/2022, installing Mint 20.3 on a Dell E6530 next to a BitLocker-enabled Windows 10 partition on the same drive, with Secure Boot disabled, I was hit by this problem too and could not solve it using the various answers on this thread or on many others:

  • Suspending protection did not work
  • Decrypting and re-encrypting the disk did not work:
    • when rebooting to test before encryption, the message 'The data drive specified is not set to automatically unlock on the current computer and cannot be unlocked automatically. C: was not encrypted' popped up.
    • when bypassing the test, encryption succeeded but I had to enter the recovery key at every boot
  • @jean-bernard-jensen's answer, adapted to my case with TPMAndPIN instead of TPM, did not work either. Secure Boot is disabled, so my PCR profile is 0,2,4,11. The fact that the PCR profile remained the same was the reason it did not work.

What worked:

  • Boot into Windows (with your recovery key, which I assume you will have extracted and have at hand in case anything goes wrong in the rest of the process)
  • Open the Group Policy Editor (type gpedit after opening the start menu) and navigate to Administrative Templates > Windows Components > Bitlocker Drive Encryption > Operating System Drives
  • Open the policy settings for 'Configure TPM platform validation profile for native UEFI firmware configurations'
  • Select 'Enabled'
  • Untick 'PCR 4: Boot Manager'
  • Open an elevated command prompt and use the following commands (you can probably replace TPMAndPin by TPM):
    • manage-bde -protectors -delete C: -type TPMAndPIN
    • manage-bde -protectors -add C: -TPMAndPIN (I'm asked to set a new PIN, which can be the same as before)
  • Reboot
  • Enjoy!

Once my setup is over - I may need to resize the partitions in the short/medium term - I will probably go through this again to enable PCR 5: GPT / Partition Table in the PCR profile.

As a side note, once you are past that stage, your next step will probably be to set up an encrypted drive that you can share between Windows and Linux. For this you may want to have a look at VeraCrypt, which can automount the same encrypted drive on both OSes at login using keyfiles, and has many other great features (hidden volume). You could also get rid of BitLocker altogether and use VeraCrypt for your system volume, but that's another story...

tkhyn
  • 696
2

I had this problem as well, and I found this workaround by accident:

With my setup, I get GRUB screen, where I can select between these options:

  • Ubuntu
  • Advanced options for Ubuntu
  • Windows Boot Manager (on /dev/sda2)
  • System Setup

When I select the Windows Boot Manager option, I get stopped at the BitLocker recovery screen.

However, if I simply hit ESC, I am taken to a GRUB terminal. When I enter exit into the terminal, the terminal disappears, and Windows starts up. With this flow, I don't hit the BitLocker recovery screen.

1

With a lot of help from the kind people in the comments, I was able to elegantly get past the problem. This was the elegant solution, taken from here:

To make BitLocker regain trust, I simply disabled and then re-enabled BitLocker:

"C:\Windows\system32\manage-bde.exe" -protectors -disable c:

"C:\Windows\system32\manage-bde.exe" -protectors -enable c:

I assume that now Windows uses BitLocker and disk encryption through the TPM just as before, and Ubuntu simply does not.

It is possible to install some Ubuntu stuff that makes it work like BitLocker (thusly presumably also enabling sharing partitions between Windows and Ubuntu), but I think that for now Ubuntu does not use the TPM hardware, so it would store the entire encryption key on disk, defeating the purpose of the encryption, so not worth it I guess.

So BitLocker was aware of the boot manipulation, justifiably causing it to await a trust-regaining event even though the TPM integration remained intact. Entering the protection key and then using the above couple of commands in Windows made it re-enter the state of trust, regaining normal operation.

matanox
  • 448
1

I ended up exactly with this situation. After a little bit of research I found this page: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan

Which was very informative. To summarize what I found: after logging in to Windows by providing the key to bypass BitLocker, I opened an admin console (WindowsKey+X, then select "Windows PowerShell") and ran this command:

manage-bde -forcerecovery c:

That is assuming that you are recovering your Windows installation on drive c:

This did the trick permanently. I hope this helps others with the same problem.

1

The answer @matt found is on the right track but is incomplete. You can definitely set up your TPM to accept your dual boot, and you can do it without disabling BitLocker and decrypting your data. The basic idea is to reset the TPM registers so they contain the new signatures of your boot setup. To do that, proceed as follows.

In the next steps, I assume you have a single BitLocker protected volume labeled C:.

1 - Backup your recovery key

There are multiple ways to do that documented on the internet. One of them is to run the following command in an admin prompt.

Manage-bde -protectors -get C:

It will display your recovery key as well as the enabled TPM protectors. Write down your key, as well as the list of the PCR Validation Profile used by your TPM. It is a list of numbers, like 7,11 or 0,2,4,11.

2 - Disable the TPM protectors

Execute the following command:

Manage-bde -protectors -delete C: -type TPM

You can run the get afterwards to see your disk is still protected by your recovery key. Alternatively, you could remove all protectors, but that means you will have to recreate a recovery key afterwards too.

3 - Setup your boot like you want it

Do your SecureBoot setup in the order you want. When finished, boot into Windows and re-enable the TPM protectors.

Manage-bde -protectors -add C: -TPM

Check the get again to see if the PCR Validation Profile is the same. If yes, you are all good. If not (which was my case), and you want to restore or customize it, open the Group Policy Editor utility, navigate to Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives, and open Configure TPM platform validation for native UEFI firmware configurations. Enable it, and in the bottom left, check the list of PCR profiles you want enabled. Match your original list (or create a custom one if you know what you are doing), then apply and save.

Go back to the command line and create the TPM Protectors again.

4 - Enjoy

The PCR Profile 7 is the one storing your Secure Boot signature. If you applied it once booted with the fully configured boot, you can enjoy a smooth and secure double boot.

Appendix

If this method fails, you can decide to wipe all protectors instead of just the TPM ones during the SecureBoot setup. In that case, the encryption key is stored as plain text on the disk, so your data is not secured but not unencrypted either. If you do so, do not forget to create a new recovery key once you are done:

Manage-bde -protectors -add C: -RecoveryKey

Be careful, it is a new one, that you must write down and/or backup again.
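The protector reset described in this answer, and in tkhyn's answer above, can be driven from PowerShell with the built-in BitLocker module so that the recovery password is captured and the PCR validation profile is compared before and after the TPM protector is recreated. This is an added example, not code from either answer or from Microsoft; it assumes an elevated PowerShell session on Windows 10, a single BitLocker-protected OS volume C:, and that `manage-bde -protectors -get` prints a "PCR Validation Profile:" line followed by a line with the PCR numbers (the text-format assumption is marked in the code).

```powershell
# Added example (not from the original answers). Assumes elevated PowerShell on
# Windows 10 with the BitLocker module, a single protected OS volume, and that
# manage-bde prints "PCR Validation Profile:" followed by a line of PCR numbers.

function Get-PcrValidationProfile {
    param([string[]]$ManageBdeOutput)
    # Parses the text printed by 'manage-bde -protectors -get <vol>'.
    # Assumption: the PCR numbers sit on the line after "PCR Validation Profile:".
    for ($i = 0; $i -lt $ManageBdeOutput.Count - 1; $i++) {
        if ($ManageBdeOutput[$i] -match 'PCR Validation Profile') {
            $nums = [regex]::Matches($ManageBdeOutput[$i + 1], '\d+') |
                ForEach-Object { [int]$_.Value }
            return ($nums -join ',')          # e.g. "7,11" or "0,2,4,11"
        }
    }
    return $null
}

function Reset-TpmProtector {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Step 1: make sure a recovery password exists and show it so it can be stored offline.
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) { throw "No recovery password protector on $MountPoint; add one first." }
    Write-Host "Recovery password (store this offline before continuing): $($recovery.RecoveryPassword)"

    $before = Get-PcrValidationProfile (manage-bde -protectors -get $MountPoint)
    Write-Host "PCR validation profile before: $before"

    # Step 2: remove only the TPM-based protectors (Tpm, TpmPin, TpmStartupKey, ...);
    # the recovery password protector stays, so the volume remains unlockable.
    $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -like 'Tpm*' } |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }

    # Step 3: run this only after the final boot configuration (GRUB, Secure Boot state)
    # is in place; the new TPM protector seals against the PCR values of the current boot chain.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null

    $after = Get-PcrValidationProfile (manage-bde -protectors -get $MountPoint)
    Write-Host "PCR validation profile after:  $after"
    if ($before -ne $after) {
        Write-Warning "PCR profile changed; adjust the 'Configure TPM platform validation profile for native UEFI firmware configurations' policy and rerun."
    }
}

# Usage (elevated): Reset-TpmProtector -MountPoint 'C:'
```

If the machine uses TPM+PIN, replace the `-TpmProtector` switch with `-TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')`. The script deliberately never removes the recovery password protector, which is what keeps the data reachable if the new TPM seal does not match on the next boot.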

0

Simply go to https://account.microsoft.com, go to your device details and go to the "Manage recovery keys" menu. There you can see the recovery key.

Premjith
  • 101
-1

The only solution I've found is to change the boot order in the BIOS to put the Windows bootloader on top. This method makes booting Ubuntu a bit troublesome, as I have to stop the normal boot and choose "Select a Temporary Boot Device" in order to enter GRUB from there. This way I can avoid BitLocker getting angry at GRUB and asking for a key if I want to use Windows. For me it's not a big problem, as I mainly use Windows to do most of my work.

-1

There's a really good answer here: Ubuntu Windows 10 Dual boot with TPM & Bitlocker from user1686.

It tells you how to configure the EFI Boot Manager so that you can boot directly into Windows and avoid the recovery key prompt, but then also set it to boot to Linux on the next go around, or vice versa. Basically, by telling the firmware to boot directly into either OS, instead of going through GRUB, you can get dual boot and Windows / BitLocker will be happy.

Wade
  • 391
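The one-shot firmware boot described in this answer can be set from the Windows side with `bcdedit`, which exposes the firmware boot manager as `{fwbootmgr}` and accepts a `bootsequence` that applies to the next start only, leaving the default boot order (and therefore the boot path BitLocker measured) on Windows Boot Manager. This is an added example, not code from the linked answer; it assumes an elevated PowerShell prompt, that the Ubuntu firmware entry is described as "ubuntu" (the default name of Ubuntu's shim entry), and that `bcdedit /enum firmware` lists each entry with an `identifier` line followed by a `description` line.

```powershell
# Added example (not from the linked answer). Assumes elevated PowerShell on Windows,
# a firmware entry described as "ubuntu", and the bcdedit text layout noted below.

function Get-FirmwareBootEntryId {
    param([string[]]$BcdOutput, [string]$Description)
    # Parses 'bcdedit /enum firmware' output. Assumption about the layout: within each
    # entry block an 'identifier   {guid}' line precedes a 'description   <name>' line.
    $id = $null
    foreach ($line in $BcdOutput) {
        if ($line -match '^identifier\s+(\{[^}]+\})') { $id = $Matches[1]; continue }
        if ($line -match '^description\s+(.+)$' -and $Matches[1].Trim() -eq $Description) {
            return $id
        }
    }
    return $null
}

function Set-NextBootTo {
    param([string]$Description = 'ubuntu')
    $id = Get-FirmwareBootEntryId (bcdedit /enum firmware) $Description
    if (-not $id) { throw "No firmware boot entry described as '$Description'" }
    # bootsequence is consumed on the next boot only; the persistent displayorder,
    # and so the normal Windows boot path, is left untouched.
    bcdedit /set '{fwbootmgr}' bootsequence $id
}

# Usage (elevated): Set-NextBootTo -Description 'ubuntu'; Restart-Computer
```

The braces around `{fwbootmgr}` must be quoted in PowerShell, otherwise they are parsed as a script block. From the Linux side the equivalent one-shot selection is `efibootmgr -n <BootNNNN>` (BootNext) pointing at the Windows Boot Manager entry; on a normal, unmodified boot order BitLocker sees the same measured boot chain it sealed against and does not prompt for the recovery key.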