Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Virtual Bitlocker Containers - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Virtual Bitlocker Containers

This week, I got an interesting question from a customer: "What do you recommend to safely store files in a directory on my laptop?". They are plenty of ways to achieve this, the right choice depending on the encryption reliability, the ease of use and maybe some technical requirements. Sometimes, a simple encrypted zip file will do the job, sometimes something stronger is mandatory. In Microsoft environments, Bitlocker is a nice solution since Windows 7. But it was not the right choice for my customer, he did not want to use Bitlocker in its "FDE" ("Full Disk Encryption") way. For years, I'm a big fan of TrueCrypt which is able to work with partitions but also with containers. When not used, those are seen just as big binary files for the operating system. Since the bad story that happened to TrueCrypt, I switched to GostCrypt, a 100% compatible alternative developed by a group of universities.

If your environment is fully running on top of Windows OS, why not use Bitlocker after all? If it's not possible to encrypt a single directory (as requested by my customer), why not create a container "in the TrueCrypt way"? Do you know that Windows is able to create virtual disk and mount them like a "mount -o loop" on Linux? This operation is achieved with diskpart, a command line tool available in C:\Windows\System32.

Start a command prompt, launch "diskpart" and a new command line window will open: (Note: you will be playing with the file system, so administrator's privileges are required!)

Let's go! First we must create a virtual disk of the size you need, the size being in MB: (Keep in mind that Bitlocker requires a minimum disk size to be enabled)

DISKPART> create vdisk file="c:\container.vhd" maximum=120 type=fixed
  100 percent completed
​DiskPart successfully created the virtual disk file.

Now, the next steps are to select the virtual disk, create a single partition and format it in NTFS:

DISKPART> select vdisk file="c:\container.vhd"
​DiskPart successfully selected the virtual disk file.
​DISKPART> attach vdisk
  100 percent completed
​DiskPart successfully attached the virtual disk file.
​DISKPART> list vdisk
  VDisk ###  Disk ###  State                 Type       File
  ---------  --------  --------------------  ---------  ----
* VDisk 0    Disk 1    Attached not open     Fixed       c:\container.vhd
​DISKPART> list partition
There are no partitions on this disk to show.
​DISKPART> create partition primary
​DiskPart succeeded in creating the specified partition.
​DISKPART> list partition
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
* Partition 1    Primary             18 MB    64 KB
​DISKPART> select partition 1
Partition 1 is now the selected partition.
​DISKPART> format fs=ntfs label="Secret Container"
  100 percent completed
​DiskPart successfully formatted the volume.
​DISKPART> active
DiskPart marked the current partition as active.
​DISKPART> assign letter=q
​DiskPart successfully assigned the drive letter or mount point.
​DISKPART> exit

You should now see a new disk connected:


The next step is to enable Bitlocker on the container and configure it like a normal disk. Right click on the new drive and configure Bitlocker as usual.
Once completed, the disk looks like a normal Bitlocker container:

To unmount the container, use the "detach vdisk" command in diskpart.

To make the container available after a reboot, the operation to mount the vdisk can be automated via a simple script:

select vdisk file="c:\container.vhd"
select partition 1
attach vdisk

You can execute this script via the following command. Once mounted, the classic Bitlocker pop-up windows will ask you the password to unlock the container.

C:\> diskpart /s bitlocker.txt

With this method, you can easily exchange Bitlocker containers with peers, you can create multiple containers for multiple projects and you can create containers on USB disks without having to reserve the entire space for this purpose!

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key

Xme

418 Posts
ISC Handler
Hello,

GostCrypt ??

https://en.wikipedia.org/wiki/GOST_%28block_cipher%29#Cryptanalysis_of_GOST

Radomir Tomis
rts

3 Posts
This could also be done over the network to achieve client-side encryption, but the downside (apart from the requirement of administrative rights) is that the files can only be accessed by one individual at a time. Does anyone know if administrative rights for these kind of activities can be delegated? (as it is done in Linux with sudo)
Enos

1 Posts
Hello,

GostCrypt ??

https://en.wikipedia.org/wiki/GOST_%28block_cipher%29#Cryptanalysis_of_GOST

Radomir
rts

3 Posts
Great diary - I have always found that repeatable and easy-to-follow instructions using built-in functionality is an elegant and smart way to build functionality. For most businesses this is affordable (already paid for), available (already there) and attainable (you can do this!).

Once you have functionality you can think of use cases. We have one here, a secure container for files. Another could be for "offline" storage of a bitcoin wallet? An "offline" backup that ransomware won't touch? Others?
dotBATman

66 Posts
(Edit - got the time to test this)
The reattach script does not need to select a volume in my setup (Windows 10), just select vdisk and attach vdisk.

There is no need for managing keys - only password needed.
That is easy (easier) to manage!

Note! A recovery key will be created and multiple methods for managing that are available. Keep in mind that if someone gives you one of these volumes it is not enough to change the password to lock them out, they could be holding the recovery key. To be safe you would have to decrypt the volume and reenable bitlocker once more; new recovery key and password.
dotBATman

66 Posts
The disk need to be attached indeed. Thanks for testing and your feedback!
Xme

418 Posts
ISC Handler
Quoting Enos:Does anyone know if administrative rights for these kind of activities can be delegated? (as it is done in Linux with sudo)


Create a scheduled task to be run under SYSTEM or Administrator account and grant the user the permission to run this scheduled task.
Anonymous
Quoting rts:GostCrypt ??


Has all the features and bugs of TrueCrypt too, including http://seclists.org/fulldisclosure/2016/Jan/22
Anonymous
On Windows Windows 10 (and if I remember correctly, 8.1), you don't really need diskpart to (un)mount the drive manually:

- To mount the .vhd just double-click it (or any shortcut to it), it will show UAC/login-as-admin prompt (depending on your settings and account type), then you will get the BitLocker popup;
- To unmount it you can right-click->eject directly from the File Explorer (again UAC/login-as-admin prompt may appear).

Bonus : when you double-click the vhd and it's already mounted, file explorer will open a window pointing to the volume root directly (provided you unlocked the volume).

Works at my workplace on several machines on Win10 Pro x64
IcePanther

1 Posts
Quoting IcePanther:On Windows Windows 10 (and if I remember correctly, 8.1), you don't really need diskpart to (un)mount the drive manually:

- To mount the .vhd just double-click it (or any shortcut to it), it will show UAC/login-as-admin prompt (depending on your settings and account type), then you will get the BitLocker popup;
- To unmount it you can right-click->eject directly from the File Explorer (again UAC/login-as-admin prompt may appear).

Bonus : when you double-click the vhd and it's already mounted, file explorer will open a window pointing to the volume root directly (provided you unlocked the volume).

Works at my workplace on several machines on Win10 Pro x64


Nice point about simple double-click, IcePanther. I had found that Eject works, that is also a lot easier! Too bad we can't use this with regular user access, allthough I certainly see why it has to be this way for virtual hard disks. Would be nice if a virtual USB stick could be made available without admin rights.

I think the Scheduled tasks launched scripts, with permissions to be run by regular (interactive?) users, would provide value in this case, as stated by "Anonymous" above. What if we could make them event driven, so that if a user double-clicks the exact volume it gets mounted by the script? Nah, too complicated - won't be used... But I still believe this can be used for good things, such as a scheduled backup task that runs locally and hides the backup in a bitlocker encrypted volume.
dotBATman

66 Posts

Sign Up for Free or Log In to start participating in the conversation!