The other day I was working with a client in order to ensure that all the USB keys they handed out internally, were encrypted using bitlocker. In this case, we needed a simple way of encrypting 30-40 new, unused USB sticks without having to go through the GUI for each one. So I started looking into doing this using powershell.
A few Google searches later and I had been through the Microsoft documentation as well as a great post blot.matticus.net where he walks through some of his basic thoughts for creating a usbdrivepretool. All good stuff. But first of all: It wouldn’t run on my system at all (kept throwing various errors). Also it was somewhat over-engineered for my purpose. So I figured that I would have a crack at it myself. How hard could it really be?
My requirements
Basically I just wanted to automate the following simple task. I don’t need something highly complex. And I don’t need it to work for other purposes
- I must enter enter a drive letter.
- Script must format the USB stick.
- Script must encrypt the USB stick using Bitlocker.
- All the USB sticks should have the same password.
- All the USB sticks should have the same volume label.
Considerations
Filesystem: To FAT or not to FAT.
By default a USB key is formatted with FAT32. This is an old school file system, which has a few limitation. The reason most USB sticks are still shipped with FAT32 i suspect, is due to backwards and cross platform compatability. When using FAT32, it will work with your old computer, with your smart TV and your new Macbook.
One of the downsides however, is that you cannot store files larger than 4GB/file on a FAT32 FS. A problem if you’re storing large zip archives or movies – Otherwise not really (in the case of my users). Still, I strongly considered using NTFS instead, as we’re talking about USB keys with Bitlocker (i.e. intended for Windows users), so the cross platform and backwards compatibility doesn’t really apply anyway. But I ended up keeping them FAT32 for now.
Recovery password
I specifically didn’t want a recovery password. Even though this may be good practice when encrypting, well – basically any normal drive. In this case however, all the drives are cheap 8GB USB sticks and they all have the same password. If, for some odd reason, the drive cannot be accessed. I would simply re-roll it. So it doesn’t matter whether I have the recovery password – and it would add a level of complexity, managing the devices, which just isn’t required here.
The script
Lets dive into it. The script. After I create my bitlockusb.ps1 file. The first thing i want is to be able to set the drive letter of my USB drive. Simply asking for the drive letter would suffice. To make it a bit easier to use, however, I want to be able to parse the variable when running the script. I.e.
|
1 |
bitlockusb.ps1 e: |
This can be done easily by reading the parameter using Read-Host as such.
|
1 2 3 |
param ( [string]$thisDriveletter = $( Read-Host "What drive do you want to format and bitlock?" ) ) |
Moving on a want a few other variables containing the static password and the label name.
|
1 2 3 4 5 |
# Volume label for the USB stick $thisVolumeLabel = "MY USB stick"; # Creating secure password string for use in script $pass = ConvertTo-SecureString "seCretPassW0rd" -AsPlainText -Force |
Then I need the drive as an object, so that we can work with it down the line.
|
1 2 |
# Getting drive information object $drive = Get-WmiObject -Class win32_volume -Filter "DriveLetter = '$thisDriveletter'" |
The Get-WmiObject contains a bunch of interesting things. Try running this from a powershell prompt, and you will see on the information (or “properties”) for this object. You may be able to use some of them in your own implementation.
|
1 |
Get-WmiObject -Class win32_volume -Filter "DriveLetter = 'c:'" |
Doing the business
First we want to format the drive. The reason for this is, that we will have Bitlocker encrypt used-disk-space-only. The effect is that the encryption process is fully completed in less then a minute, given that the USB stick is empty (thus the formatting). If the USB stick has files on it, this process can take much longer.
|
1 |
$drive.Format("FAT32",$true,4096,"$thisVolumeLabel",$false) |
After that, we start encrypting the drive. We’ll go with an AES256 encryption.
|
1 |
Enable-BitLocker -MountPoint $thisDriveletter -EncryptionMethod Aes256 -UsedSpaceOnly -Password $pass -PasswordProtector |
When the command is done, the encryption process isn’t actually complete. And we don’t want someone to remove the drive, while that’s going on.
Now, you can always tell the state of the encryption process by typing manage-bde -status e:Â (if e: is your drive-letter). But we don’t want to keep checking that manually.
So instead we’ll create a “while”-statement to listen and output something while we wait for it to complete. So while the percentage is less then 100%, write on the screen…
|
1 2 3 |
while ((Get-BitLockerVolume -MountPoint $thisDriveletter).EncryptionPercentage -lt 100){ Write-Host "still working on it..." } |
Then when it’s done, it’s always nice with a status. So it seems suiting to use the manage-bde -status  command here.
|
1 |
manage-bde -status $thisDriveletter |
A tiny level of safety
So in order not to mistakenly format some random drive, we’ll want a dialogue to prompt us if we are sure – before the scripts does it’s thing. So let’s wrap everything in the “doing the business” section of this article, in the following if statement:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# Ask for confirmation and then format the drive $message = "This will erase all data on your $thisDriveletter drive" $question = "Are you sure you want to proceed?" $choices = New-Object Collections.ObjectModel.Collection[Management.Automation.Host.ChoiceDescription] $choices.Add((New-Object Management.Automation.Host.ChoiceDescription -ArgumentList '&Yes')) $choices.Add((New-Object Management.Automation.Host.ChoiceDescription -ArgumentList '&No')) $decision = $Host.UI.PromptForChoice($message, $question, $choices, 1) if ($decision -eq 0) { CODE HERE!! } else { Write-Host "Operation cancelled" } |
Then it won’t be that dangerous.
The complete script
Adding a few comments and some explanatory output, the complete scripts looks as follows.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
#================================================================== # Bitlocking USB keys # 2017-11-13 : created by TRA, NHL Data #=================================================================== # USAGE example: bitlockusb.ps1 e: # Otherwise will prompt for driveletter #=================================================================== param ( [string]$thisDriveletter = $( Read-Host "What drive do you want to format and bitlock?" ) ) clear # ========================== # Setting variables # ========================== # Volume label for the USB stick $thisVolumeLabel = "My USB Stick"; # Creating secure password string for use in script $pass = ConvertTo-SecureString "seCretPassW0rd" -AsPlainText -Force # Getting drive information object $drive = Get-WmiObject -Class win32_volume -Filter "DriveLetter = '$thisDriveletter'" # ========================== # Start script # ========================== # Ask for confirmation and then format the drive $message = "This will erase all data on your $thisDriveletter drive" $question = "Are you sure you want to proceed?" $choices = New-Object Collections.ObjectModel.Collection[Management.Automation.Host.ChoiceDescription] $choices.Add((New-Object Management.Automation.Host.ChoiceDescription -ArgumentList '&Yes')) $choices.Add((New-Object Management.Automation.Host.ChoiceDescription -ArgumentList '&No')) $decision = $Host.UI.PromptForChoice($message, $question, $choices, 1) if ($decision -eq 0) { Write-Host "Formatting $thisDriveletter..." # formatting drive $drive.Format("FAT32",$true,4096,"$thisVolumeLabel",$false) # encrypting drive Write-Host "Bitlocking $thisDriveletter..." Enable-BitLocker -MountPoint $thisDriveletter -EncryptionMethod Aes256 -UsedSpaceOnly -Password $pass -PasswordProtector # while waiting, show some dots while ((Get-BitLockerVolume -MountPoint $thisDriveletter).EncryptionPercentage -lt 100){ Write-Host "still working on it..." } # when done, show status manage-bde -status $thisDriveletter } else { Write-Host "Operation cancelled" } |
I’m fairly happy with it. Sure, I could think of a number of way to extend it. Make it more clever. Perhaps having it ask again at the end, if you have another drive to format and encrypt. Perhaps making the FS selectable. Perhaps verify that the drive is actually available before it runs, and much much more. So it’s by no mean idiot proof. But for now, and for me, it’s sufficient.
It obviously requires an elevated powershell prompt, aswell as an unencrypted (USB) drive as the target.
Enjoy.
