locked
How to determine whether a volume is encrypted with bitlocker using Win32 API? RRS feed

  • Question

  • Hello,

    Is there a way within the Win32 API to determine whether a volume is encrypted with BitLocker?  Are there any special privs required to determine this answer?  GetVolumeInformation() reports whether the volume will support encryption, but does not specifically speak to BitLocker.

    Thank you for your help!
    Mike
    Monday, October 12, 2009 12:10 AM

Answers

  • There are two WMI methods that can be used to determine whether a volume is BitLockered: GetEncryptionMethod and GetProtectionStatus.  I wrote a script and ran it with my BitLockered volume locked, unlocked, and I ran it against a non-BitLocker volume.  Here are the results:

    Volume              Encryption        Protection
    Status                Method             Status
    ----------------------------------------------
    LOCKED                 1                    2
    UNLOCKED             1                    1
    ----------------------------------------------
    NOT BITLOCKED     0                    0

    So,

    GetEncryptionMethod is great to simply answer the question of whether or not a volume is BitLocker encrypted.

    GetProtectionStatus is great to answer whether the volume is locked or unlocked. 

    GetEncryptionMethod's indication of a volume not being encrypted is definitive, whereas GetProtectionStatus' indication of zero simply means that protection is off (unencrypted, partially encrypted, or the encryption key is available in the clear on the hard drive).

    Here is a little vbs script that I used for my analysis:

    dim emval, em, psval, ps, drv
    arrComputers = Array(".")
    For Each strComputer In arrComputers

      Set objWMIService = GetObject("winmgmts:\\" & strComputer _
                     & "\root\CIMV2\Security\MicrosoftVolumeEncryption")

      Set volumes = objWMIService.InstancesOf("Win32_EncryptableVolume")

      for each volume In volumes
          emval = volume.GetEncryptionMethod(em)
          psval = volume.GetProtectionStatus(ps)
          drv = volume.DriveLetter
          WScript.Echo drv, "em=", em, "ps=", ps
      Next
    Next


    ================================================
    Alternatively, I've just found the following Win32 function, which requires
    at least Vista.


    DetectEncryptedVolume Function

    Determines whether the volume is encrypted with BitLocker technology. If the volume is encrypted, the function determines whether it is unlocked.

    Syntax
    C++ BOOL WINAPI DetectEncryptedVolume(
      __in   PFILE_RESTORE_CONTEXT Context,
      __out  PDWORD VolumeEncryptionInfo
    );
    Parameters
    Context [in]
    A pointer to the file restore context that was created by calling the CreateFileRestoreContext function.

    VolumeEncryptionInfo [out]
    The status of the volume. The value can be VOLUME_INFO_ENCRYPTED or VOLUME_INFO_LOCKED.

    Return Value
    If the function succeeds, the return value is nonzero.

    If the function fails, the return value is zero. To get extended error information, call GetLastError.

    Requirements
    Minimum supported client Windows Vista
    Minimum supported server Windows Server 2008
    Header Fmapi.h
    Library Fmapi.lib
    DLL Fmapi.dll

    • Proposed as answer by Fisnik Hasani Wednesday, October 14, 2009 5:32 PM
    • Edited by ABOHAK Thursday, October 15, 2009 9:05 AM
    • Marked as answer by ABOHAK Thursday, October 15, 2009 9:05 AM
    Wednesday, October 14, 2009 7:03 AM

All replies

  • Hello Mike:

    You can use the Win32_EncryptableVolume Class and you can use
    it through the Windows Management Instrumentation (WMI), here you
    can check for Win32_Tpm class and Win32_EncryptableVolume class

    For further reading
    Security WMI Providers (MSDN Library)
    BitLocker Drive Encryption Provider (MSDN Library)
    Detecting BitLocker (MSDN Blog).

    I hope the above helps...

    Have a nice day...

    Best regards,
    Fisnik

    Coder24.com
    • Proposed as answer by Fisnik Hasani Wednesday, October 14, 2009 5:32 PM
    Monday, October 12, 2009 4:34 PM
  • Hi Fisnik,

    Thank you for the great information!  From it, and my other research, here is what I have learned:

    1) There is no direct Win32 API method to determine whether a volume is BitLocker'ed;

    2) The preferred method to detect BitLocker Drives is using WMI GetEncryptionMethod in the Win32_EncryptableVolume Class:
    http://msdn.microsoft.com/en-us/library/aa376434(VS.85).aspx

    3) An alternative method, but discouraged: Detecting BitLocker drives via hard drive signature:
    http://blogs.msdn.com/si_team/archive/2006/10/26/detecting-bitlocker.aspx

    Time to get coding!

    Have a great day!

    Mike

    Wednesday, October 14, 2009 5:01 AM
  • Hello Mike:

    Wonderful, and now you will start off by coding it.
    BTW, Is this thread solved now?

    Please tell me!

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Wednesday, October 14, 2009 5:24 AM
  • There are two WMI methods that can be used to determine whether a volume is BitLockered: GetEncryptionMethod and GetProtectionStatus.  I wrote a script and ran it with my BitLockered volume locked, unlocked, and I ran it against a non-BitLocker volume.  Here are the results:

    Volume              Encryption        Protection
    Status                Method             Status
    ----------------------------------------------
    LOCKED                 1                    2
    UNLOCKED             1                    1
    ----------------------------------------------
    NOT BITLOCKED     0                    0

    So,

    GetEncryptionMethod is great to simply answer the question of whether or not a volume is BitLocker encrypted.

    GetProtectionStatus is great to answer whether the volume is locked or unlocked. 

    GetEncryptionMethod's indication of a volume not being encrypted is definitive, whereas GetProtectionStatus' indication of zero simply means that protection is off (unencrypted, partially encrypted, or the encryption key is available in the clear on the hard drive).

    Here is a little vbs script that I used for my analysis:

    dim emval, em, psval, ps, drv
    arrComputers = Array(".")
    For Each strComputer In arrComputers

      Set objWMIService = GetObject("winmgmts:\\" & strComputer _
                     & "\root\CIMV2\Security\MicrosoftVolumeEncryption")

      Set volumes = objWMIService.InstancesOf("Win32_EncryptableVolume")

      for each volume In volumes
          emval = volume.GetEncryptionMethod(em)
          psval = volume.GetProtectionStatus(ps)
          drv = volume.DriveLetter
          WScript.Echo drv, "em=", em, "ps=", ps
      Next
    Next


    ================================================
    Alternatively, I've just found the following Win32 function, which requires
    at least Vista.


    DetectEncryptedVolume Function

    Determines whether the volume is encrypted with BitLocker technology. If the volume is encrypted, the function determines whether it is unlocked.

    Syntax
    C++ BOOL WINAPI DetectEncryptedVolume(
      __in   PFILE_RESTORE_CONTEXT Context,
      __out  PDWORD VolumeEncryptionInfo
    );
    Parameters
    Context [in]
    A pointer to the file restore context that was created by calling the CreateFileRestoreContext function.

    VolumeEncryptionInfo [out]
    The status of the volume. The value can be VOLUME_INFO_ENCRYPTED or VOLUME_INFO_LOCKED.

    Return Value
    If the function succeeds, the return value is nonzero.

    If the function fails, the return value is zero. To get extended error information, call GetLastError.

    Requirements
    Minimum supported client Windows Vista
    Minimum supported server Windows Server 2008
    Header Fmapi.h
    Library Fmapi.lib
    DLL Fmapi.dll

    • Proposed as answer by Fisnik Hasani Wednesday, October 14, 2009 5:32 PM
    • Edited by ABOHAK Thursday, October 15, 2009 9:05 AM
    • Marked as answer by ABOHAK Thursday, October 15, 2009 9:05 AM
    Wednesday, October 14, 2009 7:03 AM
  • Hi Mike:

    Thanks for sharing!

    Is this thread solved?

    Please tell me!

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Wednesday, October 14, 2009 5:32 PM
  • Requesting you to post a code using VB 2010
    Monday, January 30, 2012 8:56 AM