Unlock Bitlocker encrypted volumes #450
Open
petrutlucian94 wants to merge 5 commits into
Just like in case of LUKS (cloudbase#436), we'll let Coriolis users specify a BitLocker recovery password. At the very least it should unlock the OS volume, however it may be used for other encrypted volumes as well. If no encrypted volume could be unlocked using the specified key, Coriolis will error out. In addition to that, we'll temporarily suspend BitLocker on the specified volumes. It won't decrypt the volumes, it merely adds a publicly accessible protector that allows the replica instance to boot. Once the replica instance boots, BitLocker will be resumed automatically and the TPM protector will be reconfigured.
Unfortunately the "-RebootCount" parameter of "Suspend-BitLocker" isn't honored, perhaps due to the fact that the disks are attached to a different VM. For this reason, we'll inject a first-boot script to resume BitLocker explicitly.
claudiubelu
reviewed
Jun 8, 2026
| "Could not unlock volume %s using the specified " | ||
| "recovery password.", | ||
| encrypted_volume_id) | ||
| continue |
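Review bot: the `continue` after the "Could not unlock volume %s using the specified recovery password." message leaves a failed unlock visible only in the log. Consider collecting each failing `encrypted_volume_id` and reporting the full list to the user once the loop ends, so volumes that stayed locked are not mistaken for a clean result when the replica boots.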
We are talking about encrypted data here. Shouldn't we panic / raise a bit more if this is the case? If this is the case (this exception occurred for the additional disks), and we proceed with the OS morphing and replica start, we'll see the VM start and consider that a success, but the other disks are still locked. If the disks are TPM-locked, can they still be recovered / unlocked, if a recovery password was not set up beforehand?
Member
Author
Not really, we mainly care about the OS drive. In most cases, Windows group policies won't even allow re-using the same password for multiple disks.
Coriolis currently logs sensitive information, the executed PowerShell commands among other things: cloudbase#450 (comment) We'll reuse the sanitization helpers from oslo.utils.
We'll use "mask_dict_password" from oslo.utils to sanitize task info and os morphing info dicts. This covers a wide variety of keys that are expected to contain sensitive data, including the ones used for BitLocker and LUKS keys.
We need to resume BitLocker if the os-morphing process fails, otherwise the disks will remain publicly open. "install_encryption_firstboot_setup" is the last method called during os-morphing, we can suspend Bitlocker there and resume it in case of failures. While at it, we'll move "_unlock_encrypted_volumes" next to "_unlock_encrypted_volume".
Just like in case of LUKS (#436), we'll let Coriolis users specify a BitLocker recovery password.
At the very least it should unlock the OS volume, however it may be used for other encrypted volumes as well. If no encrypted volume could be unlocked using the specified key, Coriolis will error out.
In addition to that, we'll temporarily suspend BitLocker on the specified volumes. It won't decrypt the volumes, it merely adds a publicly accessible protector that allows the replica instance to boot.
Once the replica instance boots, BitLocker will be resumed automatically and the TPM protector will be reconfigured.
While at it, we'll use `oslo_utils.strutils.mask_password` and `oslo_utils.strutils.mask_dict_password` in various places to avoid logging sensitive information, such as the Bitlocker recovery key.
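An added example, not code from this pull request, Coriolis or oslo.utils: a standard-library illustration of keeping a recovery password out of logs, combining key-name masking of info dicts with pattern-based redaction of logged command lines (the pattern step is a technique swapped in here, relying on the 48-digit recovery password format). The key name `bitlocker_recovery_password`, the fragment list and every sample value are assumptions constructed for illustration.

```python
import io
import logging
import re

# BitLocker recovery passwords are 48 digits: eight hyphen-separated groups of six.
_RECOVERY_PW = re.compile(r"(?<!\d)\d{6}(?:-\d{6}){7}(?!\d)")
# Assumed key-name fragments; Coriolis' real key names are not shown on the page.
_SENSITIVE_FRAGMENTS = ("password", "passphrase", "secret")
MASK = "***"


def mask_text(text):
    """Redact anything shaped like a recovery password inside free text."""
    return _RECOVERY_PW.sub(MASK, text)


def mask_info(value, key=""):
    """Return a masked copy of a nested dict/list without touching the input."""
    if isinstance(value, dict):
        return {k: mask_info(v, str(k).lower()) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [mask_info(v, key) for v in value]
    if any(frag in key for frag in _SENSITIVE_FRAGMENTS):
        return MASK
    return mask_text(value) if isinstance(value, str) else value


class RecoveryPasswordFilter(logging.Filter):
    """Handler filter: render the record, then redact it before it is emitted."""
    def filter(self, record):
        record.msg = mask_text(record.getMessage())
        record.args = None
        return True


def demo():
    # Constructed sample values, not real keys or real Coriolis data.
    key = "111111-222222-333333-444444-555555-666666-777777-888888"
    info = {"osmorphing_info": {"bitlocker_recovery_password": key,
                                "notes": ["unlock with " + key]}}
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RecoveryPasswordFilter())
    log = logging.getLogger("masking_demo")
    log.addHandler(handler)
    log.warning('Executing: Unlock-BitLocker -MountPoint "%s" '
                "-RecoveryPassword %s", "E:", key)
    log.removeHandler(handler)
    return mask_info(info), stream.getvalue(), key
```

The filter is attached to the handler rather than the logger so that records arriving from child loggers are redacted as well.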