[RESOLVED] BitLocker IT infrastructure encryption
Published: Dec 4, 2023 - 2:15 PM
by PaulSLA
Hello,
We would like to implement BitLocker in our company. We found the BitLocker Enable and Audit packages for this purpose.
After several attempts, we managed to get BitLocker Enable working on one workstation, but not on the next three, even though they have the same installation. For BitLocker Audit, we are unable to retrieve the keys in Active Directory or WAPT. We understand that a certificate list is required; could you provide more details?
Where can we find more in-depth documentation on encryption and saving BitLocker keys via WAPT?
Sincerely,
Paul
Re: BitLocker IT Encryption
Published: Dec 5, 2023 - 3:33 PM
by jorico
Hello Paul,
I use the tis-audit-bitlocker package. To display the keys in the WAPT console, you need to edit the package and add the names of the certificates of the users authorized to read the audit data.
Re: BitLocker IT Encryption
Published: Dec 8, 2023 - 1:10 PM
by PaulSLA
Thank you for your reply.
I'm not sure I understand what you mean by "user certificate names." Isn't that managed directly through the WAPT console? A bit like LAPS password encryption in WAPT?
Regards,
Re: BitLocker IT Encryption
Published: Dec 8, 2023 - 2:08 PM
by jorico
Hello Paul,
these are the certificates (linked to your WAPT administrators) that allow you to sign WAPT packages.
Re: BitLocker IT Encryption
Published: Dec 8, 2023 - 3:27 PM
by dcardon
Hello
@PaulSLA, regarding the LAPS by WAPT part, it uses the certificates defined in the agent, so there's no need to add any. However, the BitLocker package was written to explicitly request certificates. It's true that we could also reuse the certificates already deployed.
Regards,
Denis
Re: BitLocker IT Encryption
Published: Dec 11, 2023 - 8:46 AM
by PaulSLA
Good morning,
If I understand your explanations and the package code correctly, I simply need to enter the name of the certificate that can see the audit results:
If my certificate is wapt-crt.crt in C:\wapt\ssl, I must do the following:
target_encryption_method = 7
allow_swap_encryption_method = False # Not implemented yet
decrypt_cert_list = wapt-crt

def install():
    # Adding certificates allowed to decrypt in WAPT
    for cert in decrypt_cert_list:
        cert_path = makepath(WAPT.wapt_base_dir, "ssl", cert)
        if not isfile(cert_path):
            print("Copying: %s" % cert_path)
            filecopyto(cert, cert_path)
And will the script automatically retrieve the certificate for it to function? If I have multiple certificates, should I use commas? Semicolons?
For the BitLocker enable part, I'm getting an error regarding BitLocker Key Protector. Do I need to force the installation of the package on all affected machines, which will remove the BitLocker Key Protector, and then perform a standard installation? Should that work?
Isn't there a way to do this automatically?
Sincerely,
Re: BitLocker IT Encryption
Published: Dec 29, 2023 - 1:17 PM
by PaulSLA
Good morning,
After several attempts on my end, I now get an error during package installation:
Here are the logs:
Traceback (most recent call last):
File "C:\Program Files (x86)\wapt\common.py", line 4010, in install_wapt
setup = import_setup(setup_filename)
File "C:\Program Files (x86)\wapt\waptutils.py", line 1525, in import_setup
py_mod = imp.load_source(modulename, setupfilename)
File "imp.py", line 171, in load_source
File "<frozen importlib._bootstrap>", line 702, in _load
File "<frozen importlib._bootstrap>", line 671, in _load_unlocked
File "<frozen importlib._bootstrap_external>", line 843, in exec_module
File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
File "C:\WINDOWS\TEMP\wapt_3l1xqgx\setup.py", line 73, in <module>
NameError: name 'wapt' is not defined
NameError: name 'wapt' is not defined
"
I simply added the certificate name after "decrypt_cert_list" in the form decrypt_cert_list = certificate_name
Does anyone have any idea what the error might be, unless the package is no longer supported?
Thanks in advance,
Sincerely,
Paul
Re: BitLocker IT Encryption
Published: Jan 3, 2024 - 10:36 AM
by dcardon
Hi Paul,
in Python, the hyphen "-" is interpreted as the subtraction operator. So `wapt-crt` is parsed as `wapt - crt` (the variable `wapt` minus the variable `crt`), hence the message that the variable `wapt` doesn't exist.
There must be some missing quotation marks somewhere.

Denis.
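The NameError above only appears once WAPT imports the setup module, after the package has already been built and pushed. As an added example (not part of this thread, of WAPT or of the tis-audit-bitlocker package), a pre-flight check that parses a setup.py with Python's ast module and rejects the unquoted form before upload; the function name, the messages and the sample sources are my own.

```python
import ast

# Added pre-flight check, not WAPT's code: validate the decrypt_cert_list assignment
# of a setup.py without executing it, so the error surfaces before the package is built.
# The function name and messages are my own; the certificate names below are constructed.

def check_decrypt_cert_list(setup_source):
    """Return (ok, detail): the list of certificate names when ok, otherwise a message."""
    try:
        tree = ast.parse(setup_source)
    except SyntaxError as exc:
        return False, "setup.py does not parse: %s" % exc
    for node in ast.walk(tree):
        if not isinstance(node, ast.Assign):
            continue
        if not any(isinstance(t, ast.Name) and t.id == "decrypt_cert_list" for t in node.targets):
            continue
        value = node.value
        # decrypt_cert_list = wapt-crt parses as BinOp(Name('wapt'), Sub, Name('crt')):
        # syntactically valid, but NameError as soon as the module is imported.
        if isinstance(value, ast.BinOp) and isinstance(value.op, ast.Sub):
            return False, "hyphen read as subtraction; quote the name: ['wapt-crt.crt']"
        # decrypt_cert_list = "wapt-crt.crt": the install() loop would iterate characters.
        if isinstance(value, ast.Constant) and isinstance(value.value, str):
            return False, "bare string; wrap it in a list so the for loop sees one name"
        if not isinstance(value, (ast.List, ast.Tuple)):
            return False, "expected a list of quoted certificate file names"
        names = []
        for elt in value.elts:
            if not (isinstance(elt, ast.Constant) and isinstance(elt.value, str)):
                return False, "every entry must be a quoted certificate file name"
            names.append(elt.value)
        if not names:
            return False, "empty list: nobody would be able to decrypt the audit data"
        return True, names
    return False, "no decrypt_cert_list assignment found"


# Constructed samples mirroring the thread: the failing form and a corrected one.
BROKEN_SETUP = "decrypt_cert_list = wapt-crt\n"
FIXED_SETUP = "decrypt_cert_list = ['wapt-crt.crt', 'admin2.crt']\n"

if __name__ == "__main__":
    for src in (BROKEN_SETUP, FIXED_SETUP):
        print(src.strip(), "->", check_decrypt_cert_list(src))
```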
Re: BitLocker IT Encryption
Published: Jan 3, 2024 - 5:18 PM
by PaulSLA
Good morning,
Thank you, that was it, I found it yesterday. I added quotation marks around the certificate and everything is OK with the audit.
Now we have the BitLocker activation part left. We tried using the package from the store, but it's impossible to get it to work. It's always the same thing:
First installation:
OK: This computer BIOS boot in UEFI mode
OK: TPM chip found on this system
OK: TPM chip ready
Encrypting: C: drive with BitLocker encryption method: XtsAes256
Enable-Bitlocker -MountPoint C: -EncryptionMethod XtsAes256 -SkipHardwareTest -TpmProtector
Traceback (most recent call last):
File "C:\Program Files (x86)\wapt\common.py", line 4083, in install_wapt
exitstatus = setup.install()
File "C:\WINDOWS\TEMP\waptzpc2fp1z\setup.py", line 118, in install
File "C:\Program Files (x86)\wapt\waptutils.py", line 1892, in error
raise EWaptSetupException('Fatal error : %s' % reason)
waptutils.EWaptSetupException: Fatal error : ERROR: The above PowerShell command appears to be unsuccessful.
You can force install this package to remove BitlockerKeyProtector.
EWaptSetupException: Fatal error : ERROR: The above PowerShell command appears to be unsuccessful.
You can force install this package to remove BitlockerKeyProtector.
So I installed it using the force option, and the result was:
OK: This computer BIOS boot in UEFI mode
OK: TPM chip found on this system
OK: TPM chip ready
Encrypting: C: drive with BitLocker encryption method: XtsAes256
Enable-Bitlocker -MountPoint C: -EncryptionMethod XtsAes256 -SkipHardwareTest -TpmProtector
Remove-BitlockerKeyProtector -MountPoint C: -KeyProtectorId "{92D79314-13A0-475E-B8FC-4195EAEDF1E0}"
Traceback (most recent call last):
File "C:\Program Files (x86)\wapt\common.py", line 4083, in install_wapt
exitstatus = setup.install()
File "C:\WINDOWS\TEMP\wapt_03ore3e\setup.py", line 116, in install
File "C:\Program Files (x86)\wapt\waptutils.py", line 1892, in error
raise EWaptSetupException('Fatal error : %s' % reason)
waptutils.EWaptSetupException: Fatal error : BitlockerKeyProtector have been removed on C: please reinstall this package.
EWaptSetupException: Fatal error : BitlockerKeyProtector have been removed on C: please reinstall this package.
That seems fine. So I reinstalled it a second time without the force option, and the result was:
OK: This computer BIOS boot in UEFI mode
OK: TPM chip found on this system
OK: TPM chip ready
Encrypting: C: drive with BitLocker encryption method: XtsAes256
Enable-Bitlocker -MountPoint C: -EncryptionMethod XtsAes256 -SkipHardwareTest -TpmProtector
Traceback (most recent call last):
File "C:\Program Files (x86)\wapt\common.py", line 4083, in install_wapt
exitstatus = setup.install()
File "C:\WINDOWS\TEMP\waptraxa1eek\setup.py", line 118, in install
File "C:\Program Files (x86)\wapt\waptutils.py", line 1892, in error
raise EWaptSetupException('Fatal error : %s' % reason)
waptutils.EWaptSetupException: Fatal error : ERROR: The above PowerShell command appears to be unsuccessful.
You can force install this package to remove BitlockerKeyProtector.
EWaptSetupException: Fatal error : ERROR: The above PowerShell command appears to be unsuccessful.
You can force install this package to remove BitlockerKeyProtector.
And the problem keeps looping; we haven't touched that package. Creating our own package using a PowerShell script works, but each time we update the package, it re-encrypts all the PCs and creates a new recovery key. This quickly becomes a mess.
Any ideas? Unless I've missed a configuration step, like with the audit package?
Sincerely,
Paul
Re: BitLocker IT Encryption
Published: Jan 3, 2024 - 5:55 PM
by jpele
Good morning,
Could you please type the indicated PowerShell command on an affected machine?
Enable-Bitlocker -MountPoint C: -EncryptionMethod XtsAes256 -SkipHardwareTest -TpmProtector
You should know more about the sticking point.
There's a good chance it's a GPO that's blocking it.
Sincerely,
Jimmy