Control BitLocker drives on your Smartphone

Nowadays it is strongly recommended to use encryption software to protect your hard disk drives against unauthorized access.

Well, to be honest, unauthorized access doesn’t mean that you can really prevent the #NSA or #CIA from accessing your drives. But you can at least make their job a bit more challenging ;).

However… I prefer to use Microsoft BitLocker for all of my home network clients, even though Microsoft recently removed the “Elephant diffuser” from BitLocker.
BitLocker provides a lot of useful WMI methods which enable you to manage the entire BitLocker workflow.

In my case, I was just missing the possibility to manage my home clients’ drives from a simple Android smartphone.

So, what would be one of the best approaches to do so?
Obviously something simple but still secure to use.
I’ve decided to develop an ASP.NET based REST API with user authentication and authorization using OAuth 2.0.

So what do we need?

Infrastructure Devices:

  • Android Smartphone (or another Client)
  • Microsoft Windows Clients with BitLocker encrypted hard disk drives
  • At least one Microsoft Windows Server
  • Router

Software:

  • IIS 7.5 or newer (hosted on the MS Windows Server)
  • MSSQL Database (hosted on the MS Windows Server or standalone DB Server)
    To store user information such as login credentials
  • ASP.NET REST API / OAuth 2.0 application
    To manage the requests of the Smartphone and to execute actions
  • SSL certificate
    To secure the communication channel between Smartphone and IIS Server
  • Android Application
    To take actions (e.g. Lock Drive)

OVERVIEW

The implementation is not that complicated. First of all, you have to make sure that you can register users, which should then be able to receive an OAuth token to control the clients.

In a standard ASP.NET 4.0 MVC web application with Web API, a lot of predefined classes are already available.
The first controller class we should modify is “AccountController.cs”, to handle registration events.
Afterwards we customize the login methods to work with the OAuth protocol, as well as the WMI RPC methods to control BitLocker.

I don’t want to explain in depth how to set up an ASP.NET application.
That’s why I would like to refer to the official asp.net website:

Secure a Web API with Individual Accounts and Local Login in ASP.NET Web API 2.2

(This is also the sample project my project is based on, with a few modifications.)

Let’s come directly to the important part.
1. How to control BitLocker on our clients?

1. Create a new controller or modify the existing Values controller to match our needs.
1.1 Control BitLocker – Get Drives (HTTP GET)

1.2 Control BitLocker – Lock Drive (HTTP POST)

Of course you can also implement more WMI methods, e.g. to encrypt, decrypt or unlock your drives. Feel free to do so!
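As an added example (not the post’s own controller code), here is how steps 1.1 and 1.2 can be implemented with System.Management against the Win32_EncryptableVolume WMI class; the controller name, the routes and the use of attribute routing are my assumptions, and the example also validates the drive letter before it is placed into the WQL query.

```csharp
using System.Collections.Generic;
using System.Management;
using System.Text.RegularExpressions;
using System.Web.Http;

// Added example, not the post's own controller. Needs a reference to System.Management.dll
// and attribute routing (config.MapHttpAttributeRoutes()) as in the Web API 2.2 sample.
[Authorize] // only requests carrying a valid OAuth bearer token reach these actions
public class BitLockerController : ApiController
{
    // The app-pool identity needs "Enable Account" and "Execute Methods" here; grant it with
    // wmimgmt.msc on root\cimv2\security including sub-namespaces, as this class lives below it.
    private const string Scope = @"root\CIMV2\Security\MicrosoftVolumeEncryption";
    // 1.1 Get Drives: GET api/bitlocker/drives
    [HttpGet, Route("api/bitlocker/drives")]
    public IHttpActionResult GetDrives()
    {
        var drives = new List<object>();
        var q = new ManagementObjectSearcher(Scope, "SELECT * FROM Win32_EncryptableVolume");
        foreach (ManagementObject vol in q.Get())
        {
            var prot = vol.InvokeMethod("GetProtectionStatus", null, null); // 0 off, 1 on, 2 unknown
            var lck = vol.InvokeMethod("GetLockStatus", null, null);        // 0 unlocked, 1 locked
            drives.Add(new { DriveLetter = (string)vol["DriveLetter"],
                             ProtectionStatus = (uint)prot["ProtectionStatus"],
                             LockStatus = (uint)lck["LockStatus"] });
        }
        return Ok(drives);
    }
    // 1.2 Lock Drive: POST api/bitlocker/lock?driveLetter=D:
    [HttpPost, Route("api/bitlocker/lock")]
    public IHttpActionResult LockDrive(string driveLetter)
    {
        // Whitelist the value before it goes into WQL; never concatenate raw client input.
        if (driveLetter == null || !Regex.IsMatch(driveLetter, "^[A-Za-z]:$"))
            return BadRequest("driveLetter must look like 'D:'");
        var q = new ManagementObjectSearcher(Scope,
            "SELECT * FROM Win32_EncryptableVolume WHERE DriveLetter = '" + driveLetter.ToUpper() + "'");
        foreach (ManagementObject vol in q.Get())
        {
            var inParams = vol.GetMethodParameters("Lock");
            inParams["ForceDismount"] = false; // fail if the volume is in use instead of force-dismounting
            var outParams = vol.InvokeMethod("Lock", inParams, null);
            uint rc = (uint)outParams["ReturnValue"]; // 0 = S_OK; the OS volume cannot be locked
            return rc == 0 ? (IHttpActionResult)Ok() : BadRequest("Lock failed, HRESULT 0x" + rc.ToString("X8"));
        }
        return NotFound(); // no encryptable volume with that letter on this client
    }
}
```

If the app-pool identity lacks the namespace permissions described in the deployment step, the searcher throws a ManagementException with access denied, which is the quickest way to verify the wmimgmt.msc grant.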

After we have completed the development of the ASP.NET application, we have to deploy the app to our server.
In my case it is an IIS 7.5 server.
You also have to change the identity of the application pool from its default.
Create a new user without(!) administrative privileges and grant this user permission to execute WMI methods in the namespace “root\cimv2\security” using wmimgmt.msc.
Normally only administrators have access to execute methods within the security namespace.
But we really don’t want to run the application pool with administrative privileges, due to security concerns!

That’s all =).

Ok, it’s not… You also have to create a client that consumes the REST API, e.g. an Android application that calls our service methods.
As an inspiration, you can have a look at my Android app below.
It is able to lock and unlock all the drives of my clients after a successful authentication.

One last remark:

Please really make sure that you have used a strong authentication and authorization mechanism in your ASP.NET application, to avoid unauthorized access!

Post author

I'm an executive M.Sc. with over 10 years experience in software development and engineering.