Control BitLocker drives on your Smartphone

Nowadays it is strongly recommended to use encryption software to protect your hard disk drives against unauthorized access.

Well, to be honest, unauthorized access doesn’t mean that you can really prevent the #NSA or #CIA from accessing your drives. But that is also not our intent.

I prefer to use Microsoft BitLocker for all of my home network clients, even though Microsoft recently removed the “Elephant diffuser” from BitLocker.
BitLocker provides a lot of useful WMI methods that let you manage the entire BitLocker workflow.

In my case, I was just missing a way to manage my home clients’ drives from a simple Android smartphone.

So, what would be one of the best approaches to do so?
Obviously something simple, but still secure.
I’ve decided to develop an ASP.NET-based REST API with user authentication and authorization using OAuth 2.0.

So what do we need?

Infrastructure Devices:

  • Android Smartphone (or another Client)
  • Microsoft Windows Clients with BitLocker encrypted hard disk drives
  • At least one Microsoft Windows Server
  • Router
  • IIS 7.5 or newer (hosted on the MS Windows Server)
  • MSSQL Database (hosted on the MS Windows Server or standalone DB Server)
    To store user information such as login credentials
  • ASP.NET REST API / OAuth 2.0 application
    To manage the requests of the Smartphone and to execute actions
  • SSL certificate
    To secure the communication channel between Smartphone and IIS Server
  • Android Application
    To take actions (e.g. Lock Drive)


The implementation is not that complicated. First of all, you have to make sure that you can register users, who should then be able to receive an OAuth bearer token for their further requests.

In a standard ASP.NET 4.0 MVC web application with Web API, a lot of predefined classes are already available.
The first controller class we modify is “AccountController.cs”, in order to handle registration.
After that, we customize the login methods to work with the OAuth 2 protocol, and add the WMI (RPC) methods that control BitLocker.

I don’t want to explain in depth how to set up an ASP.NET application.
That’s why I would rather refer to the official walkthrough:

Secure a Web API with Individual Accounts and Local Login in ASP.NET Web API 2.2

(This is also the sample project my project is based on, with a few modifications.)

Let’s come directly to the important part.
1. How to control BitLocker on our clients?

1. Create a new controller, or modify the existing values controller to match our needs.
1.1 Control BitLocker – Get Drives (HTTP GET)

1.2 Control BitLocker – Lock Drive (HTTP POST)

Of course you can also use more WMI methods, e.g. to encrypt, decrypt, unlock, … your drives. Feel free to do so!
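The two controller actions from steps 1.1 and 1.2, written out as an added example (this is not the post’s own code, whose listings are not part of this page). It assumes an ASP.NET Web API 2 project with attribute routing enabled and bearer-token authentication already wired up as in the linked Microsoft sample, a reference to `System.Management.dll`, and that the application pool identity has been granted “Enable Account” and “Execute Methods” on the BitLocker WMI namespace. The class names `BitLockerController`, `DriveInfo` and `LockRequest`, and the routes `api/bitlocker/drives` and `api/bitlocker/lock`, are this example’s own choices; `Win32_EncryptableVolume` and its `GetProtectionStatus`, `GetLockStatus` and `Lock` methods are the real WMI provider interface.

```csharp
// Added example: Web API 2 controller exposing "Get Drives" (GET) and "Lock Drive" (POST)
// on top of the Win32_EncryptableVolume WMI class. Not the post's original code.
// Assumes: Web API 2 attribute routing (config.MapHttpAttributeRoutes()), bearer-token auth,
// System.Management.dll referenced, and WMI namespace rights for the app-pool identity.
using System;
using System.Collections.Generic;
using System.Management;
using System.Web.Http;

namespace BitLockerApi.Controllers
{
    // Shape of a drive entry returned to the phone (names chosen for this example).
    public class DriveInfo
    {
        public string DriveLetter { get; set; }
        public uint ProtectionStatus { get; set; } // 0 = protection off, 1 = on, 2 = unknown
        public uint LockStatus { get; set; }       // 0 = unlocked, 1 = locked
    }

    public class LockRequest
    {
        public string DriveLetter { get; set; }    // e.g. "D:"
    }

    [Authorize] // only requests carrying a valid OAuth 2.0 bearer token reach the actions
    [RoutePrefix("api/bitlocker")]
    public class BitLockerController : ApiController
    {
        // The BitLocker provider lives below root\CIMV2\Security, the namespace mentioned in the post.
        private const string Namespace = @"root\CIMV2\Security\MicrosoftVolumeEncryption";

        private static ManagementObjectCollection QueryVolumes(string whereClause)
        {
            var scope = new ManagementScope(new ManagementPath(@"\\.\" + Namespace));
            scope.Connect();
            var query = new ObjectQuery("SELECT * FROM Win32_EncryptableVolume" + whereClause);
            return new ManagementObjectSearcher(scope, query).Get();
        }

        // Invokes a parameterless WMI status method and reads its single uint out-parameter.
        private static uint CallStatusMethod(ManagementObject volume, string method, string outName)
        {
            ManagementBaseObject result = volume.InvokeMethod(method, null, null);
            return (uint)result[outName];
        }

        // 1.1 Get Drives: GET api/bitlocker/drives
        [HttpGet, Route("drives")]
        public IEnumerable<DriveInfo> GetDrives()
        {
            var drives = new List<DriveInfo>();
            foreach (ManagementObject volume in QueryVolumes(""))
            {
                drives.Add(new DriveInfo
                {
                    DriveLetter = (string)volume["DriveLetter"],
                    ProtectionStatus = CallStatusMethod(volume, "GetProtectionStatus", "ProtectionStatus"),
                    LockStatus = CallStatusMethod(volume, "GetLockStatus", "LockStatus"),
                });
            }
            return drives;
        }

        // 1.2 Lock Drive: POST api/bitlocker/lock with JSON body {"DriveLetter":"D:"}
        [HttpPost, Route("lock")]
        public IHttpActionResult LockDrive(LockRequest request)
        {
            // Accept only "X:" before the value is placed into a WQL string; this is the
            // input validation that keeps a caller from injecting arbitrary WQL.
            if (request == null || string.IsNullOrEmpty(request.DriveLetter)
                || request.DriveLetter.Length != 2
                || !char.IsLetter(request.DriveLetter[0]) || request.DriveLetter[1] != ':')
            {
                return BadRequest("DriveLetter must look like \"D:\"");
            }
            string letter = request.DriveLetter.ToUpperInvariant();

            foreach (ManagementObject volume in QueryVolumes(" WHERE DriveLetter = '" + letter + "'"))
            {
                // Lock(ForceDismount): false refuses to lock while the volume is still in use.
                ManagementBaseObject inParams = volume.GetMethodParameters("Lock");
                inParams["ForceDismount"] = false;
                ManagementBaseObject outParams = volume.InvokeMethod("Lock", inParams, null);
                uint rc = (uint)outParams["ReturnValue"];
                // 0 = success; anything else is a BitLocker error code (e.g. the volume is
                // not encrypted, already locked, or is the running OS volume, which cannot be locked).
                return rc == 0
                    ? (IHttpActionResult)Ok()
                    : InternalServerError(new InvalidOperationException("Lock failed with code 0x" + rc.ToString("X8")));
            }
            return NotFound(); // no encryptable volume with that letter on this machine
        }
    }
}
```

The `[Authorize]` attribute is what ties this controller to the bearer-token setup from the linked sample: without a valid token the request never reaches the WMI calls. Keeping the drive-letter check strict matters because the letter is concatenated into a WQL query; rejecting anything but `X:` is simpler and safer than trying to escape it.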

After we have finished developing the ASP.NET application, we have to deploy it to our server.
In my case it is a Windows Server running IIS 7.5.

Create a new user without(!) administrative privileges and grant this user permission to execute WMI methods in the namespace “root\cimv2\security” using wmimgmt.msc.
Usually only administrators are allowed to execute methods within the security namespace.
But we really don’t want to run the application pool with administrative privileges, for obvious security reasons!

That’s all =).

OK, it’s not… You also have to create a client that consumes the REST API, e.g. an Android application that calls our service methods.
As an inspiration, I added some screenshots of my Android app below.
The app is able to lock and unlock all drives of my clients after a successful authentication.

One more remark:

Please make really sure that your ASP.NET application uses a strong authentication and authorization mechanism, to avoid unauthorized access!

Post author

I'm an executive M.Sc. with over 12 years experience in cloud architecture / software development and software engineering.