[Solved] Secure Erase on Disposal for BitLocker Encrypted Clients

PBA Secure Erase and Remote Wipe for Microsoft BitLocker

Did you ever try to dispose of or resell a BitLocker encrypted client? You will need external erase / disposal tools, boot from a USB stick and invest a lot of time in clearing every single device that is about to leave the company.

But it could be so easy, as all data sectors are already strongly encrypted. You just need to delete all BitLocker protectors (the internal keys that grant access to the volume encryption key) at once.

Luckily the command line tool manage-bde.exe can be used to delete protectors. But unfortunately, once you reach the last protector the tool refuses to delete it. The reason is clear: if you did, your client would not boot any more… But that’s exactly what we want!!!

Check the protectors on your Windows partition:

PS C:\> manage-bde -protectors -get C:

Delete a password protector from your Windows partition:

PS C:\> manage-bde -protectors -delete C: -type password

Add a password protector to your Windows partition. After the command you are prompted for a password:

PS C:\> manage-bde -protectors -add C: -password

For testing I recommend creating a virtual partition of a few GB and activating BitLocker on it, so you can play with the manage-bde.exe command line tool without touching your Windows partition.
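As an added example that is not part of the original post: the same disposal steps scripted with the BitLocker PowerShell cmdlets (Get-BitLockerVolume, Remove-BitLockerKeyProtector) against such a test volume, writing a small disposal record for later audit. The mount point T:, the report path and the report field names are assumptions. Two checks a practitioner wants before relying on this: the volume must report FullyEncrypted (a volume encrypted with "used space only" still carries older free-space remnants in plaintext), and any recovery password escrowed to Active Directory, Entra ID or a Microsoft account must be deleted there as well, otherwise the volume stays recoverable from that copy. The last removal is expected to fail, as the post describes for manage-bde; the script records the error instead of aborting.

```powershell
# Added example, not from the original post: record and remove the protectors
# of a BitLocker test volume and write a disposal report.
# Assumptions: T: is a small test data volume (as the post recommends), the
# report path is arbitrary, and the session runs as a local administrator.
param(
    [string]$MountPoint = 'T:',                                   # assumption: test volume
    [string]$ReportPath = "$env:TEMP\bitlocker-disposal.json"     # assumption: report location
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Deleting protectors only makes the data unreadable if every sector is
# actually encrypted; refuse to continue on a partially encrypted volume.
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    throw "Volume $MountPoint is '$($vol.VolumeStatus)'; only a fully encrypted volume can be disposed of by deleting its protectors."
}

# Disposal record: which protectors existed and which were removed.
$report = [ordered]@{
    Computer   = $env:COMPUTERNAME
    Volume     = $MountPoint
    Timestamp  = (Get-Date).ToString('o')
    Protectors = @()
}

foreach ($kp in $vol.KeyProtector) {
    $entry = [ordered]@{
        Type    = "$($kp.KeyProtectorType)"
        Id      = $kp.KeyProtectorId
        Removed = $false
        Error   = $null
    }
    try {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
        $entry.Removed = $true
    } catch {
        # The last protector is refused; keep the error text in the record.
        $entry.Error = $_.Exception.Message
    }
    $report.Protectors += $entry
}

# Re-read the volume so the report states what is actually left behind.
$remaining = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector
$report.RemainingProtectors = @($remaining).Count
$report.RemainingTypes      = @($remaining | ForEach-Object { "$($_.KeyProtectorType)" })

$report | ConvertTo-Json -Depth 4 | Set-Content -Path $ReportPath -Encoding UTF8
Write-Host "Disposal report written to $ReportPath ($($report.RemainingProtectors) protector(s) remaining)"
```

Run it as `.\Dispose-TestVolume.ps1 -MountPoint T:` from an elevated PowerShell session; the JSON report lists every protector by type and ID, whether it was removed, and how many remain, which is the evidence an auditor will ask for. Treat a report with one remaining protector plus an escrowed recovery password as not yet disposed of.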

Secure Erase for Microsoft BitLocker – Integrated Function in Secure Disk for BitLocker

To support enterprises and their client lifecycle management, Secure Disk for Enterprise includes a remote wipe function to securely erase all encryption keys on a Microsoft BitLocker encrypted client. Moreover, a centrally stored compliance report lets you identify wiped clients in case of an audit.

Secure Disk for BitLocker is a strong tool to fulfill EU-GDPR requirements and gives great compliance possibilities to prevent data breach notifications.
