SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(bitlocker): add recovery-password protector + save key (TPM+PIN-only was unrecoverable) #12

Merged
SilverLABS merged 1 commits from fix/bitlocker-recovery-key into main 2026-06-09 20:24:36 +00:00
Conversation 0 Commits 1 Files Changed 1 +10
SilverLABS commented 2026-06-09 19:15:55 +00:00
Owner
Copy Link

VM e2e milestone + a real product fix.

Milestone: with the Explorer pivot (#11), the full wizard ran end-to-end — rendered, flavour → account → prefs → apply, enrolled BitLocker TPM+PIN, rebooted to the pre-boot PIN prompt. 🎉

Bug it exposed: BitLockerService enrolled TPM+PIN with no recovery-password protector and removed the TPM-only one — so a forgotten/mistyped PIN leaves the drive unrecoverable. We hit exactly that on the VM (PIN rejected at pre-boot, no way back). On real hardware that's a brick.

Fix: after confirming the TPM+PIN protector, add a RecoveryPassword protector and save the 48-digit key to C:\ProgramData\SilverMetal\bitlocker-recovery.txt and to the unencrypted EFI System Partition (Q:\SilverMetal-Recovery.txt) — the ESP is readable even when the OS volume is BitLocker-locked, so the key is recoverable offline (and lets me verify the enrolled state on the next VM run).

The PIN-capture path itself is verified correct (string → ConvertTo-SecureStringEnable-BitLocker -Pin, named args, no mangling) — the VM pre-boot rejection was an input artifact (masked field over noVNC / OVMF F-key mapping), not a code bug.

Follow-up (product): escrow the recovery key to SilverSync + display it in the wizard's Done step so the end-user records it before finishing. Tracked, not in this PR.

Verified: welcome solution builds, 29/29 tests pass. Next: rebuild → restage → retest the wizard with a deliberate PIN; the recovery key is now the safety net.

🤖 Generated with Claude Code

VM e2e milestone + a real product fix. **Milestone:** with the Explorer pivot (#11), the **full wizard ran end-to-end** — rendered, flavour → account → prefs → apply, **enrolled BitLocker TPM+PIN**, rebooted to the pre-boot PIN prompt. 🎉 **Bug it exposed:** `BitLockerService` enrolled **TPM+PIN with no recovery-password protector** and removed the TPM-only one — so a forgotten/mistyped PIN leaves the drive **unrecoverable**. We hit exactly that on the VM (PIN rejected at pre-boot, no way back). On real hardware that's a brick. **Fix:** after confirming the TPM+PIN protector, add a `RecoveryPassword` protector and save the 48-digit key to `C:\ProgramData\SilverMetal\bitlocker-recovery.txt` **and** to the **unencrypted EFI System Partition** (`Q:\SilverMetal-Recovery.txt`) — the ESP is readable even when the OS volume is BitLocker-locked, so the key is recoverable offline (and lets me verify the enrolled state on the next VM run). The PIN-capture path itself is verified correct (string → `ConvertTo-SecureString` → `Enable-BitLocker -Pin`, named args, no mangling) — the VM pre-boot rejection was an input artifact (masked field over noVNC / OVMF F-key mapping), not a code bug. **Follow-up (product):** escrow the recovery key to SilverSync + **display it in the wizard's Done step** so the end-user records it before finishing. Tracked, not in this PR. Verified: welcome solution builds, **29/29** tests pass. Next: rebuild → restage → retest the wizard with a deliberate PIN; the recovery key is now the safety net. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
SilverLABS added 1 commit 2026-06-09 19:15:56 +00:00
fix(bitlocker): add recovery-password protector + save the key (was unrecoverable)
All checks were successful
Build SilverMetal Enhanced - Windows ISO / build (pull_request) Successful in 6m17s
Details
3f1ea6aa63 
VM e2e: full wizard ran end-to-end and enrolled TPM+PIN, but BitLockerService only
created TPM+PIN with NO recovery protector — a forgotten/mistyped PIN bricks the
drive (hit exactly that on the VM). Add a RecoveryPassword protector and save the
48-digit key to ProgramData AND the unencrypted EFI System Partition (readable even
when the OS volume is locked, e.g. for offline recovery/verification).

PRODUCT TODO (follow-up): escrow the recovery key to SilverSync + display it in the
wizard's Done step so the end-user records it.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
SilverLABS merged commit 66ab2e1aed into main 2026-06-09 20:24:36 +00:00
SilverLABS deleted branch fix/bitlocker-recovery-key 2026-06-09 20:24:36 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
SilverLABS
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: SilverLABS/SilverMetal#12
Delete Branch "fix/bitlocker-recovery-key"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?