fix(bitlocker): add recovery-password protector + save key (TPM+PIN-only was unrecoverable) #12

Merged

SilverLABS merged 1 commits from fix/bitlocker-recovery-key into main

2026-06-09 20:24:36 +00:00

Author	SHA1	Message	Date
sysadmin	3f1ea6aa63	fix(bitlocker): add recovery-password protector + save the key (was unrecoverable) All checks were successful Build SilverMetal Enhanced - Windows ISO / build (pull_request) Successful in 6m17s Details VM e2e: full wizard ran end-to-end and enrolled TPM+PIN, but BitLockerService only created TPM+PIN with NO recovery protector — a forgotten/mistyped PIN bricks the drive (hit exactly that on the VM). Add a RecoveryPassword protector and save the 48-digit key to ProgramData AND the unencrypted EFI System Partition (readable even when the OS volume is locked, e.g. for offline recovery/verification). PRODUCT TODO (follow-up): escrow the recovery key to SilverSync + display it in the wizard's Done step so the end-user records it. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-09 20:15:49 +01:00

Author

SHA1

Message

Date

sysadmin

3f1ea6aa63

fix(bitlocker): add recovery-password protector + save the key (was unrecoverable)

Build SilverMetal Enhanced - Windows ISO / build (pull_request) Successful in 6m17s

Details

VM e2e: full wizard ran end-to-end and enrolled TPM+PIN, but BitLockerService only
created TPM+PIN with NO recovery protector — a forgotten/mistyped PIN bricks the
drive (hit exactly that on the VM). Add a RecoveryPassword protector and save the
48-digit key to ProgramData AND the unencrypted EFI System Partition (readable even
when the OS volume is locked, e.g. for offline recovery/verification).

PRODUCT TODO (follow-up): escrow the recovery key to SilverSync + display it in the
wizard's Done step so the end-user records it.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-09 20:15:49 +01:00

fix(bitlocker): add recovery-password protector + save key (TPM+PIN-only was unrecoverable) #12

1 Commits