akshayku/PasskeyBitLocker
PasskeyBitLocker

A Windows command-line tool that uses WebAuthn passkeys with the PRF (Pseudo-Random Function) extension to protect BitLocker-encrypted drives. This enables passwordless, phishing-resistant authentication for unlocking BitLocker volumes using FIDO2 security keys or Android/iOS phones.

Features

  • Passkey-based BitLocker protection - Use FIDO2 security keys or platform authenticators instead of passwords
  • PRF extension support - Derives cryptographic keys from passkey authentication for BitLocker external key protectors
  • Interactive and command-line modes - Run interactively for guided operation or use CLI for scripting
  • Multiple credential hints - Support for security keys and hybrid (cross-device) authentication

Requirements

  • Windows 10/11 with BitLocker support
  • Administrator privileges (required for BitLocker operations)
  • A FIDO2 security key with PRF extension support, or an Android/iOS phone used as a hybrid (cross-device) authenticator
  • Visual Studio 2022 or later (for building)

Building

Open PasskeyBitLocker.slnx in Visual Studio and build for x64 Debug or Release configuration.

Or build from command line:

MSBuild.exe PasskeyBitLocker.slnx /p:Configuration=Release /p:Platform=x64

Usage

Interactive Mode

Run without arguments to enter interactive mode:

PasskeyBitLocker.exe

Interactive mode provides a menu-driven interface:

  1. Show volume info
  2. Register passkey
  3. Unlock drive
  4. Lock drive
  5. Remove external key protector
  6. Change drive
  7. Exit

Command-Line Mode

Usage: PasskeyBitLocker.exe <command> [options]

Commands:
  --info <drive>           Show volume information (e.g., --info D:)
  --register <drive>       Register a passkey for the drive (e.g., --register D:)
  --unlock <drive>         Unlock the drive with passkey (e.g., --unlock D:)
  --lock <drive>           Lock the encrypted drive (e.g., --lock D:)
  --remove <drive> <id>    Remove specific external key protector by ID
  --help                   Show help message

Options:
  --verbose, -v            Enable verbose logging
  --hint <type>            WebAuthn credential hint: 'security-key' (default) or 'hybrid'

Examples

# Show drive info and protector IDs
PasskeyBitLocker.exe --info D:

# Register a new passkey protector
PasskeyBitLocker.exe --register D:

# Register using a phone/tablet as authenticator
PasskeyBitLocker.exe --register D: --hint hybrid

# Unlock a drive
PasskeyBitLocker.exe --unlock D:

# Lock a drive
PasskeyBitLocker.exe --lock D:

# Remove a specific protector (use --info to get the ID)
PasskeyBitLocker.exe --remove D: "{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"

# Enable verbose output for troubleshooting
PasskeyBitLocker.exe --unlock D: -v

How It Works

  1. Registration: Creates a WebAuthn credential with PRF extension enabled. The PRF output is used to derive a 256-bit key that becomes a BitLocker external key protector.

  2. Unlock: Authenticates with the registered passkey, retrieves the same PRF-derived key, and uses it to unlock the BitLocker volume.

  3. Security: The actual unlock key never leaves the security key - only the PRF-derived value is used, which requires physical presence and user verification on the authenticator.
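The registration and unlock steps above rest on one property of the PRF extension: the authenticator holds a per-credential secret and only ever releases an HMAC over a caller-supplied salt, so the same credential and the same salt give the same 256-bit output every time, and a different salt or a different credential gives an unrelated one. The following added example (written for this page, not code from the PasskeyBitLocker project) models that flow offline with a simulated authenticator standing in for the security key. The prefix-and-hash step in prf_salt follows the WebAuthn PRF extension, which hashes inputs as SHA-256("WebAuthn PRF" || 0x00 || input) before passing them to CTAP hmac-secret; the derive_external_key labelling and the ProtectorRecord layout are assumptions made for illustration, since the page does not document how the tool turns the PRF output into the BitLocker external key.

```python
"""Model of the WebAuthn PRF / CTAP hmac-secret flow behind a passkey-protected drive.

Added example, not PasskeyBitLocker's own code. The authenticator is simulated
in-process so the flow runs offline; the real tool talks to the Windows WebAuthn
API and a hardware security key or phone instead.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# WebAuthn PRF extension: caller inputs are hashed with this fixed prefix, and the
# digest is what the authenticator receives as the hmac-secret salt.
PRF_PREFIX = b"WebAuthn PRF\x00"


def prf_salt(prf_input: bytes) -> bytes:
    """Map a PRF input to the 32-byte salt handed to the authenticator."""
    return hashlib.sha256(PRF_PREFIX + prf_input).digest()


class SimulatedAuthenticator:
    """Stands in for a FIDO2 security key (constructed for this example).

    The per-credential secret (CredRandom) is created on the device and never
    returned; callers only ever receive HMAC outputs computed over it.
    """

    def __init__(self) -> None:
        self._cred_random: dict[bytes, bytes] = {}

    def make_credential(self) -> bytes:
        credential_id = os.urandom(16)
        self._cred_random[credential_id] = os.urandom(32)  # generated on-device
        return credential_id

    def get_assertion(self, credential_id: bytes, salt: bytes, user_verified: bool) -> bytes:
        # hmac-secret output is gated on user verification (PIN or biometric).
        if not user_verified:
            raise PermissionError("user verification required")
        cred_random = self._cred_random[credential_id]  # KeyError for an unknown credential
        return hmac.new(cred_random, salt, hashlib.sha256).digest()  # 32 bytes = 256 bits


def derive_external_key(prf_output: bytes, drive: str) -> bytes:
    """Turn the PRF output into the 256-bit external key.

    Assumption for this example: a labelled SHA-256 bound to the drive letter.
    The project's own derivation is not documented on the page.
    """
    return hashlib.sha256(b"bitlocker-external-key\x00" + drive.encode() + b"\x00" + prf_output).digest()


@dataclass(frozen=True)
class ProtectorRecord:
    """What a client would persist per drive (assumed layout): nothing secret."""
    drive: str
    credential_id: bytes
    prf_input: bytes


def register(auth: SimulatedAuthenticator, drive: str):
    """Registration: create a credential, pick a per-drive salt, derive the key."""
    credential_id = auth.make_credential()
    prf_input = os.urandom(32)  # public per-drive salt, stored with the record
    record = ProtectorRecord(drive, credential_id, prf_input)
    prf_output = auth.get_assertion(credential_id, prf_salt(prf_input), user_verified=True)
    return record, derive_external_key(prf_output, drive)


def unlock(auth: SimulatedAuthenticator, record: ProtectorRecord, user_verified: bool = True) -> bytes:
    """Unlock: re-run the assertion with the stored salt and re-derive the same key."""
    prf_output = auth.get_assertion(record.credential_id, prf_salt(record.prf_input), user_verified)
    return derive_external_key(prf_output, record.drive)


def run_demo() -> dict:
    """Exercise the flow and report the properties the registration/unlock steps rely on."""
    auth = SimulatedAuthenticator()
    record, key_at_registration = register(auth, "D:")
    same_key = unlock(auth, record) == key_at_registration
    # A record with a different (constructed, all-zero) salt must not yield the drive key.
    other_salt = ProtectorRecord(record.drive, record.credential_id, bytes(32))
    salt_matters = unlock(auth, other_salt) != key_at_registration
    try:
        unlock(auth, record, user_verified=False)
        uv_required = False
    except PermissionError:
        uv_required = True
    return {
        "key_bits": len(key_at_registration) * 8,
        "same_key_on_unlock": same_key,
        "salt_changes_key": salt_matters,
        "uv_required": uv_required,
    }


if __name__ == "__main__":
    print(run_demo())
```

The point worth noticing is what the client never sees: CredRandom stays inside SimulatedAuthenticator, and the only persisted state (credential ID and salt) is useless without the device, which is why a stolen record on its own does not unlock the drive.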

About

BitLocker Encrypt/Lock/Unlock Drives Using Passkey