I’m Mauro, a long-time Windows and Linux user. I recently set up a dual-boot configuration on my Intel NUC 12 Pro (i5-1240P, 16 GB RAM). The system has two SSDs: a 500 GB NVMe drive dedicated to Windows 11 Pro (with BitLocker and Secure Boot enabled) and a 512 GB SATA 3 SSD.
Here’s the partitioning scheme:
nvme0n1 (500GB NVMe):
EFI partition
Windows Reserved partition
C: partition (encrypted with BitLocker)
sda (512GB SATA 3):
sda1: NTFS partition (D: for data)
Free space for Fedora 42 installation
During the Fedora 42 installation, I created the following partitions on the free space of the SATA SSD:
If I leave the D: partition (sda1) unencrypted (NTFS), everything works fine. However, if I enable BitLocker on the D: partition (which is on the same physical drive as my Fedora installation), upon rebooting into Windows, it always asks for the BitLocker recovery key. It doesn’t seem to be utilizing the TPM 2.0 for automatic unlocking of this specific partition.
Interestingly, when I enable BitLocker on D:, the recovery key it asks for is the one associated with my C: drive (the Windows system drive on the NVMe SSD). This suggests some kind of link or confusion in how Windows is managing the BitLocker keys for the data partition on the Fedora drive.
My Question:
Is there a known solution or configuration that would allow me to encrypt the D: partition with BitLocker while dual-booting with Fedora 42 (installed on the same physical drive) without being prompted for the recovery key on every Windows boot? I would expect the TPM 2.0 to handle the unlocking, as it does for my C: drive.
Any insights or suggestions would be greatly appreciated. Thank you in advance for your help!
AFAIK the TPM does not store the key for a data drive. Only the boot drives.
The key for the data drive is stored on the boot drive.
You can list the protectors for sda1 with manage-bde (Windows).
Let’s say you unlock the boot drive with the recovery key, don’t change the encryption on sda1 and reboot: does the Windows boot loader ask again for the recovery key?
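The protector listing the reply above refers to, as an added PowerShell example that is not part of the original thread. It enumerates every BitLocker volume, shows the protector types attached to each, and reports the auto-unlock state of data volumes. On a data volume, auto-unlock is an ExternalKey protector whose key material is stored on the OS volume, which is why a data volume can only unlock automatically once the OS volume itself has been unlocked. The drive letters follow the thread (C: OS volume, D: data volume); run it from an elevated PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread). Inventory BitLocker protectors
# and auto-unlock state. Assumes the layout from the thread: C: (OS) and D: (data).

function Get-BitLockerInventory {
    foreach ($vol in Get-BitLockerVolume) {
        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType          # OperatingSystem or Data
            ProtectionStatus    = $vol.ProtectionStatus    # On / Off
            LockStatus          = $vol.LockStatus          # Locked / Unlocked
            Protectors          = ($vol.KeyProtector.KeyProtectorType -join ', ')
            # The ExternalKey protector flagged as the auto-unlock protector, if any
            AutoUnlockProtector = ($vol.KeyProtector | Where-Object AutoUnlockProtector).KeyProtectorId
            AutoUnlockEnabled   = $vol.AutoUnlockEnabled   # meaningful for data volumes
            AutoUnlockKeyStored = $vol.AutoUnlockKeyStored # OS volume holds keys for data volumes
        }
    }
}

Get-BitLockerInventory | Format-Table -AutoSize

# The same information as manage-bde prints it, including the TPM PCR
# validation profile next to the TPM protector of the OS volume.
manage-bde -protectors -get C:
manage-bde -protectors -get D:

# A data volume without an auto-unlock (ExternalKey) protector prompts for its
# own password or recovery key. Enabling auto-unlock adds that protector and
# stores the key on the OS volume, so C: must already be BitLocker-protected
# and unlocked.
$d = Get-BitLockerVolume -MountPoint 'D:'
if ($d.VolumeType -eq 'Data' -and -not $d.AutoUnlockEnabled) {
    Enable-BitLockerAutoUnlock -MountPoint 'D:'
}
```

Because the OS volume holds the auto-unlock key for D:, a prompt that asks for the recovery password of C: rather than of D: is worth reading as a problem with the OS volume's TPM protector; the PCR validation profile printed by `manage-bde -protectors -get C:` is the first thing to compare between a boot that prompts and one that does not.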
Hi @anotheruser
Windows BitLocker is managed by TPM 2.0. If I don’t lock sda1 (D:, NTFS), the BitLocker unlock is done by TPM 2.0. When I enable BitLocker on D: (sda1) in Windows, it asks for the unlock key of C: (Windows).
Fedora 42 is unlocked with passphrase.
Thanks for your help
I did a Windows 11 Pro restore on May 29th for the usual problems I have two or three times a year with Windows Update. Taking advantage of the event (which takes 5 to 6 hours), I unlocked BitLocker on all partitions, resized the SATA 3 drive and installed the dual boot with Fedora 42 MATE. Fedora 42 is proving to be exceptional on bare metal. I have a 16-year-old laptop (with a recent SSD) that, despite its 4 GB of RAM, works fine with Fedora 42 MATE and LUKS2.
Hi @anotheruser
I immediately tried this option.
In UEFI the sequence is the same: 1) Fedora 2) Windows, and the BitLocker block happens anyway, with the disadvantage that I no longer have the GRUB menu to choose another kernel.
Thanks
If I understand correctly, booting through GRUB2 would change the TPM measurements. The TPM checks every little detail of the boot process, from power-on until Windows is running. If every detail is exactly right, the BitLocker-encrypted file systems will be unlocked; otherwise not. With GRUB2 in between, you change the boot process and the TPM will stay locked.
Hi @vekruse
My PC is a work PC and I’ve gone crazy with BitLocker. At the moment everything works perfectly. The TPM 2.0 unlocks Windows 11 Pro on C:, but if I try to add the other partition, D:, the system for some reason asks for the unlock key. I have Windows correctly unlocking C: and I can access the second partition, D: (NTFS). Obviously, with the partition unencrypted, Fedora 42 lets me access D: (NTFS, sda1).
I’m seriously thinking of encrypting specific folders with a package compatible with both Windows and Fedora, thus keeping the partition accessible from both OSes.
Do you really require two separate EFI partitions?
My guess is that you could maybe prevent this by moving the Fedora GRUB directory from sda to the EFI partition on nvme0n1p1.
The boot medium would then be nvme0n1 for both OSes, and it would probably not trigger the recovery screen.
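A way to check the conditions described two replies up (the TPM measuring the whole boot path) and to carry out the boot-chain change proposed just above (moving the Fedora GRUB files to the NVMe EFI partition) without landing on the recovery screen, as an added PowerShell example that is not from the original thread. It reports whether Secure Boot is enforcing and the TPM is ready, prints the PCR validation profile the OS-volume key is sealed against, and wraps the supported procedure for an intended change of the boot path: suspend BitLocker for one reboot so that it re-seals the key to the new measurements on the next Windows boot. Volume names follow the thread; `Suspend-ForBootChange` is a helper name chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread). Check the integrity-validation
# inputs BitLocker uses for the OS volume and survive an intended change of the
# boot chain. Assumes C: is the BitLocker-protected OS volume.

function Get-BootIntegrityState {
    $tpm = Get-Tpm
    [pscustomobject]@{
        SecureBootEnabled  = Confirm-SecureBootUEFI   # $true when Secure Boot is enforcing
        TpmPresent         = $tpm.TpmPresent
        TpmReady           = $tpm.TpmReady
        OsVolumeProtectors = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector.KeyProtectorType -join ', '
    }
}

Get-BootIntegrityState | Format-List

# manage-bde prints the PCR validation profile next to the TPM protector, e.g.
# "7, 11 (Uses Secure Boot for integrity validation)". PCR 7 records the
# Secure Boot policy and the signing authority used to verify every EFI image
# loaded on the way to Windows, so reaching Windows through a different EFI
# loader (shim/GRUB instead of the Windows Boot Manager entry) changes it.
manage-bde -protectors -get C:

# Before an intended change to the boot path (re-installing GRUB, moving the
# Fedora EFI files to another ESP, re-creating the UEFI boot entry), suspend
# protection for exactly one reboot. While suspended, the volume key is stored
# unsealed on disk, so do the change and reboot promptly. On the next Windows
# boot BitLocker resumes protection and re-seals the key to the current
# measurements instead of asking for the recovery password.
function Suspend-ForBootChange {
    param([string]$MountPoint = 'C:', [int]$RebootCount = 1)
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount
    # ProtectionStatus reads Off until the reboot count is used up
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
}

# Usage:
#   Suspend-ForBootChange          # then make the boot-chain change and reboot into Windows
#   Resume-BitLocker -MountPoint 'C:'   # only if protection did not resume on its own
```

The suspend step is what makes a deliberate re-measurement safe; without it, any change that alters the PCRs in the validation profile leaves the TPM unable to release the key, and the only way in is the recovery password. It does not help with a layout that changes the measurements on every boot, which is why the reply above asks whether both operating systems can share the single EFI partition on nvme0n1.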
Hi @anotheruser
In another post, I don’t remember the link, it was suggested to use a dedicated EFI partition for Fedora. I remember the expression about putting two chefs in a single kitchen. I followed the suggestion and actually everything is perfect except for this issue. I have no experience with EFI and dual boot. I just need to make things work…
At the moment, after doing many experiments on the day of installation, I have two stable systems, Fedora and Windows. Would it have been better? I am too inexperienced to answer. But if you tell me so, I could try it in the future…
Thank you very much
Maybe I made a mistake when I installed it with Secure Boot enabled? Did I make a mistake when I created the second EFI partition? Did I make a mistake when I disabled BitLocker? Honestly, I am too inexperienced. However, I am aware of my limitations. On 29 May, I was exasperated by the Windows 11 Pro lockout (it took 5–6 hours to restore online from Windows Update). My backups to external disks and the SATA 3 drive were not working. Unfortunately, this happens to me two or three times a year. Windows reports a reliability index of 10 (the maximum score), and then the system crashes during the update process. I finished the restore, deleted the backup partition, and decided to install Fedora 42 MATE.
For installing Fedora, it doesn’t make any difference. The install procedure would install the proper UEFI entry for you, and if it didn’t, that would be a bug.
As for BitLocker, you would need Microsoft expertise.
Hello everyone,
My goal was to set up a second encrypted partition. After thorough testing, I’m now almost certain that the issue was caused by BitLocker being applied to the only NTFS partition (sda1) on the SATA 3 SSD dedicated to Linux.
Here’s what I did to solve the problem: I resized the Windows C: partition and moved the D: NTFS partition to the NVMe drive, reset the TPM 2.0 and then applied BitLocker encryption to both C: and D:. The sda1 partition (the first on the disk) will now be used for a fresh Fedora installation, dedicating the entire SSD to Linux.
As an alternative, I could set up a shared partition at the end of the disk, accessible by both OSes, with manual encryption for security.