Yellowkey - a Bitlocker bypass method
Posted by DaveTheAllrighty@reddit | sysadmin | 86 comments
So yellowkey was released yesterday on Github and not gonna lie, this thing scares me. A full encryption bypass method that basically makes Bitlocker obsolete. My question is: are there any ways of mitigating this without spending too much?
Tetrapack79@reddit
You can disable WinRE to mitigate this (reagentc /disable), but of course this also restricts the possibilities to troubleshoot or repair problems with the operating system.
DaveTheAllrighty@reddit (OP)
I think that's the only reliable solution as of now. Pin doesn't work and apparently, TPM + PIN are also exploitable by the yellowkey. I'll play with it tomorrow to see the possibilities myself
m1m1n0@reddit
It's dangerous to make things up when making security decisions. TPM+PIN is not exploitable. TPM won't give out encryption key without getting a proper PIN, and it will count unsuccessful attempts and lock.
So yes, TPM+PIN is the proper solution.
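A defender-side audit for the two mitigations raised above (disabling WinRE with reagentc, and requiring a TPM+PIN protector instead of TPM-only unlock). This is an added example, not code from the thread or from the Yellowkey project; it assumes an elevated PowerShell session with the BitLocker module available, and that reagentc prints its status line in English.

```powershell
# Added example: audit a Windows host for the mitigations discussed above.
# Assumes an elevated session with the BitLocker module (Get-BitLockerVolume)
# and English reagentc output (the status line is localized on other locales).

function Get-WinReStatus {
    # reagentc /info prints a "Windows RE status: Enabled|Disabled" line
    $info = & reagentc.exe /info 2>&1
    $line = $info | Where-Object { $_ -match 'Windows RE status' }
    if (-not $line) { return 'Unknown' }
    if ($line -match 'Enabled') { 'Enabled' } else { 'Disabled' }
}

function Get-BitLockerPreBootPosture {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        # A plain 'Tpm' protector releases the VMK at boot with no user secret;
        # 'TpmPin' / 'TpmPinStartupKey' require a secret before the key is released.
        $tpmOnly = ($types -contains 'Tpm') -and -not ($types -match '^TpmPin')
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            TpmOnlyUnlock    = $tpmOnly
        }
    }
}

$winre = Get-WinReStatus
$vols  = Get-BitLockerPreBootPosture
$vols | Format-Table -AutoSize

# Flag the combination the thread is worried about: WinRE reachable and an
# encrypted volume that unlocks on the TPM alone with no pre-boot PIN.
$exposed = @($vols | Where-Object { $_.TpmOnlyUnlock -and $_.ProtectionStatus -eq 'On' })
if ($winre -eq 'Enabled' -and $exposed.Count -gt 0) {
    Write-Warning ("WinRE enabled and {0} volume(s) use TPM-only unlock: {1}" -f `
        $exposed.Count, (($exposed | ForEach-Object MountPoint) -join ' '))
    Write-Warning "Consider a TPM+PIN protector (Add-BitLockerKeyProtector -TpmAndPinProtector) or 'reagentc /disable'."
} else {
    Write-Host "WinRE: $winre; no TPM-only protected volumes reachable via WinRE."
}
```

Run it per host through whatever script runner or RMM you already use; the objects it emits are the inventory you need to decide which machines get a PIN rollout and which get WinRE disabled.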
glotzerhotze@reddit
Did you miss the point where people told you that an exploit exists for TPM+PIN but it was not released (yet)?
If so, I can understand your "proper solution" joke.
KoeKk@reddit
Maybe wait and see if the TPM+PIN exploit is real?
goshin2568@reddit
The dude has dropped like 5 pretty severe windows zero days in the last month. I don't think "pray that he's lying about this one part" is a strategy I would rely on.
KoeKk@reddit
Sure, but we can’t rely on hearsay otherwise, nothing else to do than wait and see
itishowitisanditbad@reddit
You could assume that the person who keeps delivering will deliver once again though and plan otherwise.
There literally is things to do other than that.
It's also not hearsay. I have no idea why you used that word here. It's not hearsay whatsoever?
Who/what do you think is hearsay?
The person who keeps delivering said it for themselves. Nobody is saying it ONLY on their 3rd party behalf or stating it was said without proof.
I don't think you know what hearsay is, or really understand what is going on tbh
KoeKk@reddit
Hearsay: researcher says: I have X without delivering proof; above are people saying 'X exists'.
My point is: there is nothing known about the exploit PoC without TPM pin, so we cannot take any definitive action preventing the unknown. Better to focus on preventing the known issue. Don't get me wrong, this issue is real, but also requires physical access and laptops being stolen.
itishowitisanditbad@reddit
Again.
The guy has said he has X and delivered multiple times.
This is simply a small addition to what he already delivered in the exact same vein.
Common sense really overrules your "well it's not 100% proven so we're going to pretend that's fake"
Your logic is just so.... obtusely baffling. Like worryingly so.
KoeKk@reddit
The OP asks for ‘what can I do’. Please tell us because you act like you have answers.
I think you are nitpicking and focusing on 'it must be true and just as bad' while you know nothing about it, because nothing has been made public. 50/50 chance that the attack follows the same pattern and can be lessened/mitigated with the same steps; or not and all bets are off, it can be very specific/edge case (ie: fake/overblown), or just as broad and easy as this. You just don't know but like to go on worst case scenario which you translate to 'common sense'.
NerdyNThick@reddit
You should take your own advice, because you're wrong.
https://deadeclipse666.blogspot.com/2026/05/were-doing-silent-patches-now-huh-also.html
Quote the discoverer of YellowKey:
WilfredGrundlesnatch@reddit
https://deadeclipse666.blogspot.com/2026/05/were-doing-silent-patches-now-huh-also.html
Turtle_Online@reddit
Does this also remove the ability to remotely wipe a Windows device with MDM?
Mantazy@reddit
Yes for intune as it relies on the recovery environment to function.
simask234@reddit
AFAIK it is only effective if you are using BL in TPM-only mode. If you have a PIN set up, it won't be able to bypass it
disclosure5@reddit
PIN is a lot less practical in reality than people suggest. If you can't get users to remember their passwords and have to invest in phone support to reset it for them, just picture what's involved when a Bitlocker PIN is a totally different thing to their Entra password except now resetting it is much less simple.
Heck just having people have to type something before a laptop starts booting will annoy people away from it.
WayneH_nz@reddit
And then, on multi use computers, 5 nurses sharing a desktop, pins are a pain in the arse. On reboot, the pins are gone
disclosure5@reddit
Oh hey, this man knows healthcare I see.
m1m1n0@reddit
Think of a credit card pin - banks consider it sufficient to protect money, to an extent.
A 6-digit pin on BitLocker is sufficient to mitigate all bruteforce attacks. TPM would lock soon enough.
disclosure5@reddit
Nothing I said was an argument about the strength of a PIN if you can make it work.
The PIN on your card belongs to you. The PIN on a TPM belongs to the machine and when users swap notebooks they need to swap PINs. When users forget PINs they can't just call and get a new one. It's a nightmare outside of the tech industry.
Sleepytitan@reddit
Having seen Bitlocker PIN being used, I can tell you what happens.
Users tape a note with the PIN to the laptop.
IdealParking4462@reddit
Not to mention PIN entry often doesn't work with docks/etc.
Heribertium@reddit
Also remote maintenance is a royal PITA with all forms of pre-boot passwords. Now I can tell a user to leave their device on after work, install updates, reboot etc.
NerdyNThick@reddit
Incorrect.
https://deadeclipse666.blogspot.com/2026/05/were-doing-silent-patches-now-huh-also.html
Quote the discoverer of YellowKey:
simask234@reddit
So he has an exploit but he chooses not to disclose it...
Sgt_Splattery_Pants@reddit
allegedly the variant exists to affect TPM-Pin protected machines, the author is just refusing to release it.
neoKushan@reddit
Oh cool, so that guy that accidentally pushed a group policy to make all his machines immediately reboot might actually have a way out.
nv1t@reddit
activate pin for bitlocker. bitlocker is not obsolete...it was always broken, when you autodecrypt on boot.
that's what every security person tries to tell since the beginning of bitlocker.
DaveTheAllrighty@reddit (OP)
I've read that the guy behind the yellowkey has the pin bypass in the works as well
nv1t@reddit
where did you read this?
because there are multiple methods of tpm based bypass published during last communication Congress from MS Research themselves. funnily enough in the WinRE boot. soooo...this is just another one on the list. for me the setup is scary. it really looks like a backdoor.
Sgt_Splattery_Pants@reddit
https://deadeclipse666.blogspot.com/
_3470@reddit
damn this guy really hates microsoft
BlackV@reddit
Gawd they're a raving lunatic
nv1t@reddit
ok....then I take back that everything is fine. although a PIN is always a better alternative.
let's see how long it takes until someone finds the other variant: "You want my treasure? You can have it! Go look for it, I've hidden the greatest treasure in the world somewhere!"
BlackV@reddit
Gawd they're a racing lunatic
Idenwen@reddit
I never understood autodecrypt. If someone steals the device they can just boot into it.
And if the disk is replaced it gets shredded anyway so no extra security there too.
When I used bitlocker (work laptop when travelling) it always was in no tpm + passphrase mode.
nv1t@reddit
ideally you have a password set and, based on modifying the disk, you can't log in....sooo...it looks fine on paper, until you find bypasses to get the key (of which there are plenty).
Last thing (before the ms research published last year) was: yeah...tpm can be sniffed, but only if it is a single chip. If the tpm is incorporated, it is not sniffable. ms research published winre bypasses and this was done....now yellow key.
I wonder about the tpm+pin bypass. this would mean, you don't need a pin to get the tpm unlocked, or there is a master key for it ....
IdealParking4462@reddit
Yeah, I'm also confused by the claims by the author that they have also got a successful attack against TPM+PIN.
UninvestedCuriosity@reddit
I think this is great. Always hated bitlocker. Make it obsolete, please.
burundilapp@reddit
Having had to run McAfee Device Encryption across our estate before we updated the so everything had a TPM chip and implemented BitLocker, I prefer BitLocker.
RiceeeChrispies@reddit
Trying to do Windows feature updates with McAfee Drive Encryption made me cry and almost definitely shortened my lifespan.
UninvestedCuriosity@reddit
I was there with the truecrypt and imaging. Disliked that era as well.
KoeKk@reddit
It requires physical access and the ability to reboot into WinRE. Maybe I am wrong but having a BIOS boot pin would make the reboot into WinRE a lot harder (depending on the implementation of the boot pin), right?
smoothvibe@reddit
Yeah, but how will you communicate to your users, that they have to enter a PIN now every time?
Not gonna happen.
KoeKk@reddit
I worked at multiple orgs using boot PINs, not really a complicated issue? Do you never communicate with your users?
smoothvibe@reddit
The orgs / IT bosses I worked in/for would never have allowed a boot PIN and why should there one in the first place? Bitlocker and system credentials are enough.
Well... were.
KoeKk@reddit
Then the orgs/IT bosses did not fully understand the risks 🤷♂️. A lot of intrusion methods require a booted OS, if you can prevent the OS from booting it limits the attack surface. Was enough to prevent the specialized dTPM snooping devices from having effect.
WilfredGrundlesnatch@reddit
The entire point of disk encryption is to protect against physical access.
kerubi@reddit
Remind me what is Bitlocker supposed to protect against aside attacks via physical access? ;)
KoeKk@reddit
Any protection mechanism is depending on other mechanisms for complete protection. It is widely known that auto unlock of encrypted drives is a weakness so the point you make is not as strong as you think? :)
ArticleGlad9497@reddit
I was wondering the same thing 🤣
ledow@reddit
That's not the point.
Bitlocker is designed to encrypt the machine.
Mere physical access to the machine should not render your data readable.
If your laptop is stolen, the thief should not be able to read your data... but with this exploit they easily could.
This is pretty serious and urgent, and has huge ramifications for data protection and corporate use of Bitlocker instead of other tools.
It's literally a backdoor into any machine's encrypted drives, that has barely been mentioned by MS or patched even though it's out in the wild.
__dna__@reddit
Depends on the machine iirc. If memory serves a good chunk of older workstations (likely still in commission) store the bios pin in CMOS - so pulling the battery would be sufficient
Even still, if someone has physical access to the machine, all bets are off - more so here thanks to this exploit. Bios passwords are a deterrent not a prevention unfortunately
throwaway0000012132@reddit
This makes laptops a lot more vulnerable.
KoeKk@reddit
Yeah storing the boot pin in CMOS is a bad move indeed
Consistent-Milk-5895@reddit
You can just force shut down cycle windows on the bootlogo and it starts WinRE
KandevDev@reddit
yellowkey relies on cold-boot DMA + a pre-boot tweak to extract bitlocker keys from memory. mitigations that actually work: (1) require TPM+PIN on bitlocker, not TPM-only. PIN is asked before the keys hit memory, so cold-boot does not help. (2) disable kernel DMA protection bypass via the kernel-DMA-protection policy in group policy. (3) enable bitlocker network unlock via TPM+network only, which keeps keys off the physical device. yellowkey scares everyone but the mitigations have been known for the underlying attack class for years.
ifq29311@reddit
it's not a bitlocker bypass, it's unauthorized TPM unlock
it will not work when you put the disk in another computer
it will not work when you have a TPM + PIN protector set up (guy who put out the yellowkey claims this is possible but i really doubt it - to the best of my knowledge the TPM key is encrypted with PIN so no bypass possible)
JDupster@reddit
The guy released multiple unknown zero day exploits. Why would you doubt his own claim that TPM+Pin does not protect you against this attack as well?
ifq29311@reddit
because the guy is an arrogant asshole who does not give a fuck about properly disclosing this to MS
also if i understand this correctly, you need a proper unlock to happen in recovery environment before further unauthorized unlocks can happen. you'd need PIN for that first unlock.
https://x.com/weezerOSINT/status/2054299776267813258
also my initial mistake - it's not actually unauthorized TPM unlock (but that's needed for the exploit to be transparent to user)
NerdyNThick@reddit
Ah, found the MS Security AI responsible for ignoring this "arrogant asshole".
PJBthefirst@reddit
I haven't seen him exaggerating his abilities, and being a meanie doesn't disqualify someone from possessing a zero-day. Is there anything else?
ifq29311@reddit
how about the rest of my post?
Matamune117@reddit
Implement bitlocker pin :)
The uploaded github version does not work on pin enabled devices. Additionally You'll have protection from TPM Sniffing on some MOBOs.
NerdyNThick@reddit
https://deadeclipse666.blogspot.com/2026/05/were-doing-silent-patches-now-huh-also.html
Quote the discoverer of YellowKey:
No, a PIN is not enough.
IdealParking4462@reddit
There are claims by the author they have also defeated TPM+PIN but did not publish.
Matamune117@reddit
Oh, Good to know ;) Still this is the best We can do for now.
Looking at how AI availability makes understanding and writing exploits easier, I believe that companies should focus more on BCP planning, and internal audits.
Like, OK if your device is stolen or lost then someone can extract your company data.
But just by reading on this year's cybersecurity breaches most damage is done because after infiltration, the attackers can easily move in network by basic lateral movement and gain access to systems because still...
tomtrix97@reddit
+1 for this
Bitlocker without startup pin was useless before Yellowkey already.
dinominant@reddit
We virtualize our servers to protect them from adversaries, and from negligent vendors, and from disastrous software updates.
Maybe we should virtualize all software on all endpoints and use properly designed open and verifiable cryptographic systems.
People keep outsourcing to Microsoft and this repeat systemic vulnerability is an old tired story now.
tldr: broadcom, oracle, edge in my taskbar again... tldr: that Debian server has been stable for 15 years, no surprises, and doing its job.
TheLexoPlexx@reddit
Is this different from the 11 other methods?
kerubi@reddit
Some orgs already disable recovery environment, as that access via RE allows end users to do things the orgs do not want them to be able to do. Makes, surprise-surprise, recovering a non-booting device a bit more difficult, though :)
Hatred_grows@reddit
Does it affect "bitlocker to go"?
IdealParking4462@reddit
I can't see how, it seems to rely on the TPM.
RaZoX144@reddit
Lowkey big for data recovery and the odd personal-use customer
Mantazy@reddit
And also yesterday yellowkey was posted on this sub: https://reddit.com/r/sysadmin/comments/1tbwrm3/yellowkey_bitlocker_bypass/ - Why make a new post about essentially the same?
InflateMyProstate@reddit
We have BitLocker on all devices but force a passphrase to unlock on boot up. If I’m reading this correctly, this strictly affects TPM-only mode? So passphrase or PIN on boot up is not vulnerable to this?
Magic_Neil@reddit
Yell at users really loud to not lose their laptops for a few months?
DaveTheAllrighty@reddit (OP)
What about laptops that were already lost?
Ur-Best-Friend@reddit
Yell at them even more loudly for that.
g-nice4liief@reddit
Hide your kids, hide your wife.
Inquisitive_idiot@reddit
hit the gym, buy a pack
got a light? 🚬
Ice-Cream-Poop@reddit
And your laptop.
Awkward-Candle-4977@reddit
Microsoft should embrace opal hardware encryption
sublimeprince32@reddit
Microsoft must have built this in for the government, like we all suspected at the beginning anyhow... someone just found the method.
Rainmaker526@reddit
Time for a Linux desktop.
Or a Mac, if you've got too much money.