Pekka1959
1 Copper

Is it possible to boot from USB with the Secure boot enabled

One of my students has a Dell Vostro 15 with Windows 10 Pro. BitLocker is enabled. In Finland the students have to start their computers from a bootable USB stick containing a Debian-based system when they are doing tests. I tried with F12 to get the boot menu, but I couldn't see the USB stick in the boot menu. Then I disabled Secure Boot in UEFI/BIOS and then I got more problems. I couldn't boot anything; BitLocker refused to start even Windows. I had to enable Secure Boot again. Is it possible to boot from a USB flash drive with both BitLocker and Secure Boot enabled?

3 Replies
gulbaz ilyas
1 Copper

Re: Is it possible to boot from USB with the Secure boot ena

No, it's not possible until you turn Secure Boot off.

ejn63
4 Ruthenium

Re: Is it possible to boot from USB with the Secure boot ena

While it depends on the specific model (Vostro 15 covers a multitude of different ones), YES, it is possible to boot a flash drive with Secure Boot ON. The flash drive must be UEFI-compatible (which is likely the problem). You'll need a fairly new version of UNIX/Linux to have the UEFI boot option available.

To boot a non-Windows OS, you will need to turn off BitLocker, though.

jphughan
5 Tungsten

Re: Is it possible to boot from USB with the Secure boot ena

OK, there are a few things in play here.

First, yes it is possible to boot from a USB drive while Secure Boot is enabled -- but as ejn63 says, the USB drive must use a FAT32 partition, the system must attempt to boot from the USB drive in UEFI mode (which it always will if Secure Boot is enabled), and the USB drive must contain a bootloader that is actually trusted by Secure Boot.  On the Windows side, Win8 and newer use trusted bootloaders, and I know that newer versions of Ubuntu do as well, but I don't know about Debian.

The reason BitLocker had a problem when you disabled Secure Boot is because with the default operation of BitLocker, the TPM stores the decryption key so that you don't have to enter it every time the system boots -- but the TPM only releases the key if the system passes a "platform integrity check" at boot.  That check looks at various aspects of the hardware environment to make sure that nothing has changed in a way that might allow the decryption key to be compromised if the TPM released it.  Changing certain hardware devices, BIOS settings, and even updating the BIOS all count as a hardware change that will trigger a platform integrity check failure.  At that point, BitLocker prompts for a Recovery Key instead, basically requiring YOU to supply the decryption key in order to decrypt the drive since the TPM has refused to do so in that situation. If you had supplied that, your system would have booted and the system would have "resealed" with the new hardware configuration and trusted that going forward -- but it would NOT have trusted the previous configuration anymore, so if you had gone back and enabled Secure Boot later, you'd have had to enter the Recovery Key again the first time you booted from the hard drive afterward.

Incidentally, if you haven't backed up your Recovery Key, you absolutely should, because there are times you may need it, such as after a BIOS update or motherboard replacement, or if you ever need to recover data from another system because yours completely died.  You cannot always count on the TPM to decrypt your drive for you.

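The TPM behaviour jphughan describes (key released only when the measured boot configuration matches what it was sealed to, a Recovery Key needed after a change, and a reseal that stops trusting the previous configuration) can be modelled in a few lines. This is an added illustration written for this thread, not Microsoft's or Dell's code: the PCR-extend rule is the real one, but `ToyTpm`, `measure_boot`, `boot` and `scenario` are simplified stand-ins, and the recovery key is modelled as a direct copy of the volume key rather than a separate protector.

```python
import hashlib
import hmac
import os

def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """PCRs are never written, only extended: new = SHA256(old || SHA256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def measure_boot(bios_version: str, secure_boot: bool) -> bytes:
    """Fold the boot-time facts the platform integrity check looks at into one PCR value."""
    pcr = bytes(32)
    for event in (bios_version.encode(), b"SecureBoot=" + (b"on" if secure_boot else b"off")):
        pcr = pcr_extend(pcr, event)
    return pcr

class ToyTpm:
    """Seals a key to a PCR value and releases it only when the current value matches."""
    def __init__(self):
        self._secret = os.urandom(32)            # never leaves the TPM

    def seal(self, key: bytes, pcr: bytes) -> dict:
        wrap = hmac.new(self._secret, pcr, hashlib.sha256).digest()
        return {"pcr": pcr, "blob": bytes(a ^ b for a, b in zip(key, wrap))}

    def unseal(self, sealed: dict, pcr: bytes):
        if not hmac.compare_digest(sealed["pcr"], pcr):
            return None                          # platform integrity check failed: key withheld
        wrap = hmac.new(self._secret, pcr, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))

def boot(tpm: ToyTpm, sealed: dict, pcr: bytes, key: bytes, recovery_key=None):
    """Return (outcome, sealed): 'tpm' unlock, 'recovery' entry plus reseal, or 'locked'."""
    if tpm.unseal(sealed, pcr) == key:
        return "tpm", sealed
    if recovery_key is not None and hmac.compare_digest(recovery_key, key):
        return "recovery", tpm.seal(key, pcr)    # reseal to the NEW configuration only
    return "locked", sealed

def scenario() -> list:
    """Replay the thread: Secure Boot on, off without key, off with key, on again, on with key, on."""
    tpm, key = ToyTpm(), os.urandom(32)          # constructed volume key for the demo
    sealed = tpm.seal(key, measure_boot("1.12", True))
    outcomes = []
    for secure_boot, recovery in ((True, None), (False, None), (False, key),
                                  (True, None), (True, key), (True, None)):
        outcome, sealed = boot(tpm, sealed, measure_boot("1.12", secure_boot), key, recovery)
        outcomes.append(outcome)
    return outcomes
```

Step 4 is the point of the reply: after resealing with Secure Boot off, turning it back on is again an unrecognised configuration and the Recovery Key is needed once more.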