Securely extending Surface RT with an SD card and BitLocker

I bought myself a Surface RT the other day and I'm loving it. One thing I wanted to do, however, was expand the built-in storage using an SD card. Unfortunately this is one area where the Surface is a little less than helpful: I can happily plug in a micro SD card, but getting my content to automatically use it is another matter.

Integrating SD cards with libraries

The first challenge is getting Windows to treat the SD card as the default location for things and to allow apps to find content on it. In theory you can do this by adding the SD card to the Windows libraries for Music, Pictures and so on.

However, you can't add removable media to libraries. Thankfully this is quite easy to work around and has been documented elsewhere; to save you going looking, here is my solution.

First I reformatted my SD card with NTFS. You'll need to do this to set permissions later, since FAT32 and exFAT have no ACLs at all.

Next I created top-level folders for Public and Rob (myself). Remember this is a multi-user device, so I want document isolation between users.

Inside each of these I created the folders for music, pictures, documents and videos.

I set the ACLs on each of the top-level Public and user folders to match those on the system drive in C:\Users. This took a while, but it had to be done for security: the default ACL on a freshly formatted NTFS volume lets every user on the device read everything on it. You could look into using robocopy to copy the original folders along with their ACLs, which might save time.

Next I ran Disk Management (from Search, or Win+X -> Computer Management) and removed the drive letter from the SD card. I created a folder on C:\ called SD and then added a mount path pointing at that folder.

Once that was all done I was able to right-click each library, go to Properties and add the new locations to each library. I set the new Public and Rob folders as the default save locations for public and the current user respectively.
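The folder and ACL steps above, as an added PowerShell example (not the post's own script). It assumes the card is already NTFS and mounted at C:\SD as in the post, names the per-user folder after the current user ($env:USERNAME, "Rob" in the post), and uses mountvol and icacls rather than .NET ACL calls because Windows RT's PowerShell runs in ConstrainedLanguage mode. Run it from an elevated PowerShell prompt (Win+X):

```powershell
# Added example (not from the original post): creates the Public/<user> folder tree
# on the SD card and copies the DACLs from C:\Users onto it with icacls instead of
# setting each permission by hand. Assumptions: the card is NTFS and is already
# mounted at C:\SD; the per-user folder is named after $env:USERNAME.

$mount   = 'C:\SD'
$user    = $env:USERNAME
$subdirs = 'Music', 'Pictures', 'Documents', 'Videos'

# Step 1: refuse to run unless a volume is really mounted at C:\SD, otherwise the
# tree would quietly be created on the system drive instead of the card.
# (mountvol <folder> /L prints the \\?\Volume{GUID}\ name mounted at that folder;
#  "mountvol C:\SD \\?\Volume{GUID}\" is the command-line form of the Disk
#  Management mount-path step, and plain "mountvol" lists the volume GUIDs.)
$vol = & mountvol $mount /L 2>$null
if (-not $vol -or ($vol | Out-String) -notmatch 'Volume\{') {
    throw "Nothing is mounted at $mount; mount the card there first."
}

# Step 2: for each folder, copy the DACL of its C:\Users counterpart.
# icacls /save stores the DACL under the folder's own name (relative to its parent)
# and /restore re-applies it to that name below the directory you give it, so
# saving C:\Users\Public and restoring into C:\SD sets the DACL of C:\SD\Public.
$aclFile = Join-Path $env:TEMP 'sd-acl.txt'
foreach ($name in @('Public', $user)) {
    $src = Join-Path 'C:\Users' $name
    $dst = Join-Path $mount $name
    if (-not (Test-Path $src)) { throw "$src does not exist" }

    # Create the folder and fix its DACL *before* creating the subfolders, so they
    # inherit the copied entries rather than the card's default ones.
    New-Item -ItemType Directory -Path $dst -Force | Out-Null
    & icacls $src /save $aclFile | Out-Null
    & icacls $mount /restore $aclFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed to apply the DACL of $src to $dst" }

    foreach ($d in $subdirs) {
        New-Item -ItemType Directory -Path (Join-Path $dst $d) -Force | Out-Null
    }
}
Remove-Item $aclFile -ErrorAction SilentlyContinue

# Step 3: show the result and check that no volume-wide "Users" entry survived on
# the per-user folder (on the system drive only SYSTEM, Administrators and the
# user themselves have access to C:\Users\<user>).
foreach ($name in @('Public', $user)) { & icacls (Join-Path $mount $name) }
$userAcl = & icacls (Join-Path $mount $user) | Out-String
if ($userAcl -match 'BUILTIN\\Users|Authenticated Users') {
    Write-Warning "$mount\$user is still readable by other users; check the DACL above."
}
```

After it runs, the libraries still have to be pointed at C:\SD\Public\... and C:\SD\<user>\... by hand as described above; the script only prepares the folders and their permissions.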

Job done: now I can move all my content from the C drive to the SD card and apps will see it, and since I changed the default save location, any music I download etc. will be saved there. However, if you're going to BitLocker the SD card I'd suggest waiting until after that before copying data over; enabling BitLocker on an empty volume is much quicker.

Security

I mentioned security above where I said I set up ACLs on the folders; however, that's only half the story. ACLs only mean something while the card is inside a Windows machine that enforces them, and anyone who pulls the card out can read it in another device. This is a removable disk with my personal data on it, and I really want it encrypted.

Luckily, and mostly unknown to people, the Surface has a TPM and comes with BitLocker enabled on the system drive out of the box. Great, I can BitLocker my SD card.

Except that Surface exposes no UI for it, and as it turns out the manage-bde command won't let you do it either, failing with a message that this version of the OS doesn't support that operation when you try to encrypt. I have no idea why; it really should support encrypting removable (or in this case semi-permanent) storage, and the restriction seems quite arbitrary. (Strictly, the TPM only protects the OS drive; BitLocker on a removable drive is unlocked with a password or key file, which is exactly what the steps below rely on.)

No worries though: I simply put the SD card into my desktop machine, which is running Windows 8 Enterprise (Pro will do too), right-clicked it and selected Turn on BitLocker. I set a password and backed up the recovery key to a file. Keep that file somewhere other than the card itself; it contains the 48-digit recovery password that unlocks the card on any Windows machine.

Putting the SD card back in the Surface didn't auto-unlock it, so I had to go to the command line.

I started an elevated command prompt (Win+X) and then executed the following:

manage-bde -unlock c:\sd -password

I then entered my password and the card was unlocked. Ideally though, I want this to happen automatically at reboot.

Automatic unlocking

Again this is an area where things are missing: the -autounlock option on manage-bde doesn't work on this version of Windows, so I had to create an unlock script.

This was quite easy. I created a new .bat file in my user documents folder on the C drive. The script simply contains the above unlock command with one change: rather than -password I use -rp, which takes a recovery password on the command line. You need to get the recovery password from the file saved out when you BitLockered the SD card; it's the big long number (48 digits in groups of six) at the end of the text file. Just put that after the -rp option. Bear in mind that the .bat file now holds a secret that unlocks the card on any machine, so make sure its ACL only lets you and Administrators read it.

It looks something like this, where the xxxxxx-xxxxxx bit is your recovery password. Some people in the comments have had success with -rk instead of -rp, but -rp works for me. The two are not interchangeable: -rp expects the 48-digit recovery password itself, while -rk expects the path of a .bek recovery key file.

manage-bde -unlock c:\sd -rp xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx

Next I used Task Scheduler, which you can get to from Computer Management (Win+X), to create a new task. The task was set to run as me with highest privileges (the unlock needs elevation) and triggered to run at startup. The action for the task runs my .bat file.
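The unlock script and the startup task, as an added PowerShell example installed in one go from an elevated prompt (this is not the post's own .bat file or task). It deliberately differs from the post in two ways: the script is kept in a folder that only SYSTEM and Administrators can read, since it contains a secret that unlocks the card on any Windows machine, and the task runs as SYSTEM so no user password has to be stored with it. It assumes the card is mounted at C:\SD; the recovery password is a placeholder you replace with the 48-digit number from your recovery key file; the folder, file and task names are my choice; and manage-bde -status is assumed to accept the mount path the same way -unlock does in the post.

```powershell
# Added example (not from the original post): writes a startup unlock script and
# registers the scheduled task that runs it. Assumptions: the card is mounted at
# C:\SD; $recoveryPw is a placeholder to be replaced with your own recovery
# password; paths and the task name are arbitrary choices.

$mount      = 'C:\SD'
$scriptDir  = 'C:\ProgramData\SdUnlock'
$scriptPath = Join-Path $scriptDir 'Unlock-Sd.ps1'
$taskName   = 'Unlock SD card'
$recoveryPw = '111111-222222-333333-444444-555555-666666-777777-888888'   # placeholder

# A BitLocker recovery password is eight groups of six digits; catch a pasted
# .bek path or a truncated number before it ends up in the script.
if ($recoveryPw -notmatch '^(\d{6}-){7}\d{6}$') {
    throw 'The recovery password must be 8 groups of 6 digits (use -rk for a .bek file instead).'
}

# The startup script. It checks the lock state first so a re-run, or a card that
# was already unlocked by hand, exits cleanly instead of failing.
$unlockScript = @"
`$status = & manage-bde -status $mount 2>&1 | Out-String
if (`$status -match 'Lock Status:\s+Unlocked') { exit 0 }
# -rp takes the 48-digit recovery password; -rk would take the path of a .bek key file.
& manage-bde -unlock $mount -rp $recoveryPw
exit `$LASTEXITCODE
"@

# Create the folder and lock it down *before* the secret is written into it:
# drop the inherited ProgramData entries (readable by every user) and grant only
# SYSTEM and Administrators.
New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null
& icacls $scriptDir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $scriptDir" }
Set-Content -Path $scriptPath -Value $unlockScript -Encoding ASCII

# Register the startup task with schtasks.exe (present on Windows RT). /RU SYSTEM
# needs no stored password and /RL HIGHEST gives the elevation manage-bde needs.
$cmd = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $scriptPath"
& schtasks /Create /F /TN $taskName /SC ONSTART /RU SYSTEM /RL HIGHEST /TR $cmd | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'schtasks failed to create the task' }

# Run it now rather than waiting for a reboot, then show the card's status.
& schtasks /Run /TN $taskName | Out-Null
Start-Sleep -Seconds 5
& manage-bde -status $mount
```

The recovery password still appears briefly on the manage-bde command line while the task runs, so this reduces rather than removes exposure; the folder ACL is what stops other accounts on the device from simply reading the secret out of the script.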

Now when I reboot, my machine automatically unlocks the SD card, and I'm safe in the knowledge that someone needs a logon to my Surface to access it (the script holding the recovery password sits on the TPM-protected, BitLocker-encrypted system drive), and if they remove the card they need the password for the SD card to unlock it.

The final step

This one's optional, but if like me you're not planning on removing the SD card (which I'd really recommend once you've added it to your libraries, as things get upset if you do), then you might want to enable write caching on the SD card.

Just run Device Manager (again, Win+X is your friend), expand Disk Drives and open Properties on the SD Memory Card. Select Policies and "Better performance". Note that with write caching enabled you *must* use Safely Remove Hardware in the notification area on the desktop before ejecting the SD card. If you don't, you might lose data that hasn't been flushed from memory to the card.

15 thoughts on "Securely extending Surface RT with an SD card and BitLocker"

  1. I cannot auto unlock :(

    An example please

    This correct?
    manage-bde -unlock C:\Users\Alysson\MicroSD -rp “C:\Users\Alysson\123456-123456-123456-123456-123456-123456-123456-123456.bek”

    • Hi Alysson,

      It looks like you're using a .bek file, which I think is the actual key file rather than a password. Try using -rk instead of -rp and see if that works.

  2. Hi,
    Is this correct? My SD card is the E:\ drive on my Surface RT, and my bat file has the following:

    manage-bde -unlock e: -rk xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    But when run at startup it does not unlock the SD card

    Thanks
    Wayne

    *edited to delete the recovery key – Rob*

  3. Thank you, your article was perfect.

    I used it to similarly configure my Lenovo Tablet 2 with the SD card expansion. BTW, on my Windows 8 Pro it DID let me turn on “AutoUnlock On” on the SD card (mapped like yours to a folder on C with no remaining drive letter mapping). But, just in case, I installed the batch file anyways, I didn’t want it to fail.

    For those confused, the batch command can be written as:
    manage-bde -unlock c:\sd -rp

    • The HTML parser edited my batch line, it should read:

      manage-bde -unlock c:\sd -rp [really-long-recovery-password-numbers&dashes]

    • Windows 8 Pro has the option to autounlock but Windows RT doesn't, unfortunately. On Pro you shouldn't need the batch file, I'd have thought, so it should be ok to skip it.

  4. Thanks, great job on the guide!

    But, how do you check the amount of free space with this solution? I used an extra drive letter but maybe you know otherwise?

    • Thanks. You can check the space by selecting properties on the mount point in explorer and then clicking the properties button next to “Type: Mounted Volume” in the properties window. That’ll open the regular properties window you normally get from a drive letter.

  5. Thanks for the comments, I’ve updated the article to include the actual command line I use in the unlock batch file and also to mention using robocopy to copy the original folders ACLs.

  6. Fantastic article! Thank you!

    This goes to show the versatility of command line even in the new ages! Anyone in IT should have the basic knowledge of cmd no matter the version of Windows.

    As technology advances, we evolve into GUI. But the cmd line is still the basis of it all! I feel sorry for the next generation as GUI kids.

    Keep it alive my brother!

    [Rook~]

    • I agree, lots of really useful stuff in PowerShell and the Windows cmd line. Fortunately it looks like you don’t need to do this any more with Windows 8.1, it can auto unlock SD cards now and has an option to move your photos, movies and music to the SD although I still just manually changed the folder locations since I want documents etc on my SD too.

      Nice to have the options though.

  7. I don’t know if this works but does this apply to you:
    http://answers.microsoft.com/en-us/windows/forum/windows_rt-security/how-to-encrypt-sd-card-on-windows-rt/687485db-e9ac-4070-a21c-cd6680bfbd4e

    “On Windows RT and Windows RT 8.1 when you are prompted to enter the decryption password for a USB or MicroSD card that has been encrypted with BitLocker, you can click on the “More Options” link and can set that device to trust the computer you have it plugged in to (in this case a Surface RT or Surface 2 which runs RT) and have it auto-unlocked when connected.”

  8. Excellent article, it told me what I needed to know. But I suspect some details are now out of date with respect to Windows RT 8.1. First, it seems to be no longer true that removable media cannot be added to libraries – they can indeed be added. Second, “manage-bde -autounlock” now appears to work fine.

    • Yep you’re right, most of this isn’t really needed any more as 8.1 fixed most of these issues.
