tech_documents:windows:bitlocker_auto_unlock_data

https://superuser.com/questions/992008/enable-bitlocker-auto-unlock-without-system-drive-encryption

BitLocker can auto-unlock the system drive using a USB key, TPM, etc. It also has an auto-unlock option for data drives and removable drives, but those only unlock after a user logs in. For servers with services on non-system drives, or with the Windows Server Backup drive, that would mean logging in to the server after every reboot… not gonna happen.

Instead, you can use a scheduled task that runs at startup to unlock the drive.

The system drive must be encrypted with BitLocker for this to work; otherwise it is pointless, because the .BEK key file stored on C: can be read by anyone who can read the system disk (for example by mounting it offline), and Z: would then be no better protected than an unencrypted drive. We use a USB key to auto-unlock our system drives (a virtual USB drive mounted via NFS, since our servers are virtualized).

Enable BitLocker on the Z: drive and save the external key file to c:\data\bitlocker with:

manage-bde -on Z: -usedspaceonly -recoverykey C:\data\bitlocker

(Omit -usedspaceonly if you want to encrypt the free space as well, which matters if the free space previously held data. The remaining options, e.g. encryption method, should come from group policy.)

It will output something like:

[Data Volume]
Key Protectors Added:

    Saved to directory C:\data\bitlocker

    External Key:
      ID: {9E790798-AED5-49AF-BF4E-5175BC7C5FC8}
      External Key File Name:
        9E790798-AED5-49AF-BF4E-5175BC7C5FC8.BEK

Encryption is now in progress.

In the folder c:\data\bitlocker there will now be a hidden system file (you'll need to show hidden/system files to see it) named 9E790798-AED5-49AF-BF4E-5175BC7C5FC8.BEK. This file is a full key protector for the volume, not a password: whoever can read it can unlock Z:.

Copy this file to a safe place and document what it is; if the computer dies you won't be able to access this encrypted drive without it.

Check the status of the encryption process:

manage-bde -status

To unlock:

manage-bde -unlock Z: -RecoveryKey "C:\data\bitlocker\9E790798-AED5-49AF-BF4E-5175BC7C5FC8.BEK"

Now we want to automate the unlock process without needing to log in.

Create a scheduled task with the following options:

Run as: SYSTEM with highest privileges.
Trigger: On Startup, delay task for 1 minute
Action: Start a program -> Program/Script: C:\Windows\System32\manage-bde.exe -> add arguments: -unlock Z: -RecoveryKey "C:\data\bitlocker\9E790798-AED5-49AF-BF4E-5175BC7C5FC8.BEK"
Conditions: clear all

To test that the task unlocks the drive, create a shared folder on the encrypted drive and access the share from a different computer. Once you've verified the share works, reboot the computer with the encrypted drive without logging in afterwards; if the share still works, the task/auto-unlock was successful, otherwise check your work.

Once you've verified it works, change the permissions on the c:\data\bitlocker folder so that only SYSTEM has access (disable inheritance and remove the other entries). Note that members of the local Administrators group can still take ownership of the folder and read the key, so this keeps the key away from non-admin users and processes, not from an administrator. Reboot and check again that everything works.
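The same procedure (register the startup unlock task, lock the key folder down to SYSTEM, then check the result) scripted in PowerShell. This is an added example, not part of the original page: it assumes the same volume letter Z: and key folder C:\data\bitlocker as above, uses an arbitrary task name BitLocker-Unlock-Z, and discovers the .BEK file name from the volume's ExternalKey protector instead of hard-coding the GUID. Run it from an elevated PowerShell on the server after the manage-bde -on step.

```powershell
# Added example, not from the original wiki page. Assumes Z:, C:\data\bitlocker
# and the task name below; adjust to taste. Must run elevated.

$Volume   = 'Z:'
$KeyDir   = 'C:\data\bitlocker'
$TaskName = 'BitLocker-Unlock-Z'   # arbitrary name, assumption

# Find the external key protector that "manage-bde -on ... -recoverykey" added.
# The .BEK file is named after the protector ID with the braces stripped.
$ext = @((Get-BitLockerVolume -MountPoint $Volume).KeyProtector |
         Where-Object KeyProtectorType -eq 'ExternalKey')
if ($ext.Count -eq 0) { throw "No external key protector on $Volume; run manage-bde -on first." }
$bek = Join-Path $KeyDir ($ext[0].KeyProtectorId.Trim('{}') + '.BEK')
if (-not (Test-Path $bek)) { throw "Key file $bek not found; restore it from your backup copy." }

# Same action the page configures by hand: manage-bde -unlock with the .BEK file.
$action = New-ScheduledTaskAction `
    -Execute "$env:SystemRoot\System32\manage-bde.exe" `
    -Argument "-unlock $Volume -RecoveryKey `"$bek`""

# At startup, delayed one minute (ISO 8601 duration) so the BitLocker service
# and the NFS-backed virtual USB key are up before the unlock is attempted.
$trigger = New-ScheduledTaskTrigger -AtStartup
$trigger.Delay = 'PT1M'

# SYSTEM with highest privileges; no interactive logon is involved.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# "Conditions: clear all": do not skip or stop the task because of power state,
# and do not tie it to network availability (the default).
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Lock the key folder down. Anyone who can read the .BEK can unlock Z:, so this
# ACL is the whole access-control boundary for the data volume on a running box.
# /reset puts the tree back to inherited defaults, /inheritance:r then drops every
# inherited entry, and /grant:r leaves SYSTEM as the only principal with access.
# Administrators can still take ownership, so this does not stop a local admin.
& icacls $KeyDir /reset /T /C | Out-Null
& icacls $KeyDir /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' /T /C | Out-Null

# Run the task now and report what happened. LastTaskResult is manage-bde's exit
# code; LockStatus should read Unlocked.
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 10
[pscustomobject]@{
    Task       = $TaskName
    LastResult = (Get-ScheduledTaskInfo -TaskName $TaskName).LastTaskResult
    LockStatus = (Get-BitLockerVolume -MountPoint $Volume).LockStatus
}
```

The volume is normally still unlocked right after manage-bde -on, so the first run of the task reports an error from manage-bde (the volume is already unlocked) and proves nothing. To exercise the task for real without a reboot, lock the volume first with manage-bde -lock Z: -ForceDismount (only if nothing is using Z:) and start the task again; the reboot test described above remains the definitive check.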

  • tech_documents/windows/bitlocker_auto_unlock_data.txt
  • Last modified: 2021/02/06 16:11
  • by jacob.hydeman