16 May 2026·5 min read·By Sloane Meyer

YellowKey exploit: BitLocker bypass warning

YellowKey exploit bypasses default Windows 11 BitLocker. Attackers can access encrypted drives. Here's what you need to do.

The YellowKey exploit just punched a hole in Windows 11 BitLocker. If you rely on default BitLocker to protect your laptop data, pay attention: a researcher called Nightmare-Eclipse published a zero-day bypass this week. It lets anyone with physical access unlock your encrypted drive in seconds. No password needed. No recovery key. Just a USB stick and a few keystrokes.

How the bypass works

The trick is a custom folder called FsTx. You copy it to a USB drive, plug it into a locked Windows 11 machine, boot into recovery, and hold [Ctrl]. A command prompt pops up with full drive access. That should not happen. Normal recovery demands a BitLocker recovery key. YellowKey skips it.

Multiple researchers confirmed it. Kevin Beaumont and Will Dormann both verified the exploit behaves exactly as described.

The technical guts

Dormann, a senior principal vulnerability analyst at Tharros Labs, dug into the mechanism. He found something weird. The FsTx folder on a USB drive can delete a critical file on a different drive during recovery. That file normally launches the Windows Recovery environment. Once deleted, the system gives you a command prompt instead, with BitLocker already unlocked.

“Why can the presence of a \System Volume Information\FsTx directory on one volume affect the contents of ANOTHER VOLUME when it’s replayed?” - Will Dormann

Dormann thinks that buried lede is a separate vulnerability in itself: one volume rewriting another volume’s system files.

Who is at risk

This only affects Windows 11 default BitLocker mode. That mode stores your encryption key in the device’s TPM chip. No additional PIN. No password. It is the most common configuration for consumers and many businesses. If you have ever enabled BitLocker without setting a startup PIN, you are exposed.

  • Attack needs physical access to your device.
  • It is unclear whether a BIOS password provides protection against this exploit.
  • Works only on Windows 11, and has not been reported on older versions.

What security pros have long warned

For years, TPM-only BitLocker has been called insufficient. Security experts have repeatedly advised adding a PIN at boot time, because that PIN would be required before the TPM releases the decryption key. Default protection was never enough. YellowKey proves them right.

Beaumont recommended a BIOS password. But the source notes it's unclear how that actually stops YellowKey because the bypass runs from within Windows recovery and may not respect BIOS locks.

Microsoft’s response

No patch is available. No advisory has been issued. A Microsoft representative declined to answer emailed questions, and the company only said it's investigating. For now, default BitLocker on Windows 11 isn't providing the protection it promises.

“People should know that at the moment, BitLocker on Windows 11 isn’t providing the protection it’s supposed to.” - Ars Technica report

What should you do tonight

Real talk: if you lose your laptop or have it stolen, an attacker can now read everything. That means personal files, business documents, saved passwords. The risk is real.

Market Context: According to IBM and the Ponemon Institute, small organizations with fewer than 500 employees saw average data breach costs increase to $3.31 million in 2023.

Here is what you can do right now:

  • Enable a BitLocker startup PIN. Go to Group Policy or use manage-bde to require a PIN before boot.
  • Consider full-disk encryption outside of default Windows 11 BitLocker. Third-party tools often require a pre-boot password.
  • If you manage devices for a small business, enforce a BIOS password and a BitLocker PIN today.
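
One way to carry out the first step, shown as an added example rather than anything from the researchers or Microsoft: the function `Get-TpmOnlyVolume` and the sample objects are constructed for illustration, while `Get-BitLockerVolume`, `Add-BitLockerKeyProtector` and `manage-bde` are the standard Windows tools. It flags operating system volumes that unlock from the TPM alone and adds a TPM+PIN protector to each.

```powershell
# Added example. Run from an elevated PowerShell session.
# Prerequisite (Group Policy): Computer Configuration > Administrative Templates >
# Windows Components > BitLocker Drive Encryption > Operating System Drives >
# "Require additional authentication at startup" = Enabled, with
# "Configure TPM startup PIN" set to "Require startup PIN with TPM".

function Get-TpmOnlyVolume {
    # Flags OS volumes that unlock from the TPM alone (no PIN or startup key).
    param([Parameter(Mandatory)] [object[]] $Volumes)
    $preBoot = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    foreach ($v in $Volumes) {
        $types = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $hasPreBoot = @($types | Where-Object { $_ -in $preBoot }).Count -gt 0
        if ("$($v.VolumeType)" -eq 'OperatingSystem' -and $types -contains 'Tpm' -and -not $hasPreBoot) {
            [pscustomobject]@{ MountPoint = $v.MountPoint; Protectors = $types -join ', ' }
        }
    }
}

# Constructed sample objects (hypothetical), shaped like Get-BitLockerVolume output,
# so the check can be tried without touching a real disk.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'
        KeyProtector = @(@{ KeyProtectorType = 'Tpm' }, @{ KeyProtectorType = 'RecoveryPassword' }) },
    [pscustomobject]@{ MountPoint = 'D:'; VolumeType = 'OperatingSystem'
        KeyProtector = @(@{ KeyProtectorType = 'TpmPin' }, @{ KeyProtectorType = 'RecoveryPassword' }) }
)
Get-TpmOnlyVolume -Volumes $sample

# On a real device: audit, then add a TPM+PIN protector to each exposed OS volume.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $exposed = @(Get-TpmOnlyVolume -Volumes (Get-BitLockerVolume))
    foreach ($vol in $exposed) {
        $pin = Read-Host -AsSecureString "Startup PIN for $($vol.MountPoint)"
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -Pin $pin -TpmAndPinProtector
        # Equivalent with manage-bde (prompts for the PIN):
        #   manage-bde -protectors -add C: -TPMAndPIN
    }
    # Re-audit after the change to confirm which OS volumes, if any, are still flagged.
    Get-TpmOnlyVolume -Volumes (Get-BitLockerVolume)
}
```

Confirm a recovery password protector exists and is backed up before changing protectors, since a forgotten PIN leaves the recovery key as the only way in.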

Don't wait for a patch. Microsoft is investigating, but there's no timeline. YellowKey is already in the wild and the exploit code is published, so anyone can download it.

The bottom line

Default BitLocker was convenient. Convenience just cost you security. If you value your data, add a PIN now. The YellowKey exploit is not theoretical. It works. And your encrypted drive is open until you change the defaults.

Frequently Asked Questions

What is the YellowKey exploit and how does it bypass BitLocker?

The YellowKey exploit is a zero-day bypass that allows anyone with physical access to unlock a Windows 11 BitLocker-encrypted drive in seconds without a password or recovery key. It works by copying a custom folder called FsTx to a USB drive, booting into recovery, and holding [Ctrl] to get a command prompt with full drive access.

Why does the YellowKey exploit work only on Windows 11 default BitLocker mode?

The exploit only affects Windows 11 default BitLocker mode, which stores the encryption key in the device's TPM chip without requiring a PIN or password. This configuration is the most common for consumers and businesses, making them vulnerable because the TPM automatically releases the key at boot.

How does the FsTx folder cause the bypass according to Will Dormann?

Will Dormann found that the FsTx folder on a USB drive can delete a critical file on a different drive during recovery, which normally launches the Windows Recovery environment. Once that file is deleted, the system provides a command prompt instead, with BitLocker already unlocked.

When was the YellowKey exploit published and what is Microsoft's response?

The exploit was published this week by a researcher called Nightmare-Eclipse. Microsoft has not issued a patch or advisory; the company only said it is investigating, and a representative declined to answer emailed questions.

Who is at risk from the YellowKey exploit and what immediate action should they take?

Anyone using default BitLocker mode on Windows 11 without a startup PIN is at risk, especially if their device is lost or stolen. The article recommends enabling a BitLocker startup PIN via Group Policy or manage-bde, considering third-party full-disk encryption, and enforcing a BIOS password and BitLocker PIN for managed devices.

Written by Sloane Meyer, Cybersecurity Editor

Sloane Meyer covers cybersecurity, privacy and the threats facing individuals and organisations online. She explains how attacks happen and what can be done to stay protected.
