YellowKey fully bypasses Microsoft BitLocker encryption on affected Windows PCs: Bitcoins, personal data at risk

Nightmare-Eclipse has released YellowKey, a software bypass that unlocks all affected BitLocker encrypted disks without needing users to enter their passwords. The hack leverages code left behind in the WinRE environment to turn off BitLocker encryption while booting into the recovery environment. Windows 11 and Windows Server 2022 & 2025 systems are affected, but not Windows 10 systems due to differences in WinRE.

All owners of Windows 11 systems who store valuable cybercoins, password lists, and confidential personal data on their BitLocker encrypted computers should strongly consider moving them immediately into an encrypted drive or folder secured by another tool, such as 7-Zip using AES-256 encryption or VeraCrypt using more than one encryption method.

Once the YellowKey files have been downloaded onto a USB drive, or simply copied directly into the EFI partition of any target BitLocker encrypted drive, simply booting into the Windows Recovery Environment while holding down certain keyboard keys will immediately unlock all vulnerable drives, allowing hackers and thieves full access to all data.

The hack works by triggering WinRE to enter a test mode that automatically unlocks BitLocker encrypted drives, then a FailRelock flag can be set to skip relocking of BitLocker drives before giving the attacker full command-line access. This code flaw does not exist in the Windows 10 WinRE environment, but other recent versions of Windows may be similarly affected.

Microsoft has not yet acknowledged the BitLocker hack nor released a fix. Users can check whether their drive is using BitLocker encryption using these steps, and businesses should consider all confidential data stored in affected systems to be fully at risk.