Screenshot of the "manage BitLocker" screen in Windows 11's control panel. We can see that BitLocker is turned on for drive C.

Is BitLocker broken? What's this about Yellow Keys?

What happened? 🗓️

On Tuesday 12th May (last week), an individual known as Nightmare Eclipse released a proof-of-concept exploit called "YellowKey" that allows someone in possession of a device encrypted with BitLocker to decrypt the drive. No recovery key required.

The exploit, available on GitHub, involves putting a collection of files onto a USB stick, then rebooting Windows in recovery mode. Usually this would prompt for a recovery key, but in this case the drive is simply unlocked.

Nightmare Eclipse hasn't shared exactly how and why this works yet, but if you're running Windows 11 then the exploit will work on your devices. Windows 10 is not affected.

We require a PIN to unlock BitLocker, so we're fine, right? 🔐

Nightmare Eclipse has indicated that they have an exploit, not yet published, that would defeat the TPMandPIN BitLocker configuration too.

Is it time to panic? 😱

Well, that depends on your threat model. BitLocker is still a very useful layer of defence, and turning it off would be worse than having it on.

To access your data, an attacker requires physical access to your device. They have to be able to plug a USB stick in and tell Windows to enter recovery mode.

If your team regularly leaves laptops unattended, and you know you're being targeted by attackers that could access your equipment, you may consider this a greater risk.

Regardless, panic rarely helps anyway.

What should I do? 🤔

I've never heard of "Nightmare Eclipse" 🕴️

You may also see Nightmare Eclipse referenced as Chaotic Eclipse, Chaos Eclipse, and Dead Eclipse. They seem to use multiple aliases across GitHub, their blog, and elsewhere.