Summary of "Yellow Key: BitLocker has been Broken! Don't lose your laptop!"
Overview
Yellow Key (also known as Nightmare Eclipse / Chaotic Eclipse) is a newly disclosed BitLocker bypass released May 12. It is presented as a practical “physical-access-like” attack that can undermine BitLocker without breaking encryption itself.
What the bypass is said to do
- Does not require:
  - A password
  - BitLocker recovery key
  - TPM sniffing
  - RAM imaging
  - Hardware modification (e.g., a “soldering iron”)
- A public proof-of-concept (PoC) is available on GitHub.
- The attack is described as not cryptographically breaking BitLocker:
  - AES is not broken
  - The TPM is not “made useless”
- Instead, it appears to abuse the Windows Recovery Environment (WinRE), specifically behavior tied to transaction repair handling in the FSTX folder.
- This can allegedly trick WinRE into mounting BitLocker-protected volumes read/write during recovery, meaning the attacker is effectively leveraging the “trusted” recovery workflow.
Affected systems (as stated)
- Impacted:
  - Windows 11
  - Windows Server 2022
  - Windows Server 2025
- Not impacted:
  - Windows 10
Claimed impact / why it matters
- Many default BitLocker + default TPM configurations may be silently unlocked, because those setups are designed for recovery convenience.
- The video emphasizes this is not:
  - a “downgrade” attack
  - a hardware TPM attack
- However, it may still be very effective: a prepared USB stick, a recovery boot, and the right recovery trigger path could allegedly yield access such as an admin shell with full access to the encrypted volume.
- The video mentions reports of reliability with practice and claims of active exploitation.
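The two preconditions the summary names are a BitLocker volume that unlocks through the TPM alone (the default configuration) and an enabled WinRE. The following PowerShell script is an added inventory example, not code from the video or from the original disclosure: it reports, per volume, which key protectors are present and whether the volume auto-unlocks via a TPM-only protector, and whether WinRE is enabled, so an administrator can see which machines match the configuration described above. It assumes the BitLocker PowerShell module (`Get-BitLockerVolume`) and `reagentc.exe` are available, that the prompt is elevated, and that `reagentc /info` prints its status in English; the function name `Get-BitLockerExposureReport` is this example's own.

```powershell
# Added example (not from the video or the original disclosure): inventory the
# preconditions the summary names, i.e. BitLocker volumes that rely on a
# TPM-only protector (the default setup) and an enabled Windows Recovery
# Environment. Assumes the BitLocker module and reagentc.exe are present and
# that the shell is elevated.

function Get-BitLockerExposureReport {
    [CmdletBinding()]
    param()

    # OS identification, so the result can be compared with the "impacted"
    # list in the summary (Windows 11 / Server 2022 / Server 2025).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # One record per BitLocker volume. KeyProtectorType 'Tpm' is the
    # protector that unlocks with no user-supplied secret at boot; 'TpmPin',
    # 'TpmStartupKey' and 'TpmPinStartupKey' are distinct enum values and are
    # therefore not matched by the exact -contains test below.
    $volumes = Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus.ToString()
            VolumeStatus     = $_.VolumeStatus.ToString()
            Protectors       = ($types -join ', ')
            TpmOnlyUnlock    = [bool]($types -contains 'Tpm')
        }
    }

    # WinRE state, parsed from reagentc /info (English output assumed).
    $reInfo    = & reagentc.exe /info 2>$null
    $reEnabled = [bool]($reInfo | Where-Object { $_ -match 'Windows RE status:\s*Enabled' })

    # Volumes that are protected *and* auto-unlock through the TPM alone are
    # the ones that match the "default BitLocker + default TPM" description.
    $atRisk = @($volumes | Where-Object { $_.ProtectionStatus -eq 'On' -and $_.TpmOnlyUnlock })

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OsCaption     = $os.Caption
        OsBuild       = $os.BuildNumber
        WinReEnabled  = $reEnabled
        Volumes       = $volumes
        TpmOnlyOnWinRe = @($atRisk | Where-Object { $reEnabled })
    }
}

# Usage: print a one-screen report for this machine.
$report = Get-BitLockerExposureReport
"{0}: {1} (build {2}), WinRE enabled: {3}" -f $report.ComputerName, $report.OsCaption, $report.OsBuild, $report.WinReEnabled
$report.Volumes | Format-Table MountPoint, ProtectionStatus, VolumeStatus, Protectors, TpmOnlyUnlock -AutoSize
if ($report.TpmOnlyOnWinRe.Count -gt 0) {
    "Volumes with TPM-only unlock on a host with WinRE enabled: " + (($report.TpmOnlyOnWinRe | ForEach-Object MountPoint) -join ', ')
}
```

The script only reports state; it changes nothing. Because the output is an object rather than formatted text, it can be collected from many hosts (for example via `Invoke-Command`) and filtered centrally on `TpmOnlyOnWinRe`.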
Context about “back door” claims
- The speaker cautions against calling it a “back door”, suggesting it could instead be forgotten debug/recovery shortcuts/test hooks—features or logic that survive into production and look malicious in hindsight.
Main speakers / sources
- Dave (speaker in the video)
- Source attribution referenced:
- Nightmare Eclipse / Chaotic Eclipse (original disclosure)
- GitHub (where the public PoC is reportedly posted)
- Independent testers (mentioned for reliability claims)
Category
Technology