My team at work was recently working on encrypting some hard drives using Microsoft's BitLocker on Windows 7 hosts. The initial encryption for the 2TB drives took several hours to complete. This is all fine and dandy.

What is concerning me however, is that upon changing the password, the process was instantaneous. This doesn't make sense to me, since I assumed that BitLocker was using my provided password (or some hashed derivative) to actually perform the encryption. If that were the case, then the drive should require complete decryption followed by re-encryption (a several hour process, right?).

So how does BitLocker actually encrypt the data? Does it use some secret value hidden in the depths of the Windows code to perform the encryption? And if so, is my password merely a check to see if Windows will permit decrypting? If so, what protection am I really getting from BitLocker, since a stored encryption key is a breakable encryption key...

Sam

2 Answers

BitLocker uses something called surrogate keys. The data on the disk is encrypted with a random key (surrogate key), and that key is then encrypted with a second key derived from your password (header key). The encrypted surrogate key is then stored in the volume header.

When you type your password in, the system derives the header key from it, then uses that to decrypt the surrogate key, which is in turn used to decrypt the data. Changing your password just re-encrypts that volume header with a new header key, rather than the entire disk.

Polynomial
  • So if a password is compromised, an attacker could obtain the surrogate key and then still access the drive even after the password was changed, right? – Will M Sep 05 '14 at 03:02
  • Yes, if the surrogate key is compromised, changing the password doesn't help because ultimately it's the surrogate key that actually protects the data. You'd probably have to decrypt and re-encrypt to force it to generate a new surrogate key. – tlng05 Sep 05 '14 at 03:16
  • @WillM That is a real threat in most storage encryptions. I was looking into that problem a decade ago. I found a solution which would work in theory, but would come with a performance overhead. The idea is that each time a sector is written, a new key is generated for that one sector. A few such keys are grouped together and encrypted with a generated key. This way a tree structure is formed, and the root is stored in memory and encrypted asymmetrically on disk. The naive disk layout would be inefficient and prone to data loss in case of power loss during an update. – kasperd Sep 05 '14 at 06:52
  • @WillM A log-structured layout on disk would be required to make my scheme efficient and avoid the data loss problem. As far as I recall, I calculated the optimal fanout in the tree structure to be 3, but 2 or 4 may be more practical to implement and about the same efficiency. The root could be encrypted with RSA and public exponent 3 to reduce the number of multiplications needed when writing. Multiple writes could be grouped such that the root doesn't have to be rewritten after every written sector. – kasperd Sep 05 '14 at 06:56

Just to elaborate a bit on the original answer. There are actually two "surrogate" keys. There is something called the FVEK (Full Volume Encryption Key); keys derived from it are what is actually used to perform the encryption of data on the disk. Then there is an MVK (Master Volume Key), which is used to encrypt the FVEK in the header. It is the MVK which is then encrypted by the keys used to access the volume, such as the password-derived key, recovery key, recovery password, TPM password or USB key. If one of the last-level keys is compromised and the attacker has had access to the disk while that key was being used, then yes, the whole structure is compromised.

On the other hand, if the password is compromised but you have retained control over the disk (and no one made a backup of your header ahead of time), then just changing the password re-encrypts the MVK, and the MVK encrypted by the old password is deleted.

DRF
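The key hierarchy both answers describe (data key, wrapped by a volume master key, wrapped in turn by one or more password-derived "protectors"), and the threat raised in the comments (a copied header or stolen master key surviving a password change), as an added, runnable model. This is illustrative code written for this page, not BitLocker's code or on-disk format: the FVEK/VMK/protector names follow the second answer, the field layout is invented, PBKDF2-HMAC-SHA256 stands in for BitLocker's password stretching, and an HMAC-SHA256 counter-mode keystream stands in for AES (BitLocker's real cipher) so that it runs with the standard library alone. It goes slightly beyond the first answer's two-level description by modelling several protectors wrapping the same VMK, as the second answer outlines.

```python
"""Toy BitLocker-style key hierarchy: secret -> header key -> VMK -> FVEK -> data.

Added example, not BitLocker's code or format. The cipher below is an
HMAC-SHA256 counter-mode keystream used as a stand-in for AES; the header
field names and layout are invented for illustration.
"""
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 16
KEY_LEN = 32
KDF_ITERATIONS = 100_000  # toy value; only the structure matters here


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 XORed over data (stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def header_key(secret: str, salt: bytes) -> bytes:
    """Password (or recovery secret) -> the key that wraps the VMK."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ITERATIONS, dklen=KEY_LEN)


def _vmk_check(vmk: bytes) -> bytes:
    """Check value so a wrong secret is rejected instead of yielding garbage plaintext."""
    return hmac.new(vmk, b"vmk-check", hashlib.sha256).digest()


def wrap_vmk(vmk: bytes, secret: str) -> dict:
    """One protector: the VMK encrypted under a key derived from one secret."""
    salt = os.urandom(NONCE_LEN)
    return {"salt": salt, "wrapped_vmk": encrypt(header_key(secret, salt), vmk)}


def create_volume(password: str, plaintext: bytes) -> dict:
    fvek = secrets.token_bytes(KEY_LEN)  # encrypts the data; replacing it means rewriting every sector
    vmk = secrets.token_bytes(KEY_LEN)   # wraps the FVEK; every protector wraps this one key
    header = {
        "wrapped_fvek": encrypt(vmk, fvek),
        "vmk_check": _vmk_check(vmk),
        "protectors": {"password": wrap_vmk(vmk, password)},
    }
    return {"header": header, "data": encrypt(fvek, plaintext)}


def unwrap_vmk(header: dict, protector: str, secret: str) -> bytes:
    p = header["protectors"][protector]
    vmk = decrypt(header_key(secret, p["salt"]), p["wrapped_vmk"])
    if not hmac.compare_digest(_vmk_check(vmk), header["vmk_check"]):
        raise ValueError(f"wrong secret for protector {protector!r}")
    return vmk


def unlock(volume: dict, secret: str, protector: str = "password") -> bytes:
    """Only the final step touches the data area; everything before it is header work."""
    vmk = unwrap_vmk(volume["header"], protector, secret)
    fvek = decrypt(vmk, volume["header"]["wrapped_fvek"])
    return decrypt(fvek, volume["data"])


def change_password(volume: dict, old_password: str, new_password: str) -> int:
    """Re-wrap the same VMK under the new password. Returns data-area bytes rewritten (0)."""
    vmk = unwrap_vmk(volume["header"], "password", old_password)
    volume["header"]["protectors"]["password"] = wrap_vmk(vmk, new_password)
    return 0


def add_protector(volume: dict, password: str, name: str, secret: str) -> None:
    """E.g. a recovery password: another wrapping of the same VMK, again header-only."""
    vmk = unwrap_vmk(volume["header"], "password", password)
    volume["header"]["protectors"][name] = wrap_vmk(vmk, secret)


def rekey_volume(volume: dict, password: str) -> tuple:
    """The slow path: fresh FVEK and VMK, every sector re-encrypted.
    Returns (new_volume, data-area bytes rewritten)."""
    plaintext = unlock(volume, password)
    new_volume = create_volume(password, plaintext)
    return new_volume, len(new_volume["data"])


if __name__ == "__main__":
    vol = create_volume("hunter2", b"constructed sample sector contents" * 4)
    backup = {**vol["header"], "protectors": dict(vol["header"]["protectors"])}  # attacker's header copy
    change_password(vol, "hunter2", "correct horse battery staple")
    # old password is now rejected on the live header, but the copied header still opens the data
    print(unlock({"header": backup, "data": vol["data"]}, "hunter2")[:20])
```

Run it and note that `change_password` returns 0 rewritten data bytes while `rekey_volume` returns the whole data area: that difference is why the password change in the question was instantaneous and the initial encryption took hours. The final lines reproduce the comment thread's point: a header copied before the change, plus the old password, still decrypts the unchanged data, and only `rekey_volume` (a new FVEK) shuts that door.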