
Note: This is not a question about how to preserve data on a device that is returned for warranty. Rather, this is a question about how to ensure that the encrypted remnant data on the device is not accompanied by decryption keys when the device is returned for warranty.


I have a Surface Pro 2 that has to be returned for warranty. It is still operational except that it reboots when you move it in just the right way.

When the device was deployed, the drives were encrypted using bitlocker. The encryption took place prior to writing any sensitive information to the drives. For this question, let's assume that I trust the device and Microsoft and that the device hasn't been pwned by way of some vulnerability or software that has been installed.

TPM Secrets

This device has relied on the security of the TPM to protect the sensitive information in case the device was stolen. As I understand it from Chris Tarnovsky's presentation, it is probably feasible to read the secrets from a TPM.

Since this is not a theft it seems like it should be possible to delete the secrets from the TPM and avoid that whole vulnerability.

Suspend-Bitlocker

Windows allows you to Suspend-Bitlocker which "makes the encryption key available in the clear." This seems to be what Windows defaults to when you manage the TPM from Windows. Obviously, I don't want to send the device back for warranty with bitlocker suspended.

Questions

  1. What secrets reside on the TPM which, if compromised, could be used to decrypt the contents of the drive?
  2. How can I ensure that the secrets are removed from the TPM?
  3. Is there a way to remove the secrets from the TPM in a way that avoids Windows making the encryption key available in the clear?
  4. Are there other precautions that I should consider taking prior to sending the device back for warranty?
alx9r
  • Is there a reason that you don't backup your data and remove the data from your machine? – Neil Smithline Dec 03 '15 at 04:53
  • @NeilSmithline I don't see how making a backup would reduce the likelihood of sensitive data being recovered by an attacker. What did you have in mind for "removing the data"? It's [not generally possible to securely wipe files from modern computers.](http://security.stackexchange.com/a/7072) – alx9r Dec 03 '15 at 05:42
  • I think formatting the entire drive still works but am not certain. You may be right. I'm not sure. – Neil Smithline Dec 03 '15 at 06:00

2 Answers


Windows Refuses to Part with Bitlocker Secrets it Relies on to Boot

I did not find any official documentation from Microsoft for how to clear bitlocker secrets from the TPM without a copy of the secret being written to the volume in cleartext. I tried to delete the bitlocker secrets using commands running within the instance of Windows the secrets were protecting. Every effort I made to do so failed. It seems you can clear the secret from the TPM, but only once that secret is written to the volume it is protecting in cleartext. I suppose this is to prevent TPM users from inadvertently ending up in a state where they cannot unlock their bitlocker-protected system volume.

In other words, any given Windows installation refuses to part with the bitlocker secrets it needs to boot. I really wish I could find some official guidance on how to correctly clear bitlocker secrets from a TPM that is physically attached to the storage it is protecting. This arrangement is common on many modern tablets and notebook computers, but I couldn't find any published best practice for decommissioning such a device.

It Seems like Another OS Installation Can Clear the Bitlocker Secrets

I did determine that it seems another OS installation that boots on the same computer can clear the TPM. If that is the case, clearing the TPM of its secrets without them being written to the volume in cleartext should be achievable by booting to another OS and clearing the TPM from there.

Premise and Procedure

Note: I am neither an expert at Windows security, nor am I knowledgeable enough about the inner workings of TPMs or bitlocker to confirm that this premise is correct or that this is an effective procedure.

This procedure is based on the following premise:

  1. When bitlocker is enabled in TPM mode the only copy of the bitlocker secret on the device resides in the TPM.
  2. When an operating system not protected by the TPM is booted on the device, it can clear the TPM without accessing the secret in the TPM.

If the above premise and my reasoning are correct, the procedure to completely clear the bitlocker secrets from the device is as follows:

  1. Boot to the instance of Windows protected by bitlocker.
  2. Ensure that bitlocker is "on" for all drives. (If bitlocker is not turned on, then either the data on the drive or the secret that can be used to decrypt the data is in cleartext on the drive. If that is the case, this procedure won't help you.)
  3. Shut down the computer.
  4. Boot the computer to another OS without entering the TPM pin.
  5. Clear the TPM from the OS you booted to in step (4).
alx9r
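As an added example (not part of the answer above), here is a PowerShell pre-check for step 2 of the procedure: it confirms that every BitLocker volume is fully encrypted with protection on (a suspended volume is exactly the "key available in the clear" state the question warns about), lists which key protectors are in use, and shows the basic TPM state. It assumes the built-in BitLocker and TrustedPlatformModule modules (Windows 8 and later) and an elevated session; the warning text and the `$ok` flag are my own.

```powershell
# Added example: verify the device is safe to shut down before clearing the TPM
# from another OS. Assumes the built-in BitLocker and TrustedPlatformModule
# PowerShell modules and an elevated session. Nothing here changes any state.

Import-Module BitLocker
Import-Module TrustedPlatformModule

$ok = $true

foreach ($vol in Get-BitLockerVolume) {
    # Key protector types, e.g. Tpm, TpmPin, RecoveryPassword, ExternalKey.
    $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    Write-Host "$($vol.MountPoint) VolumeStatus=$($vol.VolumeStatus) ProtectionStatus=$($vol.ProtectionStatus) Protectors=[$protectors]"

    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        # Anything other than FullyEncrypted means plaintext data may still be on the disk.
        Write-Warning "$($vol.MountPoint): not fully encrypted; the procedure will not help for this volume."
        $ok = $false
    }

    if ($vol.ProtectionStatus -ne 'On') {
        # ProtectionStatus Off on an encrypted volume is the suspended state:
        # the volume key is stored in the clear on the disk (Suspend-BitLocker).
        Write-Warning "$($vol.MountPoint): protection is OFF (suspended); the volume key is in the clear."
        $ok = $false
    }

    if ($protectors -eq '') {
        Write-Warning "$($vol.MountPoint): no key protectors present."
        $ok = $false
    }
}

$tpm = Get-Tpm
Write-Host "TPM present=$($tpm.TpmPresent) ready=$($tpm.TpmReady) ownerClearDisabled=$($tpm.OwnerClearDisabled)"

if ($ok) {
    Write-Host 'All volumes are encrypted and protected. Shut down now and clear the TPM from the other OS (steps 3-5).'
} else {
    Write-Warning 'Resolve the warnings above first; do not clear the TPM from this Windows instance.'
}
```

Run it immediately before step 3; if it prints any warning, the encrypted data on the drive is not actually protected by the TPM secret alone, and clearing the TPM afterwards will not achieve what the procedure intends.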

Pardon me if I'm incorrect, but TPM will only hold the cryptographic keys and not the data. User and manufacturer keys are stored on different parts of the TPM. Resetting the TPM (and the keys) should be enough: https://technet.microsoft.com/en-us/library/cc753694.aspx and http://www.dell.com/support/article/ly/en/lydhs1/SLN155219/en

I cannot post over 2 links; however, the Wikipedia article gives a brief overview of TPM architecture, the keys stored on the TPM and their corresponding uses.

Parth Maniar
  • Both of those links refer to procedures that AFAICT write the keys to the disk in plaintext. – alx9r Dec 03 '15 at 06:14
  • Just read the Microsoft link again. I don't see where it dumps the keys to the disk. – Parth Maniar Dec 03 '15 at 06:25
  • Hmm...I thought I tested that procedure with the result that Windows can still reboot after clearing the TPM. Now I'm not so sure. I'll have to test this again to be sure. – alx9r Dec 03 '15 at 06:41
  • I just tested [this procedure](https://technet.microsoft.com/en-us/library/cc753694.aspx) on Surface Pro 2. What this actually does is "enable, activate, clear, enable, and activate the TPM." I suppose the purpose is to clear everything but bitlocker keys. The device behaves exactly the same after clearing as before: boots to bitlocker PIN prompt, enter PIN, Windows boots, bitlocker is shown as enabled. Clearing the TPM definitely does not clear the system volume bitlocker key from the TPM. – alx9r Dec 09 '15 at 18:33