
If you are using Windows 10 Pro BitLocker FDE with a TPM and enhanced PIN (= passphrase):

How do the keys in the TPM get stored? Are they stored as plaintext or as a hash value, or are they 'again' encrypted?

user3200534

2 Answers

Plain text, but it is stored on a "secure HDD" on the TPM.

Snippet from the Microsoft website:

Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself. The private portion of a storage root key or endorsement key that is created in a TPM is never exposed to any other component, software, process, or user.

You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys cannot be migrated, the private portion of the key is never exposed outside the TPM.

Computers that incorporate a TPM can also create a key that has not only been wrapped, but is also tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as “sealing the key to the TPM.” Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met.

https://docs.microsoft.com/en-us/windows/security/hardware-protection/tpm/tpm-fundamentals

Nick W.
    There's a nuance here. Physically, BitLocker's key is not stored inside the TPM. Rather it is wrapped by the TPM and is stored on disk in that form. – Assaf Levy Jul 22 '20 at 11:45
  • Why do you say "plain text", Nick? Nothing in your answer supports that claim; quite the opposite. When a key is "sealed to the TPM", the TPM wraps (encrypts) it! That's right there in the definitions of wrapping and (un)sealing. This answer is both false in its base claim *and* misleading in its implications! – CBHacking Jun 29 '21 at 21:34

Short "explain like you're five" answer: They're wrapped (encrypted) by the TPM, and stored in that form on the disk.

Long answer: The actual FDE key is generated when BitLocker is first "turned on" for a volume, and then immediately is "wrapped" (encrypted) with multiple "key protector" keys, and each wrapped "version" of the master key is stored on the disk in the BitLocker metadata area. The key protectors are the things you use to unlock the drive, and each one provides a way to get a key that can be used to decrypt the master key. For example, you probably have three key protectors: one each for the TPM, the "enhanced PIN", and the recovery key (long bunch of random digits that Windows made you save or print) - or possibly TPM+PIN are a single protector in this case. Certainly the recovery key's key protector key can be used alone to decrypt the master key, while the other protector(s) (PIN+TPM) are combined such that both are needed to decrypt the master key.

The PIN and recovery key protectors can easily be turned into actual encryption keys, used to decrypt the master key, by standard password hashing methods. For example, on the disk, in the BitLocker metadata, an enhanced PIN protector stores the plain-text info needed to hash the PIN (password hashing algorithm, work factor, and salt) plus the version of the master key that is encrypted (wrapped) with the PIN-derived key.

The TPM protector is trickier, and since I don't know the full details, there's some guesswork here. The most likely possibility is that Windows instructs the TPM to generate and "load" (store internally, ready for use) a new key. This would probably be done with the TPM's CreatePrimary operation. This new key is encrypted with the TPM's internal "master storage key" (generated uniquely when the OS "takes ownership" of the TPM, and never leaves the TPM). The new key is also "sealed" to the state of multiple "Platform Configuration Registers" (PCRs) on the TPM, which hold certain measured properties of the system (the hash of the code executed early in the boot process, plus a few other things); it can only be "unsealed" when those PCRs contain the expected values (this prevents unsealing the key when the machine was, for example, booted from removable media). BitLocker uses the new key (stored within the TPM) to encrypt (wrap) the master key, and stores the wrapped master key in the BitLocker metadata on the disk, along with an identifier for that new TPM key (so that BitLocker can later decrypt the key, assuming the PCRs are in the correct state).

However, a few things could be different from what is described here. For example, the new key might itself (in "wrapped and sealed" form) be stored on the disk too. The TPM allows creating "loadable" objects (such as keys) and returning them for later loading on demand, rather than loading them persistently. Since the key is encrypted with secrets only the TPM can access, it can't be decrypted (unsealed) without the TPM, or if the TPM's PCRs are in an unexpected state. This would be done with the TPM's Create and Load commands. Alternatively, BitLocker might wrap (and seal) the master FDE key directly - or some version of it, in the situation where multiple inputs (such as TPM+PIN) are required - using the TPM, via the Create command. The result of such wrapping would be stored on the disk and loaded (so it can be unsealed, assuming the PCRs are right) on demand.

If anybody knows exactly how BitLocker uses the TPM, especially in combined protectors like TPM+PIN, and especially if you have sources, I'd love to know more. I've looked at the BitLocker design docs and even source code but it was over a decade and several Windows versions ago.

CBHacking