
I have a laptop with the system disk encrypted by BitLocker. BitLocker is configured to require a pre-boot PIN, and unlocks by TPM. The recovery key is required to unlock and is not available at the moment. The recovery key should be stored in the TPM though. I would like to try a recovery of the keys from the TPM through a cold-boot attack at a later point in time (as described here).

My question is: would it endanger the key recovery if I keep using the same laptop with a different system drive?

Some further information: the laptop is an Acer Aspire V3-571G from 2012 and only runs legacy BIOS. My brother is the legitimate owner of the data on the system drive and he would like to keep using his old laptop until he can get a Framework here in Germany. The pre-boot PIN is still working fine. The recovery key was printed out at creation and probably lost during a move. Most data was backed up but a few months are missing. From my understanding it should be fine to use the laptop with a fresh SSD because the keys should stay in the TPM to be loaded into RAM once the encrypted HDD gets plugged in again, but since I’m by far no expert when it comes to encryption and TPM stuff I would really appreciate some other people’s thoughts on this matter. If it is of importance I could probably get the exact TPM model but as of writing this, I don’t think that should make a difference.

  • Maybe just a naming problem, but the key protected by a TPM is not a recovery key; this is a regular key that can be used to decrypt the volume master key and thus the BitLocker volume. A recovery key is, as far as I remember, a long password used to decrypt a different key slot on the BitLocker volume. Using that key you can also decrypt the volume master key and decrypt the volume data. – Robert Nov 23 '21 at 19:55

1 Answer


Typically the TPM is keyed to BIOS settings, hardware pieces and settings, and the boot executables on the disk. If any of that changes, the TPM will not release its key, and it is specifically designed to not be attackable with a cold boot or otherwise. Possibly, if you change everything back to the previous config, the TPM will work again.

Swapping the drive probably will not affect the TPM, but if you reset the BIOS settings, the TPM is cleared.

If you can find the recovery key, you should be able to unlock the hard drive without the TPM, even on different hardware.

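The answer above describes the mechanism that matters for the question: a TPM does not store a copy of the BitLocker key. It holds a storage root key (SRK), and BitLocker writes the volume master key (VMK), sealed under that SRK and under a digest of selected Platform Configuration Registers (PCRs), into the metadata of the encrypted volume itself. Each boot stage extends a PCR with a hash of what it loaded, so a different MBR, boot manager or firmware produces different PCR values and the TPM refuses to unseal. The following Python model is an added example written for this page, not code from the original post or from Microsoft; it uses SHA-256 for both the extend operation and a toy XOR seal in place of the TPM's real primitives, and the PCR assignments (0 firmware, 2 option ROMs, 4 MBR code, 8 NTFS boot sector, 9 NTFS boot block, 10 boot manager, 11 BitLocker access control) follow BitLocker's default profile for BIOS-based firmware. The boot component contents, the TPM seed and the VMK are constructed placeholders. It walks through the scenarios raised in the thread: the old disk as it is, a fresh SSD in the same laptop, the old disk plugged back in afterwards, a firmware update, and a TPM clear.

```python
import hashlib
from dataclasses import dataclass, replace

PCR_SIZE = 32

# PCRs BitLocker binds to by default on BIOS (non-UEFI) firmware.
BIOS_PROFILE = (0, 2, 4, 8, 9, 10, 11)


def pcr_extend(pcr: bytes, measured: bytes) -> bytes:
    """TPM-style extend: PCR := H(PCR || H(measured)).
    One-way and order-dependent, so a changed component or a changed
    load order yields a different PCR value."""
    return hashlib.sha256(pcr + hashlib.sha256(measured).digest()).digest()


@dataclass
class BootComponents:
    """Constructed stand-ins for what a legacy-BIOS boot measures."""
    firmware: bytes          # PCR 0
    option_roms: bytes       # PCR 2
    mbr_code: bytes          # PCR 4
    ntfs_boot_sector: bytes  # PCR 8
    ntfs_boot_block: bytes   # PCR 9
    boot_manager: bytes      # PCR 10
    access_control: bytes = b"TPM+PIN"  # PCR 11

    def measure(self) -> dict:
        """Replay the measured boot and return the resulting PCR bank."""
        pcrs = {i: bytes(PCR_SIZE) for i in range(24)}
        for idx, data in ((0, self.firmware), (2, self.option_roms),
                          (4, self.mbr_code), (8, self.ntfs_boot_sector),
                          (9, self.ntfs_boot_block), (10, self.boot_manager),
                          (11, self.access_control)):
            pcrs[idx] = pcr_extend(pcrs[idx], data)
        return pcrs


def policy_digest(pcrs: dict, selection) -> bytes:
    """Digest of the selected PCRs; the sealed blob is bound to this value."""
    return hashlib.sha256(b"".join(pcrs[i] for i in selection)).digest()


@dataclass
class SealedBlob:
    """Modelled after what BitLocker stores in the volume metadata on disk."""
    pcr_selection: tuple
    policy: bytes
    ciphertext: bytes
    tag: bytes  # integrity check on the recovered secret (toy stand-in for an HMAC)


class ToyTPM:
    """Holds only the SRK. Seal = XOR with a pad derived from SRK and policy
    (a real TPM uses proper authenticated encryption; this is a model)."""
    def __init__(self, seed: bytes):
        self.srk = hashlib.sha256(b"srk:" + seed).digest()

    def clear(self) -> None:
        """TPM clear: the old SRK is gone and a new one is generated, so
        every blob sealed under the old SRK is permanently unrecoverable."""
        self.srk = hashlib.sha256(b"srk:fresh:" + self.srk).digest()

    def _pad(self, policy: bytes) -> bytes:
        return hashlib.sha256(self.srk + policy).digest()

    def seal(self, secret: bytes, pcrs: dict, selection) -> SealedBlob:
        policy = policy_digest(pcrs, selection)
        pad = self._pad(policy)
        ct = bytes(a ^ b for a, b in zip(secret, pad))
        return SealedBlob(tuple(selection), policy, ct, hashlib.sha256(b"tag:" + secret).digest())

    def unseal(self, blob: SealedBlob, pcrs: dict):
        """Return the secret only if the current PCRs reproduce the sealing
        policy and the sealing SRK is still present; otherwise None."""
        if policy_digest(pcrs, blob.pcr_selection) != blob.policy:
            return None
        pad = self._pad(blob.policy)
        secret = bytes(a ^ b for a, b in zip(blob.ciphertext, pad))
        if hashlib.sha256(b"tag:" + secret).digest() != blob.tag:
            return None  # wrong SRK (e.g. after a TPM clear)
        return secret


def run_scenario() -> dict:
    """Each entry records whether the VMK could be unsealed in that situation."""
    tpm = ToyTPM(seed=b"constructed laptop tpm")
    old_disk = BootComponents(firmware=b"bios 2012", option_roms=b"gpu rom",
                              mbr_code=b"windows mbr", ntfs_boot_sector=b"bs old",
                              ntfs_boot_block=b"bb old", boot_manager=b"bootmgr old")
    vmk = hashlib.sha256(b"constructed volume master key").digest()
    blob = tpm.seal(vmk, old_disk.measure(), BIOS_PROFILE)  # stays on the old disk

    fresh_ssd = replace(old_disk, mbr_code=b"ssd mbr", ntfs_boot_sector=b"bs ssd",
                        ntfs_boot_block=b"bb ssd", boot_manager=b"bootmgr ssd")
    bios_updated = replace(old_disk, firmware=b"bios 2013")

    out = {}
    out["old_disk_now"] = tpm.unseal(blob, old_disk.measure()) == vmk
    out["boot_fresh_ssd"] = tpm.unseal(blob, fresh_ssd.measure()) == vmk        # PCRs 4,8,9,10 differ
    out["old_disk_after_ssd"] = tpm.unseal(blob, old_disk.measure()) == vmk     # SRK untouched
    out["after_bios_update"] = tpm.unseal(blob, bios_updated.measure()) == vmk  # PCR 0 differs
    tpm.clear()
    out["old_disk_after_tpm_clear"] = tpm.unseal(blob, old_disk.measure()) == vmk
    return out
```

The model makes the two outcomes in the thread concrete: using another disk in the same laptop and then plugging the original back in leaves the sealed blob unsealable, because the SRK and the original boot chain are unchanged, while a firmware update, a changed boot manager or a TPM clear does not. A TPM clear is the irreversible case, since the blob on the disk is useless without the SRK that sealed it, whereas a PCR mismatch can be undone by restoring the previous configuration. On a running Windows install, `manage-bde -protectors -get C:` lists the key protectors of a volume together with the PCR validation profile the TPM protector is bound to, which is the real-world counterpart of `BIOS_PROFILE` above.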