
Is it possible for me to use my own encryption or decryption key and update it whenever is possible?

jykl
  • Isn't that the whole purpose of encryption? – Jeroen Jan 12 '15 at 06:30
  • I understand that I will use my own key, but the key is generated by Microsoft BitLocker / TPM, right? Is there a way to change the key? – jykl Jan 12 '15 at 06:32

1 Answer


Thankfully no. The actual keys used to encrypt the data volume are randomly generated securely anyway. These keys are normally stored in the TPM and will be released when the TPM's integrity check is done on pre-boot components and settings. Note that the TPM key has nothing to do with the Windows user account and password (you can always add and remove Windows accounts and it would not affect Bitlocker).

It will become a security issue if the user could somehow access the keys in the TPM via a software interface (and in your case, change the encryption/decryption key). Luckily this is not possible, which leads us to trust the TPM as a hardware-based solution.

You may refer to the Bitlocker technical overview for more information. Notice that there are multiple keys at play, not just one key.

http://technet.microsoft.com/en-us/library/cc732774(v=ws.10).aspx

For Bitlocker To-Go (i.e. Bitlocker for removable drives), we don't want the removable drive to be tied to the TPM, since the drive should be readable on different machines. Therefore, you set the password of the Bitlocker drives which determines the key that encrypts the volume key. The reason why such a scheme is used is for the user to change his password easily without having to re-encrypt the entire data volume (i.e. just need to re-encrypt the volume key).

Kevin Lee
  • In my opinion, having the ability to encrypt the O.S. drive while allowing the user to select a password (like in Bitlocker To-Go) would be quite useful. I still use TrueCrypt just because I can enter my own password to generate the encryption key. We back up our data center to an offsite location quarterly and keep them all under one encryption key to lower administrative overhead. We're primarily concerned about the data while in transit to the offsite facility. – Brain2000 Dec 25 '16 at 17:43
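The key hierarchy described in the last paragraph of the answer (a random volume key protecting the data, itself wrapped by a key derived from the user's password, so a password change re-wraps only the volume key) modelled as an added Python example; this is not code from the answer or from BitLocker, the function names are mine, and HMAC-SHA256 in counter mode stands in for the block cipher.

```python
import hmac
import hashlib
import secrets

# Constructed sample of the user data that would live on the volume.
SAMPLE_DATA = b"constructed sample: quarterly backup set, 2 GB in reality"

def derive_kek(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Password -> key-encrypting key (KEK). Only the KEK depends on the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a toy stream cipher standing in for AES.
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong password or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def create_volume(password: str, data: bytes) -> dict:
    vmk = secrets.token_bytes(32)          # random volume key, never derived from the password
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "wrapped_vmk": seal(derive_kek(password, salt), vmk),  # password protector
        "data": seal(vmk, data),                                # bulk data under the VMK
    }

def unlock(volume: dict, password: str) -> bytes:
    vmk = unseal(derive_kek(password, volume["salt"]), volume["wrapped_vmk"])
    return unseal(vmk, volume["data"])

def change_password(volume: dict, old: str, new: str) -> None:
    """Re-wrap the VMK under the new password; the encrypted data is not touched."""
    vmk = unseal(derive_kek(old, volume["salt"]), volume["wrapped_vmk"])
    volume["salt"] = secrets.token_bytes(16)
    volume["wrapped_vmk"] = seal(derive_kek(new, volume["salt"]), vmk)
```

After change_password the data ciphertext is byte-for-byte unchanged and the old password no longer unlocks the volume, which is exactly why the scheme avoids re-encrypting the whole drive.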