
Note: Below is some information from searching around the Internet. To skip to my main question, go to the last line of this post.

I've been searching around on how to change the Volume Master Key (VMK) in BitLocker. Thus far, I have not been able to find any information on how to do so. The closest we can get is from the BitLocker Drive Encryption Technical Overview with the following passage.

When BitLocker is re-enabled, the unencrypted key is removed from the disk and BitLocker protection is turned back on. Additionally, the volume master key is keyed and encrypted again.

Does this mean that the VMK is regenerated? The confusion here is the use of the word "keyed" instead of "rekeyed". More specifically, we can find that in the same page, we also have the following passage.

the addition of the volume master key allows the system to be re-keyed easily when keys upstream in the trust chain are lost or compromised.

The intentional use of the words "re-keyed" and "keyed" gives the impression that they have different meanings, which led to my confusion. With this information in mind, my question is as follows.

How does one go about changing the Volume Master Key (VMK)?

nehcsivart

1 Answer

The diagram in the page you linked demonstrates the functionality quite well. The idea is that the authentication mechanisms are all capable of decrypting the Volume Master Key (VMK), which then in turn can unlock the Full Volume Encryption Key (FVEK).

The idea behind this is that, if any of the individual authentication parts are compromised, the VMK can be changed without having to re-encrypt all of the data on the disk. Essentially, you can just change the VMK and re-encrypt the FVEK with it.

BitLocker itself does not provide any functionality to change the FVEK, as it would require decrypting and re-encrypting the entire volume. The only way to re-key appears to be to fully decrypt the volume and re-encrypt it.

Changing the VMK, however, is certainly possible. When BitLocker is put into disabled mode, the VMK is encrypted with a randomly generated surrogate key, which is stored in cleartext on the disk during this time. As the VMK is essentially not protected during this time, BitLocker automatically generates a new VMK after it is enabled again.

Polynomial
  • Yes, I understand the Architecture of BitLocker. My question asks about **how** one goes about changing the Volume Master Key (**not** Full Volume Encryption Key). – nehcsivart Aug 24 '15 at 11:42
  • My bad - I somehow misread that entirely. I'll edit that in. – Polynomial Aug 24 '15 at 13:05
  • I see the update. So it seems the terms "keyed" and "rekeyed" mean the same thing here. I was hoping there could be a way to update the VMK to a new random key manually with some sort of command. Oh well =/ – nehcsivart Aug 24 '15 at 19:21
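The key hierarchy the answer describes (protector unlocks VMK, VMK unlocks FVEK, FVEK encrypts the data) and the disable/re-enable step, as an added toy model in Python that is not BitLocker code and not its on-disk format. The SHA-256 XOR keystream stands in for AES, the protector secrets are constructed, and there is no key-wrap integrity; it only illustrates why re-keying the VMK is cheap while re-keying the FVEK means re-encrypting the whole volume.

```python
import hashlib
import os


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES: SHA-256 counter-mode keystream XORed into data (same call decrypts)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class Volume:
    """Data under the FVEK; FVEK wrapped under the VMK; VMK wrapped under each protector."""

    def __init__(self, plaintext: bytes, protectors: dict):
        self.fvek = os.urandom(32)
        self.data = xor_stream(self.fvek, plaintext)
        self.protector_keys = dict(protectors)  # constructed TPM/PIN/recovery secrets
        self.clear_key = None                   # surrogate key, present only while suspended
        self._install_vmk(os.urandom(32))

    def _install_vmk(self, vmk: bytes) -> int:
        """Re-wrap the FVEK and every protector under a VMK; returns bytes re-encrypted."""
        self.wrapped_fvek = xor_stream(vmk, self.fvek)
        self.protectors = {n: xor_stream(k, vmk) for n, k in self.protector_keys.items()}
        return len(self.fvek) + 32 * len(self.protectors)

    def unlock(self, name: str, secret: bytes) -> bytes:
        vmk = xor_stream(secret, self.protectors[name])
        return xor_stream(xor_stream(vmk, self.wrapped_fvek), self.data)

    def suspend(self, name: str, secret: bytes) -> None:
        """'Disabled mode': the VMK is wrapped under a random key kept in the clear on disk."""
        self.clear_key = os.urandom(32)
        vmk = xor_stream(secret, self.protectors[name])
        self.protectors["clear"] = xor_stream(self.clear_key, vmk)

    def resume(self) -> int:
        """Re-enable: drop the clear key and install a fresh VMK; bulk data is untouched."""
        self.protectors.pop("clear")
        self.clear_key = None
        return self._install_vmk(os.urandom(32))

    def rekey_fvek(self, name: str, secret: bytes) -> int:
        """Contrast: a new FVEK means decrypting and re-encrypting the entire volume."""
        plaintext = self.unlock(name, secret)
        self.fvek = os.urandom(32)
        self.data = xor_stream(self.fvek, plaintext)
        return len(plaintext) + self._install_vmk(os.urandom(32))
```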