Have a look at the article BitLocker Drive Encryption Technical Overview. The section BitLocker Architecture contains a nice diagram and this text:
Figure 1 shows how the BitLocker-protected volume is encrypted with a full volume encryption key, which in turn is encrypted with a volume master key. Securing the volume master key is an indirect way of protecting data on the volume: the addition of the volume master key allows the system to be re-keyed easily when keys upstream in the trust chain are lost or compromised. This ability to re-key the system saves the expense of decrypting and encrypting the entire volume again.
The idea is that the authentication mechanisms are all capable of decrypting the Volume Master Key (VMK), which then in turn can unlock the Full Volume Encryption Key (FVEK).
This means that if any individual authentication part is compromised, the VMK can be changed without having to re-encrypt all of the data on the disk, by changing the VMK and re-encrypting the FVEK with it.
BitLocker itself does not provide any functionality to change the FVEK, as it would require decrypting and re-encrypting the entire volume, but changing the VMK is possible.
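The key layering the answer describes, as an added example that is not part of the original answer or of BitLocker's own code: data is encrypted under the FVEK, the FVEK is wrapped by the VMK, and the VMK is wrapped by a protector; re-keying replaces the VMK and re-wraps the FVEK while the volume ciphertext stays untouched. An HMAC-SHA256 counter-mode keystream is a constructed stand-in for the real AES cipher, and the password protector, salt and check value are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed toy model of the BitLocker key hierarchy. The HMAC-based
# keystream is NOT BitLocker's cipher or on-disk format; it only shows the
# layering FVEK -> VMK -> protector and what a VMK re-key changes.

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a keystream derived from key (symmetric toy cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def protector_key(password: str, salt: bytes) -> bytes:
    """Assumed password protector: derive the key that wraps the VMK."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class Volume:
    def __init__(self, password: str, plaintext: bytes):
        self.salt = os.urandom(16)
        fvek, vmk = os.urandom(32), os.urandom(32)
        self.ciphertext = keystream_xor(fvek, plaintext)    # data under FVEK
        self.fvek_check = hashlib.sha256(fvek).digest()      # rejects bad keys
        self.wrapped_fvek = keystream_xor(vmk, fvek)         # FVEK under VMK
        self.wrapped_vmk = keystream_xor(protector_key(password, self.salt), vmk)

    def unwrap_vmk(self, password: str) -> bytes:
        return keystream_xor(protector_key(password, self.salt), self.wrapped_vmk)

    def unwrap_fvek(self, vmk: bytes) -> bytes:
        fvek = keystream_xor(vmk, self.wrapped_fvek)
        if not hmac.compare_digest(hashlib.sha256(fvek).digest(), self.fvek_check):
            raise ValueError("wrong protector or VMK")
        return fvek

    def read(self, password: str) -> bytes:
        return keystream_xor(self.unwrap_fvek(self.unwrap_vmk(password)), self.ciphertext)

    def rekey_vmk(self, password: str, new_password: str) -> None:
        """Re-key: a fresh VMK re-wraps the same FVEK; ciphertext is untouched."""
        fvek = self.unwrap_fvek(self.unwrap_vmk(password))
        new_vmk = os.urandom(32)
        self.salt = os.urandom(16)   # fresh salt so the new wrap reuses no keystream
        self.wrapped_fvek = keystream_xor(new_vmk, fvek)
        self.wrapped_vmk = keystream_xor(protector_key(new_password, self.salt), new_vmk)
```

After `rekey_vmk`, the old VMK and old protector no longer unwrap anything, but anyone who already holds the FVEK can still decrypt the unchanged ciphertext, which is exactly why a compromise of the FVEK itself calls for full re-encryption rather than a VMK change.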
Doesn't the idea of changing the VMK only make sense in the case that an attacker gains access to the VMK by means of a KP (authentication mechanism; although a TPM doesn't provide any authentication), but then cannot get SYSTEM to dump the FVEK? Otherwise, it won't help to change the VMK? – Shuzheng – 2019-08-05T12:12:23.437
Also, is the FVEK used to encrypt multiple volumes, if the computer has multiple hard drives? – Shuzheng – 2019-08-05T12:15:35.033
BitLocker can encrypt multiple drives (helpful link). Changing the VMK is a quick remedy if other keys were compromised. – harrymc – 2019-08-05T12:32:27.547
Yes, but in a complete system compromise, changing the VMK would provide no value would it? It only makes sense for an unprivileged or partial system compromise, right? – Shuzheng – 2019-08-05T13:02:13.507
In this case a full re-encryption is required. This is safer, but much much slower. – harrymc – 2019-08-05T13:35:10.670
Thank you, done – Shuzheng – 2019-08-05T13:45:43.943