When changing a key protector, a new VMK will be created and used to encrypt the old FVEK with the new VMK. The use of intermediate key (VMK between FVEK and any key protectors) allows changing the keys without the need to re-encrypt the raw data in a case a given key protector is compromised or changed. The volume master key is in turn encrypted by one of several possible methods depending on the chosen authentication type (that is, key protectors or TPM) and recovery scenarios.ĭoes the VMK in this scheme looks redundant? It has its purpose. Let’s dig into more details about the various encryption keys used by BitLocker to protect your data and the encryption key.īitLocker implements staged protection and employs multiple keys, each serving its own purpose.Īccording to Microsoft, raw data is encrypted with the full volume encryption key (FVEK), which is then encrypted with the volume master key (VMK). The Introduction to BitLocker: Protecting Your System Disk describes how BitLocker works from the user’s perspective. Learn how to approach BitLocker volumes depending on the type of protector. Attacking the password is only possible in one of these cases, while other protectors require a very different set of attacks. BitLocker volumes may be protected with one or more protectors such as the hardware-bound TPM, user-selectable password, USB key, or combination thereof.
BitLocker is well-studied and extensively documented solution with few known vulnerabilities and a limited number of possible vectors of attack. BitLocker is one of the most advanced and most commonly used volume encryption solutions.
0 kommentar(er)
