What extra does the Master Volume Key provide in BitLocker?

From this FAQ, I understand that BitLocker uses the following keys to encrypt the hard-drive:

  • Full Volume Encryption Key (FVEK) (used to encrypt raw data; encrypted by the volume master key and stored on-disk)
  • Volume Master Key (VMK) (encrypted by a key protector and stored on-disk)
  • Key Protector (KP) (TPM or numerical password)

I don't understand what security value the VMK provides. Why not just encrypt the FVEK directly using KPs?

In any case, if a KP leaks, the FVEK can be obtained anyway?

1 Answer

Have a look in the articleBitLocker Drive Encryption Technical Overview.

The sectionBitLocker Architecturecontains a nice diagram and this text:

Figure 1 shows how the BitLocker-protected volume is encrypted with a full volume encryption key, which in turn is encrypted with a volume master key. Securing the volume master key is an indirect way of protecting data on the volume: the addition of the volume master key allows the system to be re-keyed easily when keys upstream in the trust chain are lost or compromised. This ability to re-key the system saves the expense of decrypting and encrypting the entire volume again.

The idea is that the authentication mechanisms are all capable of decrypting the Volume Master Key (VMK), which then in turn can unlock the Full Volume Encryption Key (FVEK). This means that if any individual authentication part is compromised, the VMK can be changed without having the re-encrypt all of the data on the disk, by changing the VMK and re-encrypting the FVEK with it.

BitLocker itself does not provide any functionality to change the FVEK, as it would require decrypting and re-encrypting the entire volume, but changing the VMK is possible.

6

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like