It looks like it is tantalizingly close to being able to be changed,
in case the key is compromised:
 
"At this point it is worth taking a closer look at the encryption
involved. A BitLocker volume is actually encrypted using a 256-bit AES
key called a Full Volume Encryption Key. This key is encrypted using
another 256-bit AES key called the Volume Master Key. It is this Volume
Master key that is protected by a USB startup key or a PIN, or by the
TPM. The advantage of having the Volume Master Key as an intermediate
key between the Full Volume Encryption key on one side and a startup key
or PIN on the other is that if the startup key or PIN are lost or
compromised the system can be re-keyed with a new Volume Master Key -
without the need to decrypt and re-encrypt the entire volume with a new
Full Volume Encryption key."

From link http://www.devx.com/Windows_Server/Article/39014

Perhaps there is more info on how to do this somewhere in there?


Roland
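The quoted article describes a two-level hierarchy: sectors are encrypted under the Full Volume Encryption Key, the FVEK is wrapped by the Volume Master Key, and the VMK is wrapped by the startup-key (or PIN/TPM) protector. The script below is an added illustration of why that layering makes re-keying cheap; it is not code from the article, from BitLocker, or from anyone on this list. It assumes a toy cipher (SHA-256 counter keystream with an HMAC tag) standing in for the article's 256-bit AES so it runs on the standard library alone, and the function and field names (`VolumeHeader`, `change_startup_key`, `rekey_vmk`) are invented for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Tuple


# Toy cipher: SHA-256 counter keystream XORed with the data, used as a
# stand-in for the 256-bit AES the article describes. This is NOT
# BitLocker's real construction; it only models the key hierarchy.
def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def wrap(kek: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC `secret` under key-encryption key `kek`: nonce || ct || tag."""
    nonce = os.urandom(16)
    ct = keystream_xor(kek, nonce, secret)
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Inverse of wrap(); raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong protector or tampered key blob")
    return keystream_xor(kek, nonce, ct)


def protector_key(startup_key: bytes) -> bytes:
    """Derive the key that wraps the VMK from the startup-key material (toy KDF)."""
    return hashlib.sha256(b"startup-key-protector" + startup_key).digest()


@dataclass
class VolumeHeader:
    """What sits on disk beside the data: both keys appear only in wrapped form."""
    wrapped_vmk: bytes   # Volume Master Key, encrypted under the startup-key protector
    wrapped_fvek: bytes  # Full Volume Encryption Key, encrypted under the VMK


def create_volume(startup_key: bytes) -> Tuple[VolumeHeader, bytes]:
    fvek = os.urandom(32)  # Full Volume Encryption Key (encrypts sectors)
    vmk = os.urandom(32)   # Volume Master Key (intermediate key)
    header = VolumeHeader(wrap(protector_key(startup_key), vmk), wrap(vmk, fvek))
    return header, fvek


def unlock(header: VolumeHeader, startup_key: bytes) -> bytes:
    """Startup key -> VMK -> FVEK. A wrong startup key fails at the first unwrap."""
    vmk = unwrap(protector_key(startup_key), header.wrapped_vmk)
    return unwrap(vmk, header.wrapped_fvek)


def encrypt_sector(fvek: bytes, index: int, data: bytes) -> bytes:
    """Sector-tweaked encryption under the FVEK (sector index as the nonce)."""
    return keystream_xor(fvek, index.to_bytes(16, "big"), data)


decrypt_sector = encrypt_sector  # the XOR keystream is its own inverse


def change_startup_key(header: VolumeHeader, old_key: bytes, new_key: bytes) -> VolumeHeader:
    """Re-wrap only the VMK under the new protector; FVEK blob and sectors are untouched."""
    vmk = unwrap(protector_key(old_key), header.wrapped_vmk)
    return VolumeHeader(wrap(protector_key(new_key), vmk), header.wrapped_fvek)


def rekey_vmk(header: VolumeHeader, startup_key: bytes) -> VolumeHeader:
    """The article's re-key: fresh VMK, FVEK re-wrapped under it, sectors untouched."""
    fvek = unlock(header, startup_key)
    new_vmk = os.urandom(32)
    return VolumeHeader(wrap(protector_key(startup_key), new_vmk), wrap(new_vmk, fvek))


if __name__ == "__main__":
    # Constructed sample: two "USB stick" key blobs and three sectors of data.
    key_a, key_b = b"constructed-usb-key-A", b"constructed-usb-key-B"
    plain = [b"sector zero", b"sector one, a bit longer", b""]
    header, fvek = create_volume(key_a)
    sectors = [encrypt_sector(fvek, i, d) for i, d in enumerate(plain)]
    header = change_startup_key(header, key_a, key_b)  # only wrapped_vmk changes
    header = rekey_vmk(header, key_b)                   # wrapped_vmk and wrapped_fvek change
    fvek2 = unlock(header, key_b)
    print([decrypt_sector(fvek2, i, s) for i, s in enumerate(sectors)] == plain)
```

The point the article makes is visible in `change_startup_key` and `rekey_vmk`: neither touches a single sector. Swapping the USB protector costs one unwrap and one wrap of a 32-byte key; retiring a possibly exposed VMK costs one extra wrap of the FVEK. Only if the FVEK itself is believed compromised does the whole volume have to be decrypted and re-encrypted, which is the slow path Garrett describes below.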

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Garrett M. Groff
Sent: Friday, October 31, 2008 8:56 AM
To: fde@www.xml-dev.com
Subject: Re: [FDE] BitLocker question

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I tried that to no avail. There's an option to disable volume
encryption, an operation that does not decrypt the volume, but leaves
the full volume encryption key (the "real" key that the startup key
encrypts) in the clear on the disk. I tried disabling, thinking that if
I turned around and immediately re-enabled encryption, I would have the
opportunity to create a new startup key. However, when I re-enabled,
BitLocker automatically produced an identical startup key.

It's possible that decrypting and then re-encrypting the drive would
work, but that's terribly time-consuming.

G


- ----- Original Message -----
From: "DPW 401" <[EMAIL PROTECTED]>
To: <fde@www.xml-dev.com>
Sent: Thursday, October 30, 2008 9:57 PM
Subject: Re: [FDE] BitLocker question


> Would removing keyed startup and then reinstating it create a
> different key?
> 
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
>> On Behalf Of Garrett M. Groff groffg-at-gmgdesign.com |Donald Welker|
>> Sent: Thursday, October 30, 2008 9:43 AM
>> To: ....................
>> Subject: [FDE] BitLocker question
>> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> Stupid question...
>> 
>> I have a machine for personal use that uses TPM-less BitLocker. I want
>> to change the startup key (stored on a USB stick) for that machine, yet
>> I don't see a way to do it via the interface or the command line
>> (manage-bde.wsf). This is ridiculous! There's gotta be an easy way to
>> do this. Ideas?
>> 
>> G
>> 
>> -----BEGIN PGP SIGNATURE-----
>> Version: PGP Desktop 9.8.3 (Build 4028) - not licensed for commercial
>> use: www.pgp.com
>> Charset: utf-8
>> 
>> wj8DBQFJCbmkSGIRT5oVahwRAnM8AKCOD4TnB7djqobOlQqfIWTlpoGfiQCg2EhH
>> 6xzRYYONxBXSuhHe2bUUr5U=
>> =RpIZ
>> -----END PGP SIGNATURE-----
>> 
>> _______________________________________________
>> FDE mailing list
>> FDE@www.xml-dev.com
>> http://www.xml-dev.com/mailman/listinfo/fde
> 

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028) - not licensed for commercial
use: www.pgp.com
Charset: utf-8

wj8DBQFJCwBkSGIRT5oVahwRAjxUAKCxQaGWwC4qL3gIaGce1nRQvWSa9QCfUK4d
SH1rHPkM2eDZ17WX0yQ+epo=
=squu
-----END PGP SIGNATURE-----

_______________________________________________
FDE mailing list
FDE@www.xml-dev.com
http://www.xml-dev.com/mailman/listinfo/fde
