How is the decryption key of a bitlocker encrypted drive generated?
A laptop from a company is in a domain and gets BitLocker encrypted. When the SSD of this laptop is placed into another laptop, the drive is locked because the hardware changed. It asks for an unlock key by providing a Key ID.
Will this be the unlock key of the original laptop or the new laptop? If it is the original laptop, does that mean the whole old laptop gets encrypted and its ID is stored on the SSD? If the SSD is placed in two different laptops, will the decryption key still be the same?
2 Answers
How is the decryption key of a bitlocker encrypted drive generated?
The master key is randomly generated, and never shown to the user.
If you run manage-bde -status or manage-bde c: -protectors -get, you'll see that each disk can have multiple so-called "protectors", each of which holds its own copy of the disk's master key. In most cases, there are two:
- the first copy is sealed using the old laptop's TPM chip;
- the second copy is encrypted using a randomly-generated 48-digit "recovery password" that Windows usually asks you to write down or print out.
Will this be the unlock key of the original laptop or the new laptop?
Neither. This is an alternate key stored within the BitLocker metadata itself – it is randomly generated and not related to the system's hardware in any way. (This is in fact the whole point of the recovery key – you can always use it no matter what hardware has changed.)
If it is the original laptop does that mean the whole old laptop gets encrypted and its ID is stored on the SSD?
The "key ID" is completely unrelated to the laptop or the physical disk; it's just a completely random ID that acts like a "name" for the numeric unlock password / recovery key. (For example, if you manage a large office and have 100 recovery keys written down, the "key ID" lets you know what computer needs what key.)
If the SSD is placed in two different laptops will the decryption key still be the same?
Yes – the master key is always the same, and all non-hardware protectors (password, or .bek key on USB stick, or numeric recovery key) will be the same unless you deliberately change them.
However, BitLocker can only store one TPM protector, so you can only have automatic unlock happening on one laptop. Every time you move the disk to a new laptop, it will ask you for the recovery key first.
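The protector list described in this answer can be inspected from PowerShell as well as with manage-bde. The script below is an added example, not part of the original answer: it uses the built-in BitLocker module (Get-BitLockerVolume, Add-BitLockerKeyProtector, Backup-BitLockerKeyProtector) to list every protector and its ID on C:, checks that a recovery-password protector exists before a disk is moved, counts the TPM-bound protectors (the ones that stop working when the hardware changes), and matches a Key ID copied from the recovery prompt against the stored protector IDs. The $KeyIdFromPrompt value is a constructed placeholder; run it in an elevated session.

```powershell
# Added example (not from the original answer): enumerate BitLocker protectors
# and map a "Key ID" from the recovery prompt to the protector that holds the
# matching recovery password. Assumes the BitLocker PowerShell module
# (Windows 10/11) and an elevated session.

# The recovery screen shows only the first 8 hex characters of the protector
# GUID. This value is a constructed placeholder, replace it with the real one.
$KeyIdFromPrompt = 'XXXXXXXX'

$vol = Get-BitLockerVolume -MountPoint 'C:'

# Every protector holds its own sealed/encrypted copy of the same volume master key.
$vol.KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId |
    Format-Table -AutoSize

# Check 1: a hardware-independent recovery protector must exist before the disk
# is moved, otherwise the TPM protector is the only way in.
$recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($recovery.Count -eq 0) {
    Write-Warning "No recovery password protector on $($vol.MountPoint). Add one with: Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector"
}

# Check 2: at most one TPM-bound protector exists; it is the one that fails
# when the SSD is booted in a different machine.
$tpmTypes = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
$tpm = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -in $tpmTypes })
"TPM-bound protectors on $($vol.MountPoint): $($tpm.Count)"

# Match the prompt's Key ID against stored protector IDs (stored as {GUID}).
$match = $recovery | Where-Object { ($_.KeyProtectorId -replace '[{}]', '') -like "$KeyIdFromPrompt*" }
if ($match) {
    "Key ID $KeyIdFromPrompt belongs to recovery protector $($match.KeyProtectorId) on this volume."
} else {
    "Key ID $KeyIdFromPrompt is not a recovery protector of this volume (different disk or protector)."
}

# Escrow the recovery protector in Active Directory so the help desk can look it
# up by Key ID later (domain-joined machines; uncomment to run):
# Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $recovery[0].KeyProtectorId
```

The same information comes from `manage-bde -protectors -get C:`, where the recovery protector is listed as "Numerical Password" with its ID in braces; the PowerShell objects are simply easier to filter and to script a pre-move check around.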
You can decrypt the BitLocker disk on the new computer exactly as on the old computer:
When inserting a BitLocker-encrypted drive to another Windows 10 computer, a message in the lower right corner of the desktop will say:
Click on this message to display the password dialog, with which you can unlock the drive:
If you forgot/lost the password to unlock this drive, click "More options" followed by "Enter recovery key" and then enter the 48-digit recovery key to unlock this drive.
If you don't have any of the above two keys, the situation becomes complicated or impossible.
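For a moved disk that is attached as a secondary (data) drive rather than booted from, the dialog steps above have a command-line equivalent. The following is an added example, not part of the original answer: it reads the lock status with Get-BitLockerVolume and then unlocks the volume with Unlock-BitLockerVolume using the 48-digit recovery password (the "Enter recovery key" path), falling back to nothing if no key is available, exactly as the answer says. The drive letter and the recovery password are constructed placeholders.

```powershell
# Added example (not from the original answer): command-line equivalent of the
# unlock dialog for a BitLocker data drive moved to another Windows machine.
# Assumes the BitLocker module and an elevated session. Both values below are
# constructed placeholders.
$MountPoint       = 'D:'
$RecoveryPassword = '000000-000000-000000-000000-000000-000000-000000-000000'

$vol = Get-BitLockerVolume -MountPoint $MountPoint
"Before: $MountPoint is $($vol.LockStatus), protection $($vol.ProtectionStatus)"

if ($vol.LockStatus -eq 'Locked') {
    # "Enter recovery key" path. For the normal password dialog use
    # -Password (a SecureString) instead, or -RecoveryKeyPath for a .bek file.
    try {
        Unlock-BitLockerVolume -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword | Out-Null
    } catch {
        Write-Warning "Unlock failed for $MountPoint : $($_.Exception.Message)"
    }
}

# Re-read the state: 'Unlocked' means the volume master key was recovered from
# the recovery-password protector, without any dependency on this machine's TPM.
"After: $MountPoint is $((Get-BitLockerVolume -MountPoint $MountPoint).LockStatus)"
```

The equivalent manage-bde command is `manage-bde -unlock D: -RecoveryPassword <48-digit key>`; when the moved SSD is the boot disk instead, the same recovery password is entered at the pre-boot recovery screen, and the key ID displayed there identifies which stored password to use.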