Bitlocker - 2 questions (Multiple active keys / Modes of operation)


  • Hey everyone,

I'm doing research about the difference between Bitlocker Drive Encryption and McAfee Endpoint Encryption. I've been using the Wikipedia article Comparison_of_disk_encryption_software (sorry, can't post a link apparently) as a starting place, but I need solid sources instead of believing everything on Wikipedia.

    I found most by myself, but 2 things are not clear for me:

1. Multiple keys: Whether an encrypted volume can have more than one active key. I can't find out if that's the case or not; the reference on Wikipedia doesn't seem to work anymore. This doesn't mean multi-factor authentication (i.e. TPM + PIN), but can there be 2 PINs that can decrypt 1 volume?

2. Modes of operation: On Wikipedia there is a reference to a document that dates back to 2006. Is this still the case today, or did something change in Bitlocker? If so, that answers 2 of the modes, but can someone shine some light on the last three: CBC with random per-sector keys, LRW and XTS?

    Help will be very appreciated.

    Kind regards,

    - Jimmy

    • Edited by JimmyB1991 Tuesday, March 25, 2014 8:49 AM Little more info
    Tuesday, March 25, 2014 8:47 AM


All replies

  • Hi,

    For question one:

    BitLocker supports four different authentication modes, depending on the computer's hardware capabilities and the desired level of security:

    • BitLocker with a TPM

    • BitLocker with a TPM and a PIN

    • BitLocker with a TPM and a USB startup key

    • BitLocker without a TPM (USB startup key required)

    If you mean recovery methods, there are three methods for recovery:

    BitLocker recovery methods

    For question two:

    The basic technology still works for BitLocker, but you can get the new features in Windows 8.1:

    What's New in BitLocker for Windows 8 and Windows Server 2012

    About BitLocker architecture, refer to this article:

    BitLocker Architecture

Regarding the algorithm, BitLocker uses the AES-CBC + diffuser algorithm to encrypt; you can get more information in this document:

    AES-CBC + Elephant diffuser

    Alex Zhao
    TechNet Community Support

    • Marked as answer by JimmyB1991 Friday, March 28, 2014 10:00 AM
    Tuesday, March 25, 2014 9:56 AM
Thanks for the quick reply, question 2 is answered. But question 1 is not: I mean, is it possible to have, for example, 2 different PINs to decrypt the same volume? So 2 active PINs for 1 volume.

About the second question, I read somewhere that the Elephant Diffuser is no longer present in Bitlocker for Windows 8 and Windows Server 2012. Is this true?

    Thanks! :)

    • Edited by JimmyB1991 Tuesday, March 25, 2014 10:44 AM Extra
    Tuesday, March 25, 2014 10:04 AM
  • Hi,

Yes, in Windows 8 and Windows Server 2012, the Diffuser option is no longer available to be added to the Advanced Encryption Standard (AES) encryption algorithm.

    The "Configure TPM validation profile" Group Policy setting is deprecated in Windows 8 and Windows Server 2012. It has been replaced with system specific policies for BIOS-based and UEFI-based computers.

    The –tpm option is no longer supported by manage-bde.

But I haven't heard of 2 different PINs to decrypt the same encrypted disk.

    Alex Zhao
    TechNet Community Support

    Wednesday, March 26, 2014 2:57 AM
Well, I'll try to explain:

We now have Endpoint Encryption, and there are SafeNet users in a database that synchronizes with all the clients (laptops). All laptop hard disks are encrypted with this software.

User A with his Laptop A can enter his password, and then it will decrypt the laptop and boot it. If User B enters his password on Laptop A, he can still decrypt the hard drive and let it boot, because that user is in the database.

So is it possible with Bitlocker to decrypt Laptop A with User A's AND User B's PIN? Hope it's clear now :)


    Wednesday, March 26, 2014 1:08 PM
  • Hi,

    There is no such feature in BitLocker.

    Alex Zhao
    TechNet Community Support

    Thursday, March 27, 2014 2:03 AM
Thanks for clearing that up, Alex. Apparently the Wikipedia comparison isn't correct on that. So it's not possible to share one laptop with multiple users unless they all know the same PIN for decrypting the volume/disk?

I'm just not sure about the modes of operation of Bitlocker. In the document 'AES-CBC + Elephant diffuser' I found out that LRW is not used for multiple reasons. XTS is not mentioned, so I assume it's also not used.

    About CBC I'm not entirely sure what Bitlocker uses exactly. I'm comparing these three:

    • CBC with predictable IV
    • CBC with secret IV
    • CBC with random per-sector keys

In the document it looks like it's using CBC with a secret IV, but it also looks like Bitlocker uses random per-sector keys. Can you maybe explain to me what's used within Bitlocker? After that I won't bother you again, haha.

    Again thank you for answering my other questions already, I really appreciate it. :)

    - Jimmy

    Thursday, March 27, 2014 8:11 AM
  • Hi,

Sorry, I have no additional document about this information, but the difference from previous versions is located in Group Policy:

    Computer Configuration-> Administrative Templates-> Windows Components-> BitLocker Drive Encryption

There should be two kinds of "Choose drive encryption method and cipher strength" policies; the one for Windows 8 and 8.1 has two choices: AES 128-bit and AES 256-bit.

    Alex Zhao
    TechNet Community Support

    Friday, March 28, 2014 6:03 AM
  • Do you know someone I can contact for this information or is this not possible?
    Monday, March 31, 2014 12:26 PM
  • Someone? ^^

    I think it's CBC with a secret IV, but I need someone who can verify this.

    Wednesday, May 14, 2014 7:03 AM
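The CBC variants Jimmy compares in his March 27 post, and the "secret IV" guess in the last post, as an added Go example that is not from this thread or from Microsoft: it implements the IV construction the referenced Ferguson paper describes for BitLocker's AES-CBC layer, where the IV for a sector is the sector's byte offset encrypted under the volume key, so the IV is secret and differs per sector but is not random, and no per-sector key is used. The diffuser layer is omitted, and the 16-byte little-endian encoding of the offset is an assumption for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// sectorIV derives the CBC IV of one sector by encrypting the sector's byte
// offset with the volume key: secret and per-sector, but not random, and no
// per-sector key. The little-endian offset encoding is an assumption.
func sectorIV(blk cipher.Block, sector uint64, sectorSize int) []byte {
	iv := make([]byte, blk.BlockSize())
	binary.LittleEndian.PutUint64(iv, sector*uint64(sectorSize))
	blk.Encrypt(iv, iv)
	return iv
}

// encryptSector encrypts one sector with AES-CBC; sectors are always a
// multiple of 16 bytes, so no padding is needed.
func encryptSector(key []byte, sector uint64, pt []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, sectorIV(blk, sector, len(pt))).CryptBlocks(ct, pt)
	return ct, nil
}

// decryptSector reverses encryptSector for the given sector number.
func decryptSector(key []byte, sector uint64, ct []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, sectorIV(blk, sector, len(ct))).CryptBlocks(pt, ct)
	return pt, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed 256-bit volume key
	pt := bytes.Repeat([]byte("A"), 512)  // same content written to two sectors
	c0, _ := encryptSector(key, 0, pt)
	c1, _ := encryptSector(key, 1, pt)
	fmt.Println("sectors 0 and 1 encrypt identically:", bytes.Equal(c0, c1))
}
```

With a fixed or predictable IV the two sectors would encrypt identically; with the sector-derived IV they differ, yet decrypting a sector under the wrong sector number garbles only its first 16-byte block, which shows that the sector number enters through the IV alone rather than through a per-sector key.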