How does Bitlocker erase the clear key on a SSD?

  • Question

  • I'm using Bitlocker without TPM to encrypt my SSD (Windows 10) and I have a question about suspending Bitlocker.

    The BitLocker documentation states:

    Disable keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk volume. By storing this key unencrypted, the disable option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire volume. Once the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, and the clear key is erased.


    My question is: Once the clear key is written unencrypted to a SSD, how is it erased after that?

    On a normal HDD I would assume that the sector containing the clear key is overwritten multiple times. But a SSD is allowed to map a "sector address" first to "flash cell X" and later to another "flash cell Y". So in this case the clear key would still be readable in "flash cell X". Or is there a way for the Operating System to enforce writing to a specific "sector address"?

    I also asked the same question here: https://superuser.com/questions/1245051/how-does-bitlocker-erase-the-clear-key-on-a-ssd

    Saturday, October 14, 2017 12:47 AM

All replies

  • Hi,

    The administrator may need to temporarily suspend BitLocker protection because a component specified in the Platform Validation Profile needs to be changed. The BitLocker Drive Encryption Control Panel applet provides a simple mechanism for suspending BitLocker. When BitLocker is suspended, the contents of the volume are still encrypted, but the volume master key is encrypted with a symmetric clear key, which is written to the volume's BitLocker metadata. When a volume is mounted, BitLocker automatically looks for a clear key and will be able to decrypt the contents of the volume. When BitLocker protection on a volume is resumed, the clear key is removed from the metadata.

    BitLocker can be disabled without decrypting the data; in this case, the VMK (the volume master key) is protected only by a new key protector that is stored unencrypted. Note that this clear key allows the system to access the drive as if it were unprotected. It is possible that the VMK is stored unencrypted which is referred to as clear key.

    Hope it will be helpful to you.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 16, 2017 6:48 AM
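An added check, not code from this thread or from Microsoft, for the suspended state the reply above describes: a volume that is fully encrypted but reports protection Off is one whose VMK is currently wrapped only by the on-disk clear key. It assumes Windows with the BitLocker PowerShell module, run from an elevated prompt; resuming removes the clear key from the volume metadata, but says nothing about whether previously written flash cells have been overwritten.

```powershell
# Added example: find BitLocker volumes left in the suspended (clear-key) state.
# Assumes the built-in BitLocker module (Get-BitLockerVolume, Resume-BitLocker)
# and an elevated session.
function Get-SuspendedBitLockerVolume {
    [CmdletBinding()]
    param()

    Get-BitLockerVolume | Where-Object {
        # FullyEncrypted + ProtectionStatus Off is the suspended state described
        # in the thread: data still encrypted, VMK protected only by the clear key.
        $_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'Off'
    } | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
        @{ Name = 'KeyProtectors'
           Expression = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
}

# Resume protection on every suspended volume so the clear key is removed from
# the BitLocker metadata. Supports -WhatIf for a dry run.
function Resume-SuspendedBitLockerVolume {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    foreach ($vol in Get-SuspendedBitLockerVolume) {
        if ($PSCmdlet.ShouldProcess($vol.MountPoint, 'Resume-BitLocker')) {
            Resume-BitLocker -MountPoint $vol.MountPoint | Out-Null
        }
    }
}

# Report first; run Resume-SuspendedBitLockerVolume -WhatIf to preview the fix.
Get-SuspendedBitLockerVolume | Format-Table -AutoSize
```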
  • Haven't received your message for a few days; was your issue resolved?
    I am proposing previous helpful replies as "Answered". Please feel free to try it and let me know the result. If the reply is helpful, please remember to mark it as answer which can help other community members who have same questions and find the helpful reply quickly.
    Best regards,
    Carl 


    Sunday, October 22, 2017 11:40 AM
  • Carl, the question was "Once the clear key is written unencrypted to a SSD, how is it erased after that?"

    Did you answer that?

    Monday, October 23, 2017 7:20 AM
  • Hi,

    When a volume is mounted, BitLocker automatically looks for a clear key and will be able to decrypt the contents of the volume. When BitLocker protection on a volume is resumed, the clear key is removed from the metadata.



    Monday, October 23, 2017 1:43 PM
  • That's clear to everyone. The question is how does it erase the key?

    The author wonders if secure deletion is used or not.

    Monday, October 23, 2017 1:44 PM
  • I would also like the answer to this question. And not just related to SSDs, but also regular HDDs. This is a VERY IMPORTANT question and needs to be answered.

    So, how is the clear key erased from the HDD after BitLocker encryption is resumed? Is it and all of its copies overwritten or simply deleted? And if they are overwritten, with what and how many times are they overwritten (like 1 random pass, 3 random passes, 35x Gutmann wipe, etc.)?

    (As a side note: From what I read, the keys are stored in an isolated location on the HDD, so that even if you wipe the free space on the HDD with a third-party tool while Windows is running, those areas are NOT overwritten. In theory, if you wipe the free space on the HDD with a third-party tool outside Windows those areas might be overwritten; however, this is not certain: apparently they are stored in NTFS data, and any tool or third-party program that writes to the HDD has to obey NTFS rules, so they might still not overwrite those areas. I don't know. That's why we need an answer to this.)

    Monday, August 5, 2019 9:20 AM