How does BitLocker Drive Encryption work and which info is sent?



  • I'm looking forward to discovering more about the way in which USB devices encrypted with BitLocker are protected.

    If I insert a USB key encrypted with BitLocker on a different device, I can access the storage only if I have the recovery key, right?

    If the USB key has been encrypted with BitLocker in a device for which the user is not admin, can the admin find out when it is inserted into a different PC?



  • If I insert a USB key encrypted with BitLocker on a different device, I can access the storage only if I have the recovery key, right?

    That depends entirely on what key protectors are used on the flash drive. A key protector is a bit of BitLocker metadata that provides a way to obtain the actual disk encryption key. Common key protectors are the recovery key, passwords (or PINs), a key file stored on another flash drive, or (for boot volumes) a TPM.

    If a flash drive is encrypted on a system that already uses BitLocker, and is set to automatically unlock on that system, a key protector is used where the host machine will store a secret on its (encrypted) drive. If that's the only key protector other than the recovery key (which is always created by default, although it can be removed), then the only way to unlock the flash drive on another computer is to use the recovery key, yes. However, it's pretty common for an encrypted flash drive to also have a password key protector; in that case, you can decrypt the drive on any machine so long as you know the password, which is much more memorable than the recovery key (it's also more at risk of brute-forcing, so BitLocker will attempt to delete this key protector after multiple failed guesses... though that only works if the real BitLocker driver is running, and is able to write to the flash drive).

    Note also that the usual way to encrypt a flash drive with BitLocker is a bit different from how BitLocker normally works. Since it's expected that a flash drive might need to be used on machines that don't support BitLocker, the drive's main partition is shrunk slightly and a second partition is created. This second partition gets a small Windows executable that can read (though not write) BitLocker-encrypted partitions (such as the main partition of the flash drive). For the main partition, I'm not sure if it works like a normal BitLocker volume (which contains some behavior that seems specific to NTFS) or if it works a bit differently, in some way potentially agnostic to the underlying FS.

    If the USB key has been encrypted with BitLocker in a device for which the user is not admin, can the admin find out when it is inserted into a different PC?

    No. Cryptography doesn't involve any sort of "phoning home" - it's just math - and there's no mechanism for BitLocker to even store a routable address to the machine where it was encrypted. Windows can, depending on configuration, automatically upload the recovery key when a drive is encrypted (either to Microsoft or to a domain controller), but as far as I know it won't automatically search for any such uploaded key - the location or even fact of the upload isn't part of the protector, so it wouldn't know where to search - and of course if the recovery key wasn't uploaded at all (or was only uploaded to a private network that the different PC isn't on, such as the controller of a corporate domain) then there wouldn't be anything to find (and thus no way to link the drive to its encrypter) anyhow.
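    As an added example (not part of the answer above), the following PowerShell audit lists the key protectors on a BitLocker-protected removable drive and classifies each by whether it lets the drive be unlocked on a different PC, which is the distinction the answer draws between the auto-unlock protector, a password protector and the recovery key. It assumes the BitLocker PowerShell module is installed and the drive is mounted at E: (adjust -MountPoint); the function name is my own.

```powershell
# Added example, not from the original answer. Audits which key protectors exist on a
# removable BitLocker drive and whether each one is usable away from the original host.
# Assumes the BitLocker module (Get-BitLockerVolume) and a drive mounted at E:.
function Get-BitLockerPortability {
    [CmdletBinding()]
    param([string]$MountPoint = 'E:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    foreach ($kp in $vol.KeyProtector) {
        $portable = switch ($kp.KeyProtectorType) {
            'Password'         { 'yes: unlocks on any Windows PC given the password' }
            'RecoveryPassword' { 'yes: the 48-digit recovery key works anywhere' }
            'ExternalKey'      {
                if ($kp.AutoUnlockProtector) {
                    'no: the secret is stored on the original host (auto-unlock)'
                } else {
                    'yes, only if the .BEK key file is carried along'
                }
            }
            default            { 'no: bound to this host (TPM or similar)' }
        }
        [pscustomobject]@{
            Id         = $kp.KeyProtectorId
            Type       = $kp.KeyProtectorType
            AutoUnlock = $kp.AutoUnlockProtector
            Portable   = $portable
        }
    }
}

# Example run: if the only rows are an auto-unlock ExternalKey and a RecoveryPassword,
# the drive opens elsewhere only with the recovery key, as described in the answer.
Get-BitLockerPortability -MountPoint 'E:' | Format-Table -AutoSize

# To make the drive usable on other machines, add a password protector (long passphrase;
# BitLocker's failed-guess lockout only applies while its own driver performs the unlock):
# Add-BitLockerKeyProtector -MountPoint 'E:' -PasswordProtector -Password (Read-Host -AsSecureString 'Drive password')
```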


