Windows Vista Forums
Vista: Understanding the merit of VMK

Old 06-22-2006   #1 (permalink)
tavis
Guest

Vista: Understanding the merit of VMK

I'm trying to understand the need for VMK. If a startup key is lost or
compromised, changing the VMK without also re-encrypting (i.e., changing the
FVEK) gives a false sense of security - I think.

In the Scenarios, User Experience, and Flow at
http://www.microsoft.com/whdc/system...ockerFlow.mspx
it states:

"The VMK directly protects the FVEK and therefore, protecting the VMK
becomes critical. This strategy of protecting the VMK indirectly protects the
encrypted volume and has the advantages that:
- The system can regenerate keys upstream in the chain if one or more of
these keys are lost or compromised.
- The recovery process can be done without decrypting and reencrypting the
entire volume, which is expensive in terms of the user’s time."

If I've lost my startup key, but I'm pretty sure no one's actually tried to
use it on my machine, then why not simply regenerate only the startup key?
If I think someone has used the key on my machine, then they have my VMK at
that moment, and if they have my VMK, they can retrieve my FVEK. So they
have my FVEK. Changing the VMK and Startup key won't lower my risk. I think
I'll have to re-encrypt...

For the first advantage, if for example I've lost my startup key on USB
flash, how do I tell BitLocker to generate a new, different startup key and
VMK without having to re-encrypt the whole drive? I tried disabling, then
re-enabling BitLocker under 5308, but it did not offer to place a different
startup key on my USB drive, nor save a new recovery key. When I went to
manage keys and request a copy of the startup key, I received the same key as
before.

As for the second advantage, why does the VMK provide an advantage? Is it
alone used to encrypt/decrypt some of the initial system files, which then
take over using the FVEK?? I'm just guessing at the reason...

In the BitLocker Technical Overview at
http://www.microsoft.com/whdc/system...rTechOver.mspx
it states that after disabling BitLocker for maintenance:
"When BitLocker is reenabled, the clear key is removed from the disk volume
and BitLocker protection is turned on again. Additionally, the VMK is rekeyed
and reencrypted."

I think I understand - when the clear key is deleted, along with its
blob (VMK), the VMK is regenerated in case anyone snagged the clear key, or if
forensic tools are used to retrieve the deleted clear key and blob from
disk???

Thanks!

Old 06-23-2006   #2 (permalink)
Jamie Hunter [MS]
Guest

Re: Vista: Understanding the merit of VMK

The key chain is as follows:
(TPM + External Key) encrypts VMK encrypts FVEK encrypts bulk-data

Should the external key be lost or compromised (per your question below),
then the key protectors can be erased and a new external key created (via
manage-bde/WMI). This assumes of course that someone has not mated the
external key with your machine in the meantime. If they had, and the machine
was additionally protected by the TPM (in the TPM + External Key scenario)
they still would not get very far. So in short, use WMI/manage-bde key
protectors management functionality to address the lost keys scenario.

In theory, a system can be built where all keys encrypt FVEK directly.
However maintaining an intermediate key (VMK) is architecturally
particularly useful as it allows encrypted metadata to be consistent (uses
the VMK) and independent of the FVEK (which can vary in type).

From a pure cryptographic standpoint, the VMK can be considered equal to the
FVEK in its criticality and function. However recycling the VMK becomes
more interesting when you start to forensically look at history of data
persistence on the disk.
-
Jamie Hunter [MS]


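The chain Jamie describes above, (TPM + External Key) encrypts VMK encrypts FVEK encrypts bulk data, can be modelled in a few dozen lines. The Go program below is an added illustration written for this thread; it is not Microsoft's code and does not use BitLocker's actual formats or algorithms (AES-256-GCM stands in for both the key-wrapping and the volume cipher, and a single external key stands in for the TPM/startup-key protector; both are assumptions). It shows the two operations the Microsoft text calls "advantages": replacing a lost external key protector, and rekeying the VMK, neither of which touches the bulk ciphertext because the FVEK is unchanged. It also makes tavis's caveat concrete: nothing here changes the FVEK, so if an attacker has already unwrapped the FVEK, only a new FVEK (a full re-encryption) would help.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Volume holds only what lives on disk in this model: the VMK wrapped under
// each key protector, the FVEK wrapped under the VMK, and the bulk data
// encrypted with the FVEK. No key is stored in the clear.
type Volume struct {
	Protectors  [][]byte // VMK wrapped under one external key each
	WrappedFVEK []byte   // FVEK wrapped under the VMK
	Ciphertext  []byte   // bulk data encrypted with the FVEK
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// AES-256-GCM is an illustrative stand-in for BitLocker's wrapping and
// volume ciphers (assumption, not the real algorithms).
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys here are always 32 bytes
	}
	g, _ := cipher.NewGCM(block)
	return g
}

func wrap(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, plaintext, nil)...)
}

func unwrap(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// NewVolume encrypts data and returns the volume plus its first external key.
func NewVolume(data []byte) (*Volume, []byte) {
	fvek, vmk, external := randomBytes(32), randomBytes(32), randomBytes(32)
	return &Volume{
		Protectors:  [][]byte{wrap(external, vmk)},
		WrappedFVEK: wrap(vmk, fvek),
		Ciphertext:  wrap(fvek, data),
	}, external
}

// unlockVMK tries every key protector with the supplied external key.
func unlockVMK(v *Volume, external []byte) ([]byte, error) {
	for _, p := range v.Protectors {
		if vmk, err := unwrap(external, p); err == nil {
			return vmk, nil
		}
	}
	return nil, fmt.Errorf("no key protector accepts this external key")
}

// Unlock walks the chain: external key -> VMK -> FVEK -> data.
func Unlock(v *Volume, external []byte) ([]byte, error) {
	vmk, err := unlockVMK(v, external)
	if err != nil {
		return nil, err
	}
	fvek, err := unwrap(vmk, v.WrappedFVEK)
	if err != nil {
		return nil, err
	}
	return unwrap(fvek, v.Ciphertext)
}

// ReplaceProtector covers the lost-startup-key case: the unchanged VMK is
// wrapped under a fresh external key and every old protector is dropped.
// Neither the FVEK nor the bulk ciphertext is touched.
func ReplaceProtector(v *Volume, external []byte) ([]byte, error) {
	vmk, err := unlockVMK(v, external)
	if err != nil {
		return nil, err
	}
	fresh := randomBytes(32)
	v.Protectors = [][]byte{wrap(fresh, vmk)}
	return fresh, nil
}

// RekeyVMK mirrors "the VMK is rekeyed and reencrypted": a new VMK wraps the
// same FVEK and the protectors are rebuilt around it (here with one fresh
// external key). Bulk data is still not re-encrypted.
func RekeyVMK(v *Volume, external []byte) ([]byte, error) {
	vmk, err := unlockVMK(v, external)
	if err != nil {
		return nil, err
	}
	fvek, err := unwrap(vmk, v.WrappedFVEK)
	if err != nil {
		return nil, err
	}
	newVMK, fresh := randomBytes(32), randomBytes(32)
	v.WrappedFVEK = wrap(newVMK, fvek)
	v.Protectors = [][]byte{wrap(fresh, newVMK)}
	return fresh, nil
}

func main() {
	data := []byte("constructed sample volume contents") // constructed input
	v, key := NewVolume(data)
	before := append([]byte(nil), v.Ciphertext...)
	newKey, _ := ReplaceProtector(v, key)
	_, errOld := Unlock(v, key)
	out, _ := Unlock(v, newKey)
	fmt.Printf("old key rejected: %v, data intact: %v, ciphertext untouched: %v\n",
		errOld != nil, bytes.Equal(out, data), bytes.Equal(before, v.Ciphertext))
}
```

The design choice worth noticing is that every rotation above works on a few hundred bytes of wrapped-key metadata while `Ciphertext` stays byte-for-byte identical; that is exactly why an intermediate VMK lets the metadata stay consistent while the FVEK, and the bulk encryption under it, are left alone. Old wrapped-VMK and wrapped-FVEK blobs that were overwritten, rather than securely erased, are the "history of data persistence on the disk" Jamie refers to.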
© Designer Media 2005-2008