Let me answer your questions in sequence.

1. A protector is different from a key? – Yes, but in the end both are cryptographic keys. When we talk about BitLocker and we say KEY, we generally mean the FVEK, which is in turn protected by the VMK. By design the VMK is the protector of the FVEK, the FVEK being the core key of BitLocker. The generation of the FVEK can be decided upon – 128 bit or 256 bit, as well as the algorithm that will be used – AES-XTS or AES-CBC. The VMK is a pre-defined 256 bit key and we cannot modify the key size. The FVEK and VMK are generated using the crypto components present in the Windows OS.

2. How is a protector different from a key? – Protectors are cryptographic keys which help to protect the VMK. For example, bcrypt.dll being one of them. If you do not have any key protectors, it means the VMK is protected with a CLEAR KEY, meaning it resides on the encrypted volume as clear text and as such can be accessed easily. This is usually the case when you disable or suspend BitLocker. The drive remains encrypted, but since the key protectors are removed, the VMK remains in clear text, and to applications and services the drive seems to be unencrypted. There can be many types of protectors – TPM, TPM+PIN, TPM+StartupKey, TPM+PIN+StartupKey – as required by the security scenario. When we talk about TPM as the sole protector, it uses the PCR 7 measurement to seal the key to the TPM. This is an RSA 2048 bit crypto operation performed by the TPM.
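The practical check that follows from the answer above is whether any volume is currently in the "clear key" state (data encrypted, but no protector guarding the VMK) and which protector types are in use. The script below is an added example, not code from the original post or from Microsoft; it uses the real BitLocker module cmdlets (Get-BitLockerVolume, Suspend-BitLocker, Resume-BitLocker) and the manage-bde tool, and must run from an elevated prompt on Windows. The function name Get-BitLockerProtectorAudit and the wording of the findings are our own.

```powershell
# Added example, not part of the original post. Audits BitLocker protector state on a
# Windows host and flags volumes whose VMK is sitting unprotected (the CLEAR KEY state).
# Requires the BitLocker PowerShell module and an elevated prompt.
# The function name and finding strings are assumptions made for this example.
function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
        # RecoveryPassword, ExternalKey, Password, Certificate.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $findings = @()

        # Encrypted data with protection Off: the VMK is stored in clear text on the
        # volume, so anything that can read the disk can recover the FVEK.
        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $vol.ProtectionStatus -eq 'Off') {
            $findings += 'CLEAR KEY: protection suspended or no protectors; VMK is unprotected'
        }

        # TPM as the sole protector: unlock is bound to PCR state, but nothing the user
        # knows or holds is required; TPM+PIN / TPM+StartupKey variants are stronger.
        $strong = @($types | Where-Object { $_ -in @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey') })
        if ($types -contains 'Tpm' -and $strong.Count -eq 0) {
            $findings += 'TPM is the sole protector (consider TPM+PIN)'
        }

        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'No recovery password protector present'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod   # e.g. XtsAes256, XtsAes128, Aes256 (CBC)
            Protectors       = ($types -join ', ')
            Findings         = ($findings -join '; ')
        }
    }
}

Get-BitLockerProtectorAudit | Format-Table -AutoSize

# Cross-check one volume with the legacy tool; it lists each protector's type and ID.
manage-bde -protectors -get C:

# The suspend case the post describes: the data stays encrypted, but the VMK is stored in
# clear text until protection is resumed (RebootCount 1 auto-resumes after one reboot).
# Suspend-BitLocker -MountPoint 'C:' -RebootCount 1
# Resume-BitLocker  -MountPoint 'C:'
```

Run the audit before and after Suspend-BitLocker on a test machine to see the ProtectionStatus flip to Off while VolumeStatus stays FullyEncrypted; that is exactly the clear-key condition the answer warns about, and the reason a suspended volume should never be left that way across a reboot you do not control.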