Does changing the encryption password imply rewriting all the data?











score 7
Let's say I have 1 TB of data on a partition encrypted with BitLocker, TrueCrypt or VeraCrypt.



Does changing the encryption password imply rewriting all the data (i.e. it will take hours/days)?










      windows encryption bitlocker disk-encryption






asked 13 hours ago by Basj; edited 10 hours ago by Twisty Impersonator

2 Answers
score 18, accepted
            No. Your password is used to encrypt only the master key. When you change the password, the master key is reencrypted but itself does not change.



            (This is how some systems, such as BitLocker or LUKS, are able to have multiple passwords for the same disk.)






answered 13 hours ago by grawity; edited 12 hours ago
• Thank you very much! Would you have a link with details about that? Is the master key saved (encrypted by password) at the beginning (very first bytes) of the partition? – Basj, 13 hours ago

• I don't have any useful links at hand, but see Twisty's answer regarding that. – grawity, 9 hours ago


















score 14
                Grawity's answer is correct. Because encrypting data is a relatively expensive process, it makes more sense to create a single master key that does not change during the lifetime of the encrypted data. This master key can then in turn be encrypted by one or more secondary keys, which can then be flexibly changed at will.



                For example, here's how BitLocker implements this (it actually uses three "layers" of keys):




                1. Data written to a BitLocker-protected volume is encrypted with a full-volume encryption key (FVEK). This key does not change until BitLocker is completely removed from a volume.

                2. The FVEK is encrypted with the volume master key (VMK) then stored (in its encrypted form) in the volume's metadata.

                3. The VMK in turn is encrypted with one or more key protectors, such as a PIN/password.


                The following picture shows the process of accessing an encrypted system disk on a machine with BitLocker full volume encryption enabled:



[Image: Scheme of disk decryption]



                More information about this process can be found on TechNet.







answered 11 hours ago by Twisty Impersonator; edited 2 hours ago
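The two answers describe one mechanism from two angles: the password only wraps a master key that never changes (grawity's answer), and in BitLocker that wrapping is layered as FVEK, VMK and key protectors (Twisty Impersonator's answer). The Python below is an added example, not code from either answer and not Microsoft's implementation; it runs that hierarchy on constructed data so the effect of a password change can be checked rather than taken on trust. Everything specific in it is an assumption made for the illustration: HMAC-SHA256 in counter mode stands in for AES, PBKDF2 stands in for whatever derivation BitLocker's password protector actually uses, the salt and nonce sizes are arbitrary, and `Volume`, `Protector` and all the function names are invented here.

```python
"""Toy model of the key hierarchy in the answers above, using only the standard library:
sector data is encrypted with the FVEK, the FVEK is wrapped by the VMK, and the VMK is
wrapped once per key protector. A password change rewrites one protector and nothing else."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

KEY_LEN = 32
PBKDF2_ITERATIONS = 100_000  # assumption: illustrative work factor, not BitLocker's

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode; stands in for AES so nothing beyond the stdlib is needed."""
    blocks = [hmac.new(key, b"enc" + nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes, nonce=None) -> bytes:
    """Encrypt-then-MAC. Key wrapping uses a random nonce; sectors pass their sector number,
    so a sector always encrypts the same way (the role an XTS tweak plays in real FDE)."""
    nonce = os.urandom(16) if nonce is None else nonce
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted data")  # a wrong password surfaces here
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

@dataclass
class Protector:  # layer 3: one per password, recovery key, ...
    name: str
    salt: bytes
    wrapped_vmk: bytes  # VMK encrypted under PBKDF2(password, salt)

@dataclass
class Volume:
    encrypted_fvek: bytes  # FVEK wrapped by the VMK; lives in the volume metadata
    protectors: list = field(default_factory=list)
    sectors: dict = field(default_factory=dict)  # sector number -> ciphertext on disk

def derive_kek(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, KEY_LEN)

def add_protector(vol: Volume, vmk: bytes, password: str, name: str) -> None:
    salt = os.urandom(16)
    vol.protectors.append(Protector(name, salt, seal(derive_kek(password, salt), vmk)))

def create_volume(password: str) -> Volume:
    fvek = os.urandom(KEY_LEN)  # layer 1: encrypts every sector, fixed for the volume's life
    vmk = os.urandom(KEY_LEN)   # layer 2: wraps the FVEK
    vol = Volume(encrypted_fvek=seal(vmk, fvek))
    add_protector(vol, vmk, password, "password")
    return vol

def unlock_vmk(vol: Volume, password: str) -> bytes:
    for p in vol.protectors:  # any one protector is enough, which is how multi-password volumes work
        try:
            return unseal(derive_kek(password, p.salt), p.wrapped_vmk)
        except ValueError:
            continue
    raise ValueError("no key protector accepts this password")

def accepts(vol: Volume, password: str) -> bool:
    try:
        unlock_vmk(vol, password)
    except ValueError:
        return False
    return True

def unlock_fvek(vol: Volume, password: str) -> bytes:
    return unseal(unlock_vmk(vol, password), vol.encrypted_fvek)

def change_password(vol: Volume, old: str, new: str, name: str = "password") -> None:
    """Re-wrap the VMK under the new password; the FVEK blob and the sectors are not touched."""
    vmk = unlock_vmk(vol, old)
    vol.protectors = [p for p in vol.protectors if p.name != name]
    add_protector(vol, vmk, new, name)

def write_sector(vol: Volume, password: str, sector: int, data: bytes) -> None:
    vol.sectors[sector] = seal(unlock_fvek(vol, password), data, nonce=sector.to_bytes(16, "big"))

def read_sector(vol: Volume, password: str, sector: int) -> bytes:
    return unseal(unlock_fvek(vol, password), vol.sectors[sector])

def demo() -> dict:
    # Constructed walk-through: one sector stands in for the 1 TB in the question.
    vol = create_volume("hunter2")
    write_sector(vol, "hunter2", 7, b"payroll.xlsx contents")
    sectors_before, fvek_blob_before = dict(vol.sectors), vol.encrypted_fvek
    change_password(vol, "hunter2", "correct horse battery staple")
    return {"sectors_unchanged": vol.sectors == sectors_before,
            "fvek_blob_unchanged": vol.encrypted_fvek == fvek_blob_before,
            "old_password_rejected": not accepts(vol, "hunter2"),
            "new_password_reads_data":
                read_sector(vol, "correct horse battery staple", 7) == b"payroll.xlsx contents"}
```

`demo()` returns four `True` flags: after the password change the sector ciphertexts and the wrapped-FVEK blob are byte-for-byte identical, the old password no longer unlocks anything, and the new one reads the data back. `add_protector` is the multi-password case grawity mentions: a second protector (a recovery key, say) wraps the same VMK under its own salt and KEK. The flip side for a practitioner: because the VMK and FVEK never change, revoking a password only helps against someone who does not already hold both the old password and a copy of the volume's key metadata; a party who captured those can unwrap the same VMK and FVEK that are still in use. As Twisty's first point says, the FVEK only changes when BitLocker is removed from the volume, so rotating the data key itself means decrypting and re-encrypting the whole volume, which is the hours-or-days job the question was worried about.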






























                     
