Does changing the encryption password imply rewriting all the data?
up vote
7
down vote
favorite
Let's say I have 1 TB of data on a partition encrypted with BitLocker, TrueCrypt or VeraCrypt.
Does changing the encryption password imply rewriting all the data (i.e. it will take hours/days)?
windows encryption bitlocker disk-encryption
edited 10 hours ago
Twisty Impersonator
asked 13 hours ago
Basj
2 Answers
up vote
18
down vote
accepted
No. Your password is used to encrypt only the master key. When you change the password, the master key is reencrypted but itself does not change.
(This is how some systems, such as BitLocker or LUKS, are able to have multiple passwords for the same disk.)
edited 12 hours ago
answered 13 hours ago
grawity
Thank you very much! Would you have a link with details about that? Is the master key saved (encrypted by password) at the beginning (very first bytes) of the partition?
– Basj
13 hours ago
1
I don't have any useful links at hand, but see Twisty's answer regarding that.
– grawity
9 hours ago
up vote
14
down vote
Grawity's answer is correct. Because encrypting data is a relatively expensive process, it makes more sense to create a single master key that does not change during the lifetime of the encrypted data. This master key can then in turn be encrypted by one or more secondary keys, which can then be flexibly changed at will.
For example, here's how BitLocker implements this (it actually uses three "layers" of keys):
- Data written to a BitLocker-protected volume is encrypted with a full-volume encryption key (FVEK). This key does not change until BitLocker is completely removed from a volume.
- The FVEK is encrypted with the volume master key (VMK), then stored (in its encrypted form) in the volume's metadata.
- The VMK in turn is encrypted with one or more key protectors, such as a PIN/password.
The following picture shows the process of accessing an encrypted system disk on a machine with BitLocker full volume encryption enabled:
More information about this process can be found on TechNet.
edited 2 hours ago
answered 11 hours ago
Twisty Impersonator
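The key hierarchy described in both answers, as an added example (not code from either answer or from BitLocker, LUKS, TrueCrypt or VeraCrypt): a fixed master key encrypts the bulk data once, and each password only wraps a copy of that key in a small metadata slot. All names here are hypothetical, the model collapses BitLocker's three layers into two, and an HMAC-SHA256 stream construction stands in for AES so the block runs on the Python standard library alone.

```python
import hashlib, hmac, secrets

def _stream(key, nonce, n):
    # Stand-in cipher (NOT AES): HMAC-SHA256 in counter mode, stdlib only.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC under separate subkeys derived from `key`."""
    enc, mac = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc, mac = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or corrupted blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc, nonce, len(ct))))

def kek(password, salt):
    # Key-encryption key from the password; the iteration count is an assumed value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_slot(vol, master_key, password):
    salt = secrets.token_bytes(16)
    vol["slots"].append({"salt": salt, "wrapped": seal(kek(password, salt), master_key)})

def unlock(vol, password):
    """Return (slot index, master key) for the first slot the password opens."""
    for i, slot in enumerate(vol["slots"]):
        try:
            return i, unseal(kek(password, slot["salt"]), slot["wrapped"])
        except ValueError:
            continue
    raise ValueError("no key slot accepts this password")

def create_volume(password, data):
    master_key = secrets.token_bytes(32)                 # fixed for the volume's lifetime
    vol = {"slots": [], "data": seal(master_key, data)}  # bulk data, encrypted once
    add_slot(vol, master_key, password)
    return vol

def change_password(vol, old, new):
    i, master_key = unlock(vol, old)
    del vol["slots"][i]             # discard the copy wrapped under the old password
    add_slot(vol, master_key, new)  # only this small slot is rewritten, never vol["data"]

def read_data(vol, password):
    return unseal(unlock(vol, password)[1], vol["data"])
```

Because the master key never changes, a saved copy of the old slot metadata still unlocks the data with the old password. Replacing the master key itself is the operation that requires re-encrypting the whole volume.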