How can Windows boot with Bitlocker after clearing the TPM?












2















After installing Windows, I turned on Bitlocker for a full C: drive encryption. I saved the recovery keys and then let Bitlocker proceed with encrypting the full drive.



When I rebooted, I was surprised that the system booted completely fine without prompting for a pin. I guess Bitlocker is asking the TPM (AMD fTPM) for keys to decrypt the drive, tell me if I'm wrong.



So I tried to make the TPM require a pin before giving away all his little secrets. I found how to change the "Local Computer Policy" and configured the "Require additional authentication at startup" settings, requiring a pin.



I then proceeded to set a pin for my C: drive, which went perfectly fine. I rebooted and was prompted for a pin, which I thought was the end of the story.



But I wanted to test clearing the TPM to be sure that it was the component storing the keys (I have the Bitlocker recovery key, so that shouldn't be a problem). I cleared the TPM using the windows TPM GUI.



To my big surprise, when I rebooted Windows, I wasn't prompted for a pin, NOR A RECOVERY KEY! The system booted perfectly fine, but Bitlocker was in a suspended state! How is this possible after clearing the TPM? The keys should be gone forever! Have them been copied to a readable zone on my disk?



Am I misunderstanding how Bitlocker and the TPM work together?






windows-10 boot encryption bitlocker tpm







share|improve this question




















  • 1





    Sounds like BitLocker is currently suspended. Can you verify if that is the case?

    – Ramhound
    Jan 9 at 20:09











  • It is, what does it mean? It entered a suspended state when I cleared the TPM to avoid being locked out?

    – mimipc
    Jan 9 at 20:10













  • "Suspension of BitLocker does not mean that BitLocker decrypts data on the volume. Instead, suspension makes key used to decrypt the data available to everyone in the clear. New data written to the disk is still encrypted". You might look over manage-bde: protectors and read about and test with the -tpmandpinandstartupkey parameter.

    – Pimp Juice IT
    Jan 9 at 20:12













  • Ok, so now I guess the keys have been written to a non-encrypted disk partition. What a nice feature for someone wanting to read all the data! This is dumb

    – mimipc
    Jan 9 at 20:15






  • 1





    @mimipc - When you resumed BitLocker, the data you were worried about was deleted, since it was written to an encrypted data you have nothing to worry about. However, as currently written your question does not contain the fact BitLocker was in a suspended state, so this question cannot be answered in its current state. Suspending BitLocker is how you would update the TPM firmware, so the fact BitLocker was suspended does not increase/decrease your security situation. It is a necssary state in some maintenance actions.

    – Ramhound
    Jan 9 at 20:19


















2















After installing Windows, I turned on Bitlocker for a full C: drive encryption. I saved the recovery keys and then let Bitlocker proceed with encrypting the full drive.



When I rebooted, I was surprised that the system booted completely fine without prompting for a pin. I guess Bitlocker is asking the TPM (AMD fTPM) for keys to decrypt the drive, tell me if I'm wrong.



So I tried to make the TPM require a pin before giving away all his little secrets. I found how to change the "Local Computer Policy" and configured the "Require additional authentication at startup" settings, requiring a pin.



I then proceeded to set a pin for my C: drive, which went perfectly fine. I rebooted and was prompted for a pin, which I thought was the end of the story.



But I wanted to test clearing the TPM to be sure that it was the component storing the keys (I have the Bitlocker recovery key, so that shouldn't be a problem). I cleared the TPM using the windows TPM GUI.



To my big surprise, when I rebooted Windows, I wasn't prompted for a pin, NOR A RECOVERY KEY! The system booted perfectly fine, but Bitlocker was in a suspended state! How is this possible after clearing the TPM? The keys should be gone forever! Have them been copied to a readable zone on my disk?



Am I misunderstanding how Bitlocker and the TPM work together?






windows-10 boot encryption bitlocker tpm







share|improve this question




















  • 1





    Sounds like BitLocker is currently suspended. Can you verify if that is the case?

    – Ramhound
    Jan 9 at 20:09











  • It is, what does it mean? It entered a suspended state when I cleared the TPM to avoid being locked out?

    – mimipc
    Jan 9 at 20:10













  • "Suspension of BitLocker does not mean that BitLocker decrypts data on the volume. Instead, suspension makes key used to decrypt the data available to everyone in the clear. New data written to the disk is still encrypted". You might look over manage-bde: protectors and read about and test with the -tpmandpinandstartupkey parameter.

    – Pimp Juice IT
    Jan 9 at 20:12













  • Ok, so now I guess the keys have been written to a non-encrypted disk partition. What a nice feature for someone wanting to read all the data! This is dumb

    – mimipc
    Jan 9 at 20:15






  • 1





    @mimipc - When you resumed BitLocker, the data you were worried about was deleted, since it was written to an encrypted data you have nothing to worry about. However, as currently written your question does not contain the fact BitLocker was in a suspended state, so this question cannot be answered in its current state. Suspending BitLocker is how you would update the TPM firmware, so the fact BitLocker was suspended does not increase/decrease your security situation. It is a necssary state in some maintenance actions.

    – Ramhound
    Jan 9 at 20:19
















2












2








2








After installing Windows, I turned on Bitlocker for a full C: drive encryption. I saved the recovery keys and then let Bitlocker proceed with encrypting the full drive.



When I rebooted, I was surprised that the system booted completely fine without prompting for a pin. I guess Bitlocker is asking the TPM (AMD fTPM) for keys to decrypt the drive, tell me if I'm wrong.



So I tried to make the TPM require a pin before giving away all his little secrets. I found how to change the "Local Computer Policy" and configured the "Require additional authentication at startup" settings, requiring a pin.



I then proceeded to set a pin for my C: drive, which went perfectly fine. I rebooted and was prompted for a pin, which I thought was the end of the story.



But I wanted to test clearing the TPM to be sure that it was the component storing the keys (I have the Bitlocker recovery key, so that shouldn't be a problem). I cleared the TPM using the windows TPM GUI.



To my big surprise, when I rebooted Windows, I wasn't prompted for a pin, NOR A RECOVERY KEY! The system booted perfectly fine, but Bitlocker was in a suspended state! How is this possible after clearing the TPM? The keys should be gone forever! Have them been copied to a readable zone on my disk?



Am I misunderstanding how Bitlocker and the TPM work together?






windows-10 boot encryption bitlocker tpm







share|improve this question
















After installing Windows, I turned on Bitlocker for a full C: drive encryption. I saved the recovery keys and then let Bitlocker proceed with encrypting the full drive.



When I rebooted, I was surprised that the system booted completely fine without prompting for a pin. I guess Bitlocker is asking the TPM (AMD fTPM) for keys to decrypt the drive, tell me if I'm wrong.



So I tried to make the TPM require a pin before giving away all his little secrets. I found how to change the "Local Computer Policy" and configured the "Require additional authentication at startup" settings, requiring a pin.



I then proceeded to set a pin for my C: drive, which went perfectly fine. I rebooted and was prompted for a pin, which I thought was the end of the story.



But I wanted to test clearing the TPM to be sure that it was the component storing the keys (I have the Bitlocker recovery key, so that shouldn't be a problem). I cleared the TPM using the windows TPM GUI.



To my big surprise, when I rebooted Windows, I wasn't prompted for a pin, NOR A RECOVERY KEY! The system booted perfectly fine, but Bitlocker was in a suspended state! How is this possible after clearing the TPM? The keys should be gone forever! Have them been copied to a readable zone on my disk?



Am I misunderstanding how Bitlocker and the TPM work together?






windows-10 boot encryption bitlocker tpm




windows-10 boot encryption bitlocker tpm






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jan 9 at 20:21







mimipc

















asked Jan 9 at 19:05









mimipcmimipc

1112




1112








  • 1





    Sounds like BitLocker is currently suspended. Can you verify if that is the case?

    – Ramhound
    Jan 9 at 20:09











  • It is, what does it mean? It entered a suspended state when I cleared the TPM to avoid being locked out?

    – mimipc
    Jan 9 at 20:10













  • "Suspension of BitLocker does not mean that BitLocker decrypts data on the volume. Instead, suspension makes key used to decrypt the data available to everyone in the clear. New data written to the disk is still encrypted". You might look over manage-bde: protectors and read about and test with the -tpmandpinandstartupkey parameter.

    – Pimp Juice IT
    Jan 9 at 20:12













  • Ok, so now I guess the keys have been written to a non-encrypted disk partition. What a nice feature for someone wanting to read all the data! This is dumb

    – mimipc
    Jan 9 at 20:15






  • 1





    @mimipc - When you resumed BitLocker, the data you were worried about was deleted, since it was written to an encrypted data you have nothing to worry about. However, as currently written your question does not contain the fact BitLocker was in a suspended state, so this question cannot be answered in its current state. Suspending BitLocker is how you would update the TPM firmware, so the fact BitLocker was suspended does not increase/decrease your security situation. It is a necssary state in some maintenance actions.

    – Ramhound
    Jan 9 at 20:19
















  • 1





    Sounds like BitLocker is currently suspended. Can you verify if that is the case?

    – Ramhound
    Jan 9 at 20:09











  • It is, what does it mean? It entered a suspended state when I cleared the TPM to avoid being locked out?

    – mimipc
    Jan 9 at 20:10













  • "Suspension of BitLocker does not mean that BitLocker decrypts data on the volume. Instead, suspension makes key used to decrypt the data available to everyone in the clear. New data written to the disk is still encrypted". You might look over manage-bde: protectors and read about and test with the -tpmandpinandstartupkey parameter.

    – Pimp Juice IT
    Jan 9 at 20:12













  • Ok, so now I guess the keys have been written to a non-encrypted disk partition. What a nice feature for someone wanting to read all the data! This is dumb

    – mimipc
    Jan 9 at 20:15






  • 1





    @mimipc - When you resumed BitLocker, the data you were worried about was deleted, since it was written to an encrypted data you have nothing to worry about. However, as currently written your question does not contain the fact BitLocker was in a suspended state, so this question cannot be answered in its current state. Suspending BitLocker is how you would update the TPM firmware, so the fact BitLocker was suspended does not increase/decrease your security situation. It is a necssary state in some maintenance actions.

    – Ramhound
    Jan 9 at 20:19










1




1





Sounds like BitLocker is currently suspended. Can you verify if that is the case?

– Ramhound
Jan 9 at 20:09





Sounds like BitLocker is currently suspended. Can you verify if that is the case?

– Ramhound
Jan 9 at 20:09













It is, what does it mean? It entered a suspended state when I cleared the TPM to avoid being locked out?

– mimipc
Jan 9 at 20:10







It is, what does it mean? It entered a suspended state when I cleared the TPM to avoid being locked out?

– mimipc
Jan 9 at 20:10















"Suspension of BitLocker does not mean that BitLocker decrypts data on the volume. Instead, suspension makes key used to decrypt the data available to everyone in the clear. New data written to the disk is still encrypted". You might look over manage-bde: protectors and read about and test with the -tpmandpinandstartupkey parameter.

– Pimp Juice IT
Jan 9 at 20:12







"Suspension of BitLocker does not mean that BitLocker decrypts data on the volume. Instead, suspension makes key used to decrypt the data available to everyone in the clear. New data written to the disk is still encrypted". You might look over manage-bde: protectors and read about and test with the -tpmandpinandstartupkey parameter.

– Pimp Juice IT
Jan 9 at 20:12















Ok, so now I guess the keys have been written to a non-encrypted disk partition. What a nice feature for someone wanting to read all the data! This is dumb

– mimipc
Jan 9 at 20:15





Ok, so now I guess the keys have been written to a non-encrypted disk partition. What a nice feature for someone wanting to read all the data! This is dumb

– mimipc
Jan 9 at 20:15




1




1





@mimipc - When you resumed BitLocker, the data you were worried about was deleted, since it was written to an encrypted data you have nothing to worry about. However, as currently written your question does not contain the fact BitLocker was in a suspended state, so this question cannot be answered in its current state. Suspending BitLocker is how you would update the TPM firmware, so the fact BitLocker was suspended does not increase/decrease your security situation. It is a necssary state in some maintenance actions.

– Ramhound
Jan 9 at 20:19







@mimipc - When you resumed BitLocker, the data you were worried about was deleted, since it was written to an encrypted data you have nothing to worry about. However, as currently written your question does not contain the fact BitLocker was in a suspended state, so this question cannot be answered in its current state. Suspending BitLocker is how you would update the TPM firmware, so the fact BitLocker was suspended does not increase/decrease your security situation. It is a necssary state in some maintenance actions.

– Ramhound
Jan 9 at 20:19












1 Answer
1






active

oldest

votes


















0














Self-answering my question thanks to Ramhound's help.



When clearing the TPM, Windows automatically switches to Bitlocker's suspended mode. This mode keeps the volume key on a non-encrypted sector of the drive. When the system reboots, it uses the clear key to read the volume and takes back the ownership of the TPM, which disables suspended mode.



The following links give information on how the clear key is stored and how forensics could help reading the volume if it has been placed in suspended mode :




  • https://www.reddit.com/r/AskNetsec/comments/8qvwvv/when_suspending_bitlocker_protection_where_is_the/

  • http://jessekornblum.com/publications/di09.pdf






share|improve this answer



















  • 1





    This is indeed correct. If you had cleared the TPM from the firmware, you would've been challenged for the recovery key. Windows is just making things convenient for you by suspending protection first, then re-enabling it after a reboot, when it can re-save the keys back to the TPM.

    – Wes Sayeed
    Jan 9 at 21:25











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1392412%2fhow-can-windows-boot-with-bitlocker-after-clearing-the-tpm%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














Self-answering my question thanks to Ramhound's help.



When clearing the TPM, Windows automatically switches to Bitlocker's suspended mode. This mode keeps the volume key on a non-encrypted sector of the drive. When the system reboots, it uses the clear key to read the volume and takes back the ownership of the TPM, which disables suspended mode.



The following links give information on how the clear key is stored and how forensics could help reading the volume if it has been placed in suspended mode :




  • https://www.reddit.com/r/AskNetsec/comments/8qvwvv/when_suspending_bitlocker_protection_where_is_the/

  • http://jessekornblum.com/publications/di09.pdf






share|improve this answer



















  • 1





    This is indeed correct. If you had cleared the TPM from the firmware, you would've been challenged for the recovery key. Windows is just making things convenient for you by suspending protection first, then re-enabling it after a reboot, when it can re-save the keys back to the TPM.

    – Wes Sayeed
    Jan 9 at 21:25
















0














Self-answering my question thanks to Ramhound's help.



When clearing the TPM, Windows automatically switches to Bitlocker's suspended mode. This mode keeps the volume key on a non-encrypted sector of the drive. When the system reboots, it uses the clear key to read the volume and takes back the ownership of the TPM, which disables suspended mode.



The following links give information on how the clear key is stored and how forensics could help reading the volume if it has been placed in suspended mode :




  • https://www.reddit.com/r/AskNetsec/comments/8qvwvv/when_suspending_bitlocker_protection_where_is_the/

  • http://jessekornblum.com/publications/di09.pdf






share|improve this answer



















  • 1





    This is indeed correct. If you had cleared the TPM from the firmware, you would've been challenged for the recovery key. Windows is just making things convenient for you by suspending protection first, then re-enabling it after a reboot, when it can re-save the keys back to the TPM.

    – Wes Sayeed
    Jan 9 at 21:25














0












0








0







Self-answering my question thanks to Ramhound's help.



When clearing the TPM, Windows automatically switches to Bitlocker's suspended mode. This mode keeps the volume key on a non-encrypted sector of the drive. When the system reboots, it uses the clear key to read the volume and takes back the ownership of the TPM, which disables suspended mode.



The following links give information on how the clear key is stored and how forensics could help reading the volume if it has been placed in suspended mode :




  • https://www.reddit.com/r/AskNetsec/comments/8qvwvv/when_suspending_bitlocker_protection_where_is_the/

  • http://jessekornblum.com/publications/di09.pdf






share|improve this answer













Self-answering my question thanks to Ramhound's help.



When clearing the TPM, Windows automatically switches to Bitlocker's suspended mode. This mode keeps the volume key on a non-encrypted sector of the drive. When the system reboots, it uses the clear key to read the volume and takes back the ownership of the TPM, which disables suspended mode.



The following links give information on how the clear key is stored and how forensics could help reading the volume if it has been placed in suspended mode :




  • https://www.reddit.com/r/AskNetsec/comments/8qvwvv/when_suspending_bitlocker_protection_where_is_the/

  • http://jessekornblum.com/publications/di09.pdf







share|improve this answer












share|improve this answer



share|improve this answer










answered Jan 9 at 20:48









mimipcmimipc

1112




1112








  • 1





    This is indeed correct. If you had cleared the TPM from the firmware, you would've been challenged for the recovery key. Windows is just making things convenient for you by suspending protection first, then re-enabling it after a reboot, when it can re-save the keys back to the TPM.

    – Wes Sayeed
    Jan 9 at 21:25














  • 1





    This is indeed correct. If you had cleared the TPM from the firmware, you would've been challenged for the recovery key. Windows is just making things convenient for you by suspending protection first, then re-enabling it after a reboot, when it can re-save the keys back to the TPM.

    – Wes Sayeed
    Jan 9 at 21:25








1




1





This is indeed correct. If you had cleared the TPM from the firmware, you would've been challenged for the recovery key. Windows is just making things convenient for you by suspending protection first, then re-enabling it after a reboot, when it can re-save the keys back to the TPM.

– Wes Sayeed
Jan 9 at 21:25





This is indeed correct. If you had cleared the TPM from the firmware, you would've been challenged for the recovery key. Windows is just making things convenient for you by suspending protection first, then re-enabling it after a reboot, when it can re-save the keys back to the TPM.

– Wes Sayeed
Jan 9 at 21:25


















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1392412%2fhow-can-windows-boot-with-bitlocker-after-clearing-the-tpm%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

If I really need a card on my start hand, how many mulligans make sense? [duplicate]

Image
5 This question already has an answer here: How do you calculate the likelihood of drawing certain cards in your opening hand? 3 answers There is a funny modern deck where you play Treasure Hunt, but you really need to have it on the starting hand. How many mulligans should I take, if my deck contains 60 cards and contains 4 copies of Treasure Hunt? magic-the-gathering probability share | improve this question asked Nov 23 '18 at 12:12 dan dan 152 4
Read more

Alcedinidae

Image
Alcedinidae Martin-pêcheur à dos bleu ( Alcedo azurea ) Classification (COI) Règne Animalia Embranchement Chordata Sous-embr. Vertebrata Classe Aves Ordre Coraciiformes Famille Alcedinidae Rafinesque, 1815 Les Alcédinidés ou Alcedinidae forment une famille d'oiseaux plus connus sous les noms de martins-pêcheurs et martins-chasseurs. Sommaire 1 Description 2 Répartition et habitat 3 Systématique 3.1 Liste alphabétique des genres 3.2 Liste des espèces 4 Chez les Anciens : l'alcyon 4.1 Étymologie (Littré) 4.2 Oiseau « fabuleux » ? 5 Notes 6 Articles connexes 7 Liens externes 7.1 Bibliographie Description | Ce sont des oiseaux compacts de taille petite à moyenne (10 à 46 cm), au bec droit et long, en forme de poignard. Leurs pattes sont courtes, et ils portent un plumage aux couleurs vives. Répartition et habitat | Cosmopolites, ils fréquentent surtout
Read more

Can an atomic nucleus contain both particles and antiparticles? [duplicate]

Image
9 $begingroup$ This question already has an answer here: What happens if we put together a proton and an antineutron? 2 answers Is it theoretically possible to make a "deuterium" atom containing a proton and an antineutron in its nucleus? Would the strong nuclear force cause attraction between a proton and an antineutron? Would such a nucleus be stable, or would the proton somehow annihilate the antineutron when close enough? nuclear-physics antimatter share | cite | improve this question asked yesterday
Read more