How can Windows boot with Bitlocker after clearing the TPM?
After installing Windows, I turned on BitLocker for full C: drive encryption. I saved the recovery keys and then let BitLocker proceed with encrypting the full drive.
When I rebooted, I was surprised that the system booted completely fine without prompting for a PIN. I guess BitLocker is asking the TPM (AMD fTPM) for keys to decrypt the drive; tell me if I'm wrong.
So I tried to make the TPM require a PIN before giving away all its little secrets. I found how to change the "Local Computer Policy" and configured the "Require additional authentication at startup" setting, requiring a PIN.
I then proceeded to set a PIN for my C: drive, which went perfectly fine. I rebooted and was prompted for a PIN, which I thought was the end of the story.
But I wanted to test clearing the TPM to be sure that it was the component storing the keys (I have the BitLocker recovery key, so that shouldn't be a problem). I cleared the TPM using the Windows TPM GUI.
To my big surprise, when I rebooted Windows, I wasn't prompted for a PIN, NOR A RECOVERY KEY! The system booted perfectly fine, but BitLocker was in a suspended state! How is this possible after clearing the TPM? The keys should be gone forever! Have they been copied to a readable zone on my disk?
Am I misunderstanding how Bitlocker and the TPM work together?
windows-10 boot encryption bitlocker tpm
edited Jan 9 at 20:21
mimipc
asked Jan 9 at 19:05
mimipc
1
Sounds like BitLocker is currently suspended. Can you verify if that is the case?
– Ramhound
Jan 9 at 20:09
It is, what does it mean? It entered a suspended state when I cleared the TPM to avoid being locked out?
– mimipc
Jan 9 at 20:10
"Suspension of BitLocker does not mean that BitLocker decrypts data on the volume. Instead, suspension makes the key used to decrypt the data available to everyone in the clear. New data written to the disk is still encrypted". You might look over manage-bde: protectors and read about and test with the -tpmandpinandstartupkey parameter.
– Pimp Juice IT
Jan 9 at 20:12
Ok, so now I guess the keys have been written to a non-encrypted disk partition. What a nice feature for someone wanting to read all the data! This is dumb
– mimipc
Jan 9 at 20:15
1
@mimipc - When you resumed BitLocker, the data you were worried about was deleted; since it was written to encrypted data, you have nothing to worry about. However, as currently written your question does not contain the fact that BitLocker was in a suspended state, so this question cannot be answered in its current state. Suspending BitLocker is how you would update the TPM firmware, so the fact that BitLocker was suspended does not increase/decrease your security situation. It is a necessary state in some maintenance actions.
– Ramhound
Jan 9 at 20:19
1 Answer
Self-answering my question thanks to Ramhound's help.
When clearing the TPM, Windows automatically switches to BitLocker's suspended mode. This mode keeps the volume key on a non-encrypted sector of the drive. When the system reboots, it uses the clear key to read the volume and takes back ownership of the TPM, which disables suspended mode.
The following links give information on how the clear key is stored and how forensics could help in reading the volume if it has been placed in suspended mode:
- https://www.reddit.com/r/AskNetsec/comments/8qvwvv/when_suspending_bitlocker_protection_where_is_the/
- http://jessekornblum.com/publications/di09.pdf
answered Jan 9 at 20:48
mimipc
1
This is indeed correct. If you had cleared the TPM from the firmware, you would've been challenged for the recovery key. Windows is just making things convenient for you by suspending protection first, then re-enabling it after a reboot, when it can re-save the keys back to the TPM.
– Wes Sayeed
Jan 9 at 21:25
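The state the question and the answer describe (volume still fully encrypted, but unlockable with a clear key because protection is suspended) can be observed and verified directly from PowerShell. The script below is an added example, not code from the original post or from Microsoft; it assumes the OS volume is C:, an elevated PowerShell session on Windows 10 with the built-in BitLocker and TrustedPlatformModule modules, and it uses Suspend-BitLocker to reproduce the same clear-key state rather than clearing the TPM again. The Get-BitLockerSuspensionState and Assert-TpmPinProtector helpers are names chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): inspect, suspend and resume
# BitLocker on the OS volume so the "suspended" state can be seen and checked.
# Nothing here clears the TPM; Suspend-BitLocker produces the same clear-key
# state that the TPM clear triggered in the question.

$MountPoint = 'C:'   # assumption: the OS volume is C:

function Get-BitLockerSuspensionState {
    param([string]$Volume = 'C:')
    $bv = Get-BitLockerVolume -MountPoint $Volume
    # Suspended = data still encrypted on disk, but ProtectionStatus is Off
    # because a clear key stored unencrypted in the volume metadata unlocks it.
    $suspended = ($bv.VolumeStatus -eq 'FullyEncrypted') -and ($bv.ProtectionStatus -eq 'Off')
    [pscustomobject]@{
        Volume           = $Volume
        VolumeStatus     = $bv.VolumeStatus
        ProtectionStatus = $bv.ProtectionStatus
        Suspended        = $suspended
        ProtectorTypes   = @($bv.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    }
}

function Assert-TpmPinProtector {
    # The check to run after any TPM reset: protection is back on, and the
    # volume is still bound to TPM+PIN rather than silently left TPM-only.
    param([string]$Volume = 'C:')
    $s = Get-BitLockerSuspensionState -Volume $Volume
    if ($s.Suspended) {
        Write-Warning "$Volume is suspended: a clear key on disk unlocks it without TPM or PIN."
        return $false
    }
    if ($s.ProtectorTypes -notcontains 'TpmPin') {
        Write-Warning "$Volume has protectors [$($s.ProtectorTypes -join ', ')] but no TpmPin protector."
        return $false
    }
    return $true
}

# 1. Baseline: what protects the volume, what the TPM looks like, and what
#    "Require additional authentication at startup" wrote to the policy key
#    (UseTPMPIN: 0 = do not allow, 1 = require, 2 = allow).
'--- before ---'
Get-BitLockerSuspensionState -Volume $MountPoint | Format-List
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmOwned | Format-List
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -Name UseAdvancedStartup, UseTPMPIN -ErrorAction SilentlyContinue
manage-bde -protectors -get $MountPoint   # CLI view of the same protectors

# 2. Reproduce the state Windows put the volume in after the TPM clear:
#    suspend for exactly one reboot, as the OS does before TPM maintenance.
Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
'--- suspended ---'
Get-BitLockerSuspensionState -Volume $MountPoint | Format-List
# Expect: VolumeStatus FullyEncrypted, ProtectionStatus Off, Suspended True.
# While in this state anyone holding the disk can unlock it: this is the
# window the forensic references in the answer describe.

# 3. Resume without waiting for the reboot. Windows discards the clear key and
#    the existing TPM-based protector is used again.
Resume-BitLocker -MountPoint $MountPoint | Out-Null
'--- resumed ---'
Get-BitLockerSuspensionState -Volume $MountPoint | Format-List

# 4. Enforce the policy from the question: if no TPM+PIN protector is present,
#    add one (BitLocker keeps a single TPM-based protector per volume, so this
#    replaces a TPM-only protector) and re-run the check.
if (-not (Assert-TpmPinProtector -Volume $MountPoint)) {
    $pin = Read-Host -Prompt 'Enter a new BitLocker PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
    Assert-TpmPinProtector -Volume $MountPoint
}
```

Run it once before and once after a TPM clear or firmware update: the first Get-BitLockerSuspensionState call tells you whether the volume is currently sitting behind a clear key, and Assert-TpmPinProtector returns $false (with a warning) if the reboot re-sealed the volume to the TPM without the PIN you configured. Suspend-BitLocker with -RebootCount 1 mirrors what Windows does on its own for TPM maintenance; the Resume-BitLocker step is what the automatic resume after the next boot performs.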