Comment by fulafel
11 hours ago
> delete your existing keys from OneDrive
This seems to go against principles of key management. If your key escrow peer has defected, the correct response is to rotate your keys.
11 hours ago
> delete your existing keys from OneDrive
> This seems to go against principles of key management. If your key escrow peer has defected, the correct response is to rotate your keys.
Exactly. I question why the parent says you have to re-encrypt the drive.
Microsoft has the KEK or passphrase that can be used to derive the KEK. The KEK protects the DEK which is used to encrypt the data. Rotating the KEK (or KEKs if multiple slots are used) will overwrite the encrypted DEK, rendering the old KEK useless.
Or does BitLocker work differently than typical data at rest encryption?
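Added example (not from any commenter, and not BitLocker's actual on-disk format): a small Python model of the KEK/DEK layering the thread is arguing about. Data is sealed once under a random DEK; the DEK is wrapped under a KEK derived from a passphrase and kept in a key slot; rotating a slot unwraps and re-wraps the DEK without touching the bulk ciphertext. The model also shows the one case where rotation alone is not enough: if the escrow party holds the old KEK and also has a copy of the old wrapped DEK, it can still recover the DEK, and only generating a new DEK (re-encrypting the data) cuts that off. AES is replaced by an HMAC-SHA256 counter-mode stream with an HMAC tag so the example runs on the standard library alone; the class and method names are this example's own.

```python
"""Envelope encryption with rotatable KEK slots (illustrative model, not BitLocker)."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32


def derive_kek(passphrase: bytes, salt: bytes) -> bytes:
    """Key-encryption key from a passphrase via PBKDF2-HMAC-SHA256 (toy iteration count)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 50_000, dklen=KEY_LEN)


def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from one 256-bit key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF (stand-in for AES-CTR)."""
    blocks = [hmac.new(enc_key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt. Wrong key => ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class Volume:
    """Bulk data encrypted once under a random DEK; the DEK is wrapped per key slot."""

    def __init__(self, data: bytes, slot: str, passphrase: bytes):
        dek = secrets.token_bytes(KEY_LEN)
        self.ciphertext = seal(dek, data)   # the expensive part: done once
        self.slots = {}                     # slot name -> (salt, wrapped DEK)
        self._wrap(dek, slot, passphrase)

    def _wrap(self, dek: bytes, slot: str, passphrase: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.slots[slot] = (salt, seal(derive_kek(passphrase, salt), dek))

    def _unwrap(self, slot: str, passphrase: bytes) -> bytes:
        salt, wrapped = self.slots[slot]
        return unseal(derive_kek(passphrase, salt), wrapped)

    def unlock(self, slot: str, passphrase: bytes) -> bytes:
        return unseal(self._unwrap(slot, passphrase), self.ciphertext)

    def rotate(self, slot: str, old_passphrase: bytes, new_passphrase: bytes) -> None:
        """Re-wrap the DEK under a fresh KEK. The bulk ciphertext is untouched."""
        dek = self._unwrap(slot, old_passphrase)
        self._wrap(dek, slot, new_passphrase)

    def rekey_data(self, slot: str, passphrase: bytes) -> None:
        """New DEK and full re-encryption. Needed only if an old wrapped DEK and
        its KEK may both be in the adversary's hands. Other slots must be re-enrolled."""
        plaintext = self.unlock(slot, passphrase)
        new_dek = secrets.token_bytes(KEY_LEN)
        self.ciphertext = seal(new_dek, plaintext)
        self.slots = {}
        self._wrap(new_dek, slot, passphrase)
```

Rotation is the cheap path: after `rotate()` the old passphrase no longer unwraps anything the volume now stores, while the ciphertext bytes are identical. The caveat is the escrow copy: whoever held the old KEK can still open a saved copy of the old wrapped DEK, and that DEK still decrypts the unchanged data, which is the only scenario in which re-encrypting under a new DEK (here `rekey_data()`) is actually required.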