
Comment by fulafel

15 hours ago

> delete your existing keys from OneDrive

This seems to go against principles of key management. If your key escrow peer has defected, the correct response is to rotate your keys.

Exactly. I question why the parent says you have to re-encrypt the drive.

Microsoft has the KEK or passphrase that can be used to derive the KEK. The KEK protects the DEK which is used to encrypt the data. Rotating the KEK (or KEKs if multiple slots are used) will overwrite the encrypted DEK, rendering the old KEK useless.

Or does BitLocker work differently than typical data-at-rest encryption?

  • BitLocker recovery keys are essentially the key to an at-rest, local copy of the real key. (I.e., they need access to the encrypted drive to get the real encryption key)

    When you use a recovery key at preboot, it decrypts that on-disk backup copy of the encryption key with your numerical recovery key, and uses the decrypted form as the actual disk encryption key. Thus, you can delete & regenerate a recovery key, or even create several different recovery keys.
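The following is an added worked example, written for this page and not code from Microsoft, BitLocker, or either commenter, that models the KEK/DEK envelope scheme the two comments above describe: one data encryption key (DEK) wrapped once per key slot, a numeric recovery key stretched into a key-encryption key (KEK), and slot rotation that rewraps the DEK without touching the encrypted data. It assumes a standard-library-only toy authenticated cipher (HMAC-SHA256 in counter mode plus an HMAC tag) standing in for AES, a simplified PBKDF2 recovery-key derivation, and an in-memory slot table; none of these are BitLocker's actual algorithms or on-disk format.

```python
"""Toy model of envelope encryption with rotatable key slots (added example, not BitLocker code)."""
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one key so the two roles never share material.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-CTR, used only so this runs anywhere.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag first, so a wrong key is rejected before any plaintext is produced."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted blob")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def new_recovery_key() -> str:
    # 48 decimal digits in 8 groups of 6, the shape of a BitLocker recovery password (constructed).
    groups = ["".join(secrets.choice("0123456789") for _ in range(6)) for _ in range(8)]
    return "-".join(groups)


def kek_from_recovery_key(recovery_key: str, salt: bytes) -> bytes:
    """Stretch the numeric recovery key into a KEK (simplified; not BitLocker's real derivation)."""
    digits = recovery_key.replace("-", "")
    return hashlib.pbkdf2_hmac("sha256", digits.encode(), salt, 100_000)


class Volume:
    """One encrypted volume: a single DEK, stored only in wrapped form, once per key slot."""

    def __init__(self) -> None:
        self.dek = os.urandom(32)                    # held here only to simulate the unlocked device
        self.slots: dict[str, tuple[bytes, bytes]] = {}  # slot name -> (salt, DEK wrapped under KEK)
        self.ciphertext = b""                        # the "drive contents", encrypted under the DEK

    def write(self, plaintext: bytes) -> None:
        self.ciphertext = seal(self.dek, plaintext)

    def add_recovery_slot(self, name: str) -> str:
        """Generate a recovery key and store the DEK wrapped under the KEK derived from it."""
        rk = new_recovery_key()
        salt = os.urandom(16)
        self.slots[name] = (salt, seal(kek_from_recovery_key(rk, salt), self.dek))
        return rk

    def rotate_recovery_slot(self, name: str) -> str:
        """Overwrite the slot with a fresh wrap of the same DEK; the data itself is not re-encrypted."""
        return self.add_recovery_slot(name)

    def unlock(self, name: str, recovery_key: str) -> bytes:
        """What a recovery-key holder can do only with access to the disk: unwrap the DEK, read the data."""
        salt, wrapped = self.slots[name]
        dek = unseal(kek_from_recovery_key(recovery_key, salt), wrapped)
        return unseal(dek, self.ciphertext)


def can_unlock(vol: Volume, name: str, recovery_key: str) -> bool:
    """True if the recovery key still opens the slot; False once the slot has been rotated."""
    try:
        vol.unlock(name, recovery_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    vol = Volume()
    vol.write(b"drive contents")                     # constructed sample data
    escrowed = vol.add_recovery_slot("cloud-backup")
    before = vol.ciphertext
    fresh = vol.rotate_recovery_slot("cloud-backup")
    print("data re-encrypted:", vol.ciphertext != before)   # False: only the wrapped DEK changed
    print("old escrowed key still works:", can_unlock(vol, "cloud-backup", escrowed))  # False
    print("new key works:", can_unlock(vol, "cloud-backup", fresh))                     # True
```

The point the example makes concrete: rotating a slot replaces the wrapped copy of the DEK, so a previously escrowed recovery key no longer unwraps anything, while the bulk ciphertext is byte-for-byte unchanged. A rotation also does nothing about a copy of the old wrapped DEK plus the old recovery key that someone captured before the rotation, which is why the usual guidance is to rotate promptly rather than after the fact.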