TL;DR
BitLocker encrypts data with a Full Volume Encryption Key (FVEK); the FVEK is wrapped by the Volume Master Key (VMK), and the VMK is wrapped by one or more key protectors (TPM, TPM+PIN, password, 48-digit recovery password, USB startup key). "Updating the VMK" in this guide means rotating its recovery-password protector: add a new one, escrow it, delete the old one. The VMK and FVEK themselves do not change and no data is re-encrypted, so the operation takes seconds. The guide walks through that rotation with manage-bde (and PowerShell) and explains the difference between keeping the original recovery key ("keyed") and replacing it ("re-keyed").
Understanding BitLocker Recovery Keys
When you turn on BitLocker, a 48-digit recovery password is generated as one of the volume's key protectors. It lets you unlock the drive when the normal protector cannot be used (TPM measurements changed after a firmware or boot-configuration update, a forgotten PIN, or the drive moved to another machine). This page uses two labels for how you manage that key:
- Keyed: the original recovery password is kept for the life of the volume. Simpler, but every copy ever printed, saved, or escrowed stays valid.
- Re-keyed: a new recovery password is generated and escrowed, then the old protector is deleted from the volume. Every old copy becomes useless, which limits the damage if one leaked.
Updating the recovery protector on your VMK is therefore a re-keying operation. It replaces the key that unwraps the VMK, not the VMK itself.
How to Update Your Volume Master Key
- Check the current state: search for "Manage BitLocker" in the Windows search bar and open it, or open an elevated Command Prompt (search for "cmd", right-click, "Run as administrator") and run:
manage-bde -status C:
Replace C: with your drive letter throughout. Protection must be On and the volume Fully Encrypted before you rotate anything; if it shows protection suspended or Encryption in Progress, finish that first.
- Back up your current recovery key: IMPORTANT! Before changing anything, make sure the existing recovery password is saved somewhere reachable without this machine (printed, a file on another device, your Microsoft account, or AD DS / Entra ID in a managed environment). The "Back up your recovery key" link in Manage BitLocker does this. If the rotation goes wrong and you hold no valid recovery password, the data on the drive is gone.
- List the existing protectors:
manage-bde -protectors -get C:
Each protector is printed with its type and ID (a GUID in braces). Note the ID of the current Numerical Password entry; that is the recovery password you will retire.
- Add a new recovery password:
manage-bde -protectors -add C: -RecoveryPassword
BitLocker generates a fresh 48-digit password and prints it with its new protector ID. You cannot choose the value yourself.
- Escrow the new password: save it the same way as the old one before continuing. On a domain-joined machine you can store it in AD DS with:
manage-bde -protectors -adbackup C: -id {new-protector-ID}
- Delete the old recovery password, using the ID from the listing step, not the new one:
manage-bde -protectors -delete C: -id {old-protector-ID}
The TPM (or password) protector is left untouched, so normal boots are unaffected. Adding or deleting a protector rewrites only volume metadata and completes in seconds; there is no long-running progress to watch.
- Verify: run manage-bde -protectors -get C: again and confirm exactly one Numerical Password protector remains, with the new ID. manage-bde -status C: should still show the same encryption method and Protection On: the VMK was not replaced, only the key that unwraps it.
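The same rotation as one PowerShell function using the built-in BitLocker module, added here as an example and not part of the original guide. It enforces the safe ordering (add, escrow, then delete, then verify) that the step list describes. The function name, the local escrow directory under ProgramData and the -EscrowToAD switch are this example's own choices; only the Get-/Add-/Remove-/Backup-BitLockerKeyProtector cmdlets are BitLocker's.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules BitLocker

# Rotate the 48-digit recovery password on one BitLocker volume:
# add a new RecoveryPassword protector, escrow it, then delete the old one(s).
# The VMK and FVEK are untouched; only the protector that unwraps the VMK changes.
# (Added example; function name and escrow layout are assumptions, not BitLocker features.)
function Update-BitLockerRecoveryPassword {
    param(
        [string]$MountPoint = 'C:',
        # Assumed local escrow directory for a stand-alone machine. On a managed
        # estate pass -EscrowToAD instead of writing the password to a local file.
        [string]$EscrowPath = (Join-Path $env:ProgramData 'BitLockerEscrow'),
        [switch]$EscrowToAD
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
        throw "Refusing to rotate: $MountPoint is $($vol.VolumeStatus), protection $($vol.ProtectionStatus)."
    }

    # Remember the recovery-password protector(s) we are about to retire.
    $old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # 1. Add a fresh recovery password. BitLocker generates the value; we never choose it.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $new = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                       $old.KeyProtectorId -notcontains $_.KeyProtectorId })
    if ($new.Count -ne 1) { throw "Expected exactly one new recovery protector, found $($new.Count)." }
    $new = $new[0]

    # 2. Escrow the NEW password before touching the old one. Deleting first and
    #    escrowing second is how a rotation turns into a lockout.
    if ($EscrowToAD) {
        # Domain-joined: store in AD DS. (Entra-joined machines use BackupToAAD-BitLockerKeyProtector.)
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null
        $escrow = 'AD DS'
    } else {
        New-Item -ItemType Directory -Path $EscrowPath -Force | Out-Null
        $escrow = Join-Path $EscrowPath ('{0}-{1}.txt' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
        @(
            "Computer:          $env:COMPUTERNAME"
            "Drive:             $MountPoint"
            "Protector ID:      $($new.KeyProtectorId)"
            "Recovery password: $($new.RecoveryPassword)"
        ) | Set-Content -Path $escrow
    }

    # 3. Only now delete the old recovery-password protector(s). The TPM/PIN/password
    #    protector is left alone, so normal boots are unaffected.
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    # 4. Verify: exactly one recovery password remains and it is the new one.
    $after = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($after.Count -ne 1 -or $after[0].KeyProtectorId -ne $new.KeyProtectorId) {
        throw "Post-rotation check failed on $MountPoint; inspect 'manage-bde -protectors -get $MountPoint' before rebooting."
    }

    [pscustomobject]@{
        MountPoint          = $MountPoint
        NewProtectorId      = $new.KeyProtectorId
        RemovedProtectorIds = $old.KeyProtectorId
        EscrowedTo          = $escrow
    }
}

Update-BitLockerRecoveryPassword -MountPoint 'C:'
```

The local-file branch is the scripted equivalent of "save it to a file" in the backup step: the file holds the password in plain text, so move it off the machine (or use -EscrowToAD) and delete the local copy once it is stored elsewhere. The function deliberately throws rather than continuing whenever the volume is not fully protected or the post-rotation listing does not match, because a half-finished rotation is worse than none.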
Keyed vs Re-keyed in Detail
- Keyed (default): the recovery password created when BitLocker was turned on stays valid indefinitely. It is not stored on the volume in the clear; what the volume holds is a copy of the VMK encrypted under that password (and a separate copy under each other protector). The weakness is operational rather than cryptographic: every printout, file, Microsoft-account entry or directory object made since setup can unlock the drive, so a leak anywhere is permanent.
- Re-keyed: adding a new recovery-password protector writes a new wrapped copy of the VMK; deleting the old protector removes the copy the old password could unwrap. Someone holding the old 48 digits is now refused rather than let in. Caveat: rotation does not help if an attacker already used the old password to unlock the volume, or captured the VMK or FVEK from memory, because those keys did not change. Changing them requires decrypting and re-encrypting the drive.
Recommendation: re-key after every use of a recovery password (the BitLocker MDM policy for recovery password rotation can do this automatically on managed devices) and whenever a copy may have been exposed, and never let a rotation delete the old protector before the new one is escrowed.
Troubleshooting
- Error Messages: manage-bde prints a short description with each failure, so read it before searching for the numeric code. Common causes are running without elevation, a volume whose protection is suspended or that is not fully encrypted, and a Trusted Platform Module (TPM) that is not ready or has been cleared. Fix the cause rather than retrying, and never delete the old protector until manage-bde -protectors -get shows the new one and you have backed it up.
- Slow Progress: adding or deleting a protector only rewrites a small amount of volume metadata and finishes in seconds; it is not resource intensive. If you are watching a long-running percentage, the volume is being decrypted, encrypted or upgraded (manage-bde -off, -on or -upgrade), not re-keyed. Let that finish without powering off, then rotate the recovery password.

