BitLocker: Update Volume Master Key

TL;DR

BitLocker’s Volume Master Key (VMK) needs periodic updating for security. This guide explains how to do it, and the difference between ‘keyed’ and ‘re-keyed’ recovery options.

Understanding BitLocker Recovery Keys

When you enable BitLocker, a recovery key is generated. This key lets you unlock your drive if something goes wrong (forgotten password, corrupted system). There are two main ways BitLocker handles these keys:

• Keyed: The recovery key is stored alongside the encryption data on the volume. This is simpler but less secure.
• Re-keyed: A new recovery key is generated and stored, while the old one is discarded. This is more secure as it limits exposure if a key is compromised.

Updating your VMK often involves re-keying to improve security.

How to Update Your Volume Master Key

1. Open BitLocker Drive Encryption: Search for “Manage BitLocker” in the Windows search bar and open it.
2. Select the Drive: Find the drive you want to update (usually C:) and click “Change how the drive is unlocked”.
3. Backup Your Recovery Key: IMPORTANT! Before making any changes, ensure you have a backup of your current recovery key. You can save it to a file, print it, or store it in your Microsoft account. If you lose this key and BitLocker fails, you will lose access to the data on the drive.
4. Choose Recovery Method: In the ‘Change how you unlock this drive’ window, you’ll see options for recovery keys. You may be prompted to confirm existing settings or change them.
5. Run manage-bde: Open an elevated Command Prompt (search for “cmd”, right-click and select “Run as administrator”). Use the following command to update the VMK:

   manage-bde -upgrademvm C:

   Replace ‘C:’ with your drive letter.

6. Monitor Progress: The command will show progress. It may take a while, especially for large drives. Do not interrupt the process!
7. Verify Update (Optional): After completion, you can check BitLocker status using:

   manage-bde -status C:

   Look for information about the Volume Master Key and its protection level.

Keyed vs Re-keyed in Detail

• Keyed (Default): The recovery key is stored on the volume itself, protected by the encryption. If an attacker gains access to the encrypted volume, they *might* be able to extract the recovery key.
• Re-keyed: When you re-key, a new recovery key is generated and stored (e.g., in your Microsoft account or on a USB drive). The old key is discarded. This means even if an attacker gets hold of the old key, it’s no longer valid.

Recommendation: Always choose ‘Re-keyed’ when possible for improved security.

Troubleshooting

• Error Messages: If you encounter errors during the manage-bde command, check the error code and search online for solutions. Common issues include insufficient disk space or problems with the Trusted Platform Module (TPM).
• Slow Performance: Updating the VMK can be resource intensive. Ensure your computer has enough power and is not running other demanding tasks during the process.