I honestly hate confusion, especially in cases where it could easily be avoided with clear descriptions aimed at non-scientifically minded people. Take BitLocker, for example: you may have noticed that in my last post I warned you to suspend BitLocker while dealing with bcdedit. So what exactly does suspending BitLocker mean? Let me try to clarify this on my own, even at the risk of being too simplistic. So the talk is about this:

The prerequisite for understanding BitLocker and its suspension is familiarity with the concepts of symmetric and asymmetric encryption keys. Even if you are not familiar with them, I will help you catch up. Whenever you want to prevent someone from reading your data, you can encrypt it with either a symmetric key or an asymmetric key. The issue is that asymmetric encryption is very slow compared to symmetric encryption: not just 2 or 5 times slower, but orders of magnitude slower, hundreds or thousands of times. Therefore large quantities of data are usually encrypted with a symmetric key, which is also what BitLocker does.

When you turn on BitLocker, the system generates a symmetric key (AES), the Full Volume Encryption Key (FVEK), which is what actually encrypts the sectors of the drive. That key is never stored in the clear: it is itself encrypted with another symmetric key, the Volume Master Key (VMK), and the VMK is in turn protected by one or more "key protectors". In the default configuration the protector is the integrated TPM (Trusted Platform Module) chip, which seals the VMK with its own storage key so that it can only be unsealed when the machine booted the way it did when protection was turned on; alternatively (or additionally) the VMK can be protected by a startup key on a user-provided USB stick, a PIN, or the 48-digit recovery password. What ends up on the drive, in BitLocker's own metadata area on the encrypted volume, are only the encrypted copies of these keys. Encrypting the drive takes hours (remember how long it would take to encrypt it with an asymmetric key: days? weeks?).

So suspending BitLocker does not decrypt the drive (that would take hours again); instead the key that unlocks the drive is written to the disk in the clear. More precisely, BitLocker adds a so-called clear-key protector: a copy of the VMK that is not encrypted at all, stored in the volume's metadata, so anyone with access to the disk can read it, use it to decrypt the FVEK and with that read all the data. That is not the only thing which happens. Because the key is now available without asking the TPM, the integrity check over the early boot chain, including the hidden 100 MB system partition, no longer gates the boot. Confused? Let me explain:

Perhaps you already noticed that installing Windows 7 (on a previously unprepared disk) creates, next to the visible system drive (C:), an additional hidden 100 MB partition ("System Reserved"), like depicted below. Windows itself does not strictly need it: without BitLocker, Windows 7 can also be installed on a single, pre-prepared system partition, with the boot files living on C:. With BitLocker turned on, however, the system desperately needs some data that stays unencrypted, and that data is written to this hidden partition.

The unencrypted information is the boot environment: the Windows Boot Manager (bootmgr) and its Boot Configuration Data store (BCD), which records the number and locations of the bootable Windows installations on your system. Each installed OS boots through its own Windows Boot Loader entry, so there is a single Boot Manager and as many Boot Loader entries as systems installed; as we learned earlier, these entries are what bcdedit edits. This data on the hidden partition is NOT encrypted (it has to be readable before any key is available at all), but it is guarded by BitLocker against tampering: at every boot the TPM measures the boot components, including the Boot Manager and the BCD settings BitLocker cares about, and the VMK is only unsealed if those measurements match the values recorded when protection was turned on. Note that "checking the integrity" does not mean preventing writes to that partition; anyone with the disk can modify it. It means that a modification is detected at the next boot and the key is withheld.

Therefore, with BitLocker turned on (and not suspended), you can still install as many new operating systems as you want and edit your Boot Manager entries; however, such operations change the contents of the hidden partition, so at the next boot BitLocker will refuse to unlock the system drive unless you enter the recovery key manually.

Résumé: suspending BitLocker means at least two things:

  • The key that unlocks the drive (the VMK) is written to disk in the clear, so with a little effort anyone who gets hold of the disk can read it
  • The integrity check over the boot chain on the hidden volume is no longer enforced, so the Windows Boot Manager's records can be edited without triggering recovery at the next boot
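The suspend / edit / resume sequence described above, as an added PowerShell example (not code from the original post), using manage-bde and bcdedit, the tools this post is about. It assumes an elevated prompt, an English-language Windows (it parses the "Protection Status" line printed by manage-bde -status), the OS volume C:, and uses a boot-menu timeout change as a placeholder for whatever bcdedit edit you actually need; the helper names Get-ProtectionStatus and Invoke-Native are mine.

```powershell
# Added example: suspend BitLocker, back up and edit the BCD store, resume after the reboot.
# Assumptions: elevated PowerShell, English manage-bde output, OS volume C:; the bcdedit
# change below (boot menu timeout) is a placeholder for the edit you really want to make.
param(
    [switch]$Resume,            # second run, after the reboot that follows the edit
    [string]$Volume = 'C:',
    [int]$TimeoutSeconds = 10   # placeholder BCD edit
)

$ErrorActionPreference = 'Stop'

function Get-ProtectionStatus {
    # manage-bde -status prints "Protection Status: Protection On" or "... Protection Off".
    $out = & manage-bde.exe -status $Volume
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -status failed for $Volume" }
    $line = $out | Where-Object { $_ -match 'Protection Status' } | Select-Object -First 1
    if ($line -match 'Protection On')  { return 'On' }
    if ($line -match 'Protection Off') { return 'Off' }
    throw "Cannot parse BitLocker protection status for $Volume"
}

function Invoke-Native {
    # Run a native tool and fail loudly on a non-zero exit code.
    param([string]$Exe, [string[]]$ArgumentList)
    & $Exe @ArgumentList
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($ArgumentList -join ' ') failed with exit code $LASTEXITCODE"
    }
}

if (-not $Resume) {
    if ((Get-ProtectionStatus) -ne 'On') {
        throw "BitLocker protection is not On for $Volume; nothing to suspend"
    }

    # 1. Back up the BCD store; "bcdedit /import <file>" restores it if the edit goes wrong.
    $backup = "$env:SystemDrive\BCD-backup-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
    Invoke-Native bcdedit.exe @('/export', $backup) | Out-Null
    Write-Host "BCD store exported to $backup"

    # 2. Suspend. This writes a clear-key protector for the VMK into the volume metadata,
    #    so the next boot unlocks the drive without consulting the TPM measurements.
    Invoke-Native manage-bde.exe @('-protectors', '-disable', $Volume) | Out-Null
    if ((Get-ProtectionStatus) -ne 'Off') { throw "Suspend did not take effect on $Volume" }
    Write-Host "BitLocker suspended on $Volume (Protection Off)"

    # 3. The BCD edit itself (placeholder: boot menu timeout), then show the result.
    Invoke-Native bcdedit.exe @('/timeout', "$TimeoutSeconds") | Out-Null
    Invoke-Native bcdedit.exe @('/enum', '{bootmgr}')

    Write-Host "Reboot now, then run this script again with -Resume."
}
else {
    # 4. Resume: the clear key is removed and the VMK is sealed to the TPM again,
    #    against the boot chain as it is now.
    Invoke-Native manage-bde.exe @('-protectors', '-enable', $Volume) | Out-Null
    $status = Get-ProtectionStatus
    if ($status -ne 'On') { throw "Resume failed: protection is $status on $Volume" }
    Write-Host "BitLocker protection resumed on $Volume (Protection On)"
}
```

Run the script once to back up the BCD store, suspend protection and make the edit, reboot, then run it again with -Resume. The status check before and after is the point: "Protection Off" is exactly the state described in this post, with the VMK sitting on the volume under a clear-key protector until you resume, so keep that window short and do not leave a laptop in it. If the machine asks for the recovery key at the first boot after resuming, that is the integrity check doing its job; enter the key, and once the system is up, check the status again.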

