BitLocker question


Martin X.

Hello,



If I want to switch from using a startup key to TPM or vice versa, do I need
to decrypt the volume first or can I just disable BitLocker, then make the
switch after re-enabling BitLocker?



I'm planning to test this out today, but each encryption/decryption takes
about an hour. (I should have made my test volume smaller to speed that up,
but oh well . . .)



Also, how secure is BitLocker? Has anyone cracked it yet? Thanks.
 
No need to decrypt then re-encrypt. You can use the command-line interface
to change the protection types. Run an elevated command prompt, switch to
%WINDIR%\system32, and run this command:

cscript manage-bde.wsf -protectors -?

You'll see that you can add and delete protectors. To add one, look at this:

cscript manage-bde.wsf -protectors -add -?

To delete one, look at this:

cscript manage-bde.wsf -protectors -delete -?


To answer your other question, the algorithm is 128-bit AES with an Elephant
diffuser (search it out if you're curious). It hasn't been cracked. You
might also be interested to know that, despite persistent rumors, there is
no back door:
http://blogs.technet.com/steriley/archive/2007/07/13/the-bad-guys-will-use-bitlocker-too.aspx
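
The switch described in the reply above, from a startup key to the TPM without decrypting, sketched as a batch script. This is an added example, not part of the original thread. It assumes the volume is C:, the TPM is already initialised, and that the options it uses match what the -? screens list on your build.

```batch
@echo off
rem Added example, not from the thread. Run from an elevated command prompt.
rem Assumptions: the BitLocker volume is C:, the TPM is already initialised,
rem the options used here (-get, -add ... -tpm, -delete ... -id, -status)
rem match the -? help on your build, and the script sets a non-zero exit
rem code on failure (read its output as well).
rem %1 = ID of the startup-key protector exactly as printed by "-protectors -get"
rem      (constructed placeholder form: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}).
setlocal
set "VOL=C:"
set "OLD_ID=%~1"
set "BDE=cscript //nologo manage-bde.wsf"
cd /d "%WINDIR%\system32"

rem Without an ID, list the current protectors so the right one can be copied.
if "%OLD_ID%"=="" (
    echo Usage: %~nx0 {startup-key-protector-id}
    echo Current protectors on %VOL%:
    %BDE% -protectors -get %VOL%
    exit /b 1
)

rem 1. Add the new protector first, so the volume always has a working one.
%BDE% -protectors -add %VOL% -tpm
if not "%ERRORLEVEL%"=="0" (
    echo Adding the TPM protector failed; nothing was deleted.
    exit /b 1
)

rem 2. Remove only the old startup key, by ID. A recovery key saved to USB is
rem    also listed as an external key, so deleting by type could remove it too.
%BDE% -protectors -delete %VOL% -id %OLD_ID%
if not "%ERRORLEVEL%"=="0" (
    echo Deleting protector %OLD_ID% failed; check the ID and retry.
    exit /b 1
)

rem 3. Confirm the result: the TPM protector is present, the recovery
rem    protectors are untouched, and the volume is still fully encrypted.
%BDE% -protectors -get %VOL%
%BDE% -status %VOL%
endlocal
```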
 