Encryption may not work the way you think it does. And that’s OK.
I’ll assume you mean BitLocker whole-disk encryption, but the concept applies to many different encryption tools. You can often change the password (or passphrase) without needing to re-encrypt what you’ve encrypted.
How’s that even possible? The secret is this: your password wasn’t used to encrypt the disk.
Become a Patron of Ask Leo! and go ad-free!
Password update without re-encrypting
In some forms of encryption, the password or phrase you specify is not actually used to encrypt the data. It’s used to encrypt a completely random and typically more secure number that in turn is used to encrypt your data. Changing your password only changes how the intermediate number is encrypted and doesn’t affect the rest of the encrypted data.
Encryption keys
I can’t say specifically in detail how any operating system or encryption tool implements this concept, but it’s very common.
When you first encrypt a disk, an encryption key is manufactured for you. It’s a key you never see. It’s generally what you’ll see referred to as a 128-bit or 256-bit or other-sized encryption key. It’s not even something you would recognize as text — it’s a purely random1 binary number. That randomness is important — it’s much more random than any normal password you might create.
This encryption key is used to encrypt your data, not your password. In fact, your password hasn’t even been involved yet.
Your password is then hashed, possibly several times, into a number. This, too, is often 128 or 256 bits or similar.
This hash of your password is then used to encrypt the actual encryption key that is eventually used on your data. This encrypted actual encryption key is stored securely somewhere on your device.
Put another way, your password is used to encrypt one and only one thing: the “real” computer-generated key used to encrypt all of your data.
Decrypting your data
When you sign in, you provide your password2. If the password is correct, you can log in.
That password’s hash is then used to decrypt the encrypted actual encryption key.
That encryption key is then used to decrypt the data on your hard drive.
Changing your password
When you change your login password, all the system has to do is:
- Decrypt the encrypted encryption key using the hash of your old password.
- Re-encrypt it using the hash of the new password.
The actual key used to decrypt your hard disk never changed.
If you need to change the encryption key used to encrypt your data, you decrypt it completely and re-encrypt from scratch. For example, you might turn BitLocker off and then back on again. Turning it back on would cause a new completely random encryption key to be generated, which in turn would be secured in your Windows profile using your password.
Saving the key
I lied about not being able to see the key, at least when it comes to BitLocker.
When setting up a BitLocker encrypted drive, you’ll be encouraged to save a recovery key.
Again, while I can’t confirm the exact inner workings of BitLocker, it’s very likely that this is the key generated and used to encrypt the data on your hard drive (or some encoded variation thereof).
Other programs
Many encryption programs operate this way. It’s easy to tell: if changing the password is quick, then they probably store a separate actual encryption key. If the password update takes “a while” (it varies on how much data has been encrypted), then it’s possible the actual encryption has been changed.
VeraCrypt, I believe, is one example of an encryption tool that allows changing the passphrase without re-encrypting all the data. Many password managers also operate in this way.3
Do this
Choose good passwords or passphrases for your encrypted data, but don’t be alarmed if changing a password seems “too quick”. The more secure encryption key probably didn’t change, nor did it need to.
While you’re thinking about security, why not subscribe to Confident Computing? Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Footnotes & References
1: This is one of the reasons true computer-generated random numbers are so important. If the generated key could be predicted, it loses its security.
2: Or something else to prove you are you. In our example, even if you don’t specify your password specifically, you’ve specified enough for Windows to be able to proceed.
3: LastPass is an interesting example. Simply changing your password does not appear to re-encrypt your vault. However, changing the number of “iterations” used seems to.
I didn’t see any specific instructions on how to change a BitLocker password. Is that do-able without decrypting the drive? Does it make a difference whether the drive is UEFI controlled or not? Thanks!
If you’re using whole-disk encryption, then the article applies- you just change your login password.
For others I believe you must first decrypt then re=encrypt with the new password.
3: LastPass is an interesting example. Simply changing your password does not appear to re-encrypt your vault. However, changing the number of “iterations” used seems to.
FYI. After LastPass was breached, I changed my password to 28 characters (it was already at 24 characters so I wasn’t worried). I didn’t change the iterations number as it was already set to 700,000. But changing my password did cause a re-encryption (I got a pop-up telling me that).