
How Is it Possible to Change a Password Without Re-encrypting an Encrypted Disk?

How is it possible that you can change your Windows password without re-encrypting a hard disk that was encrypted using that password?

I’ll assume you mean BitLocker whole-disk encryption, but the concept applies to many different encryption tools. You can often change the password (or passphrase) without needing to re-encrypt whatever it is you’ve encrypted.

The secret is simply this: your password wasn’t used to encrypt the disk.

Something else was.


Encryption keys

I can’t say specifically how any operating system or encryption tool implements the concept, but it’s not an uncommon concept.

It generally works like this:

When you first encrypt a disk, an encryption key is manufactured for you. It’s a key you never see. It’s generally what’s referred to as a “128-bit” or “256-bit” encryption key. It’s not even something you would recognize as text — it’s a purely random[1] binary number.

It’s this encryption key, not your password, that is used to encrypt your data. In fact, your password hasn’t even been involved yet.

That randomly-generated encryption key is itself then encrypted using your password (or some number based on your password). That encrypted encryption key is then stored somewhere — usually in your user profile on Windows.

Your password unlocks the key, which unlocks the data.

Decrypting your data

When you successfully log in, you provide your password[2].

This password (or that number based on your password) can then be used to decrypt the hard disk encryption key and make it available.

That encryption key can then, in turn, be used to decrypt the data on your hard drive.

Changing your password

When you change your login password, all the system has to do is

  1. decrypt the encrypted encryption key using your old password
  2. re-encrypt it using the new password

The actual key used to decrypt your hard disk never changed.

If you needed to change the encryption key used to actually encrypt your data, you would need to decrypt it completely and then re-encrypt. For example, you might turn BitLocker off and then back on again. Turning it back on would cause a new completely random encryption key to be generated, which in turn would be secured in your Windows profile, using your password.

Saving the key

I lied about not being able to see the key, at least when it comes to BitLocker.

When setting up a BitLocker encrypted drive, you’ll be encouraged to save a recovery key.

Back up your recovery key!

Again, while I can’t confirm the exact inner workings of BitLocker, it’s very likely that this is the key generated and used to encrypt the data on your hard drive.


Footnotes & References

1: This is one of the reasons true computer-generated random numbers are so important. If the generated key could be predicted, it loses its security.

2: Or something else to prove you are you. Even if you don’t specify your password specifically, you’ve specified enough for Windows to be able to proceed with our example.

3 comments on “How Is it Possible to Change a Password Without Re-encrypting an Encrypted Disk?”

  1. I didn’t see any specific instructions on how to change a BitLocker password. Is that do-able without decrypting the drive? Does it make a difference whether the drive is UEFI controlled or not? Thanks!

    • If you’re using whole-disk encryption, then the article applies: you just change your login password.
      For others I believe you must first decrypt then re-encrypt with the new password.
