I’ll assume you mean BitLocker whole-disk encryption, but the concept applies to many different encryption tools. You can often change the password (or passphrase) without needing to re-encrypt whatever it is you’ve encrypted.
The secret is simply this: your password wasn’t used to encrypt the disk.
Something else was.
I can’t say specifically how any operating system or encryption tool implements the concept, but it’s not an uncommon concept.
It generally works like this:
When you first encrypt a disk, an encryption key is manufactured for you. It’s a key you never see. It’s generally what is referred to as a “128-bit” or “256-bit” encryption key. It’s not even something you would recognize as text — it’s a purely random[1] binary number.
It is this encryption key, not your password, that is used to encrypt your data. In fact, your password hasn’t even been involved yet.
That randomly-generated encryption key is itself then encrypted using your password (or some number based on your password). That encrypted encryption key is then stored somewhere — usually in your user profile on Windows.
Decrypting your data
When you successfully log in, you provide your password[2].
This password (or that number based on your password) can then be used to decrypt the hard disk encryption key and make it available.
That encryption key can then, in turn, be used to decrypt the data on your hard drive.
Changing your password
When you change your login password, all the system has to do is:
- decrypt the encrypted encryption key using your old password
- re-encrypt it using the new password
The actual key used to decrypt your hard disk never changed.
If you needed to change the encryption key used to actually encrypt your data, you would need to decrypt it completely and then re-encrypt. For example, you might turn BitLocker off and then back on again. Turning it back on would cause a new completely random encryption key to be generated, which in turn would be secured in your Windows profile, using your password.
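The two-layer scheme described above, as an added example that is not code from the article or from BitLocker: a random data key encrypts the "disk", a key derived from the password only wraps that data key, and a password change unwraps and re-wraps without touching the encrypted data. Assumed: the disk is a constructed byte string, and an HMAC-SHA256 keystream plus HMAC tag stands in for the real AES cipher so the example runs with the standard library only.

```python
import os, hmac, hashlib

# Stand-in authenticated cipher (encrypt-then-MAC). BitLocker uses AES; this
# HMAC-based construction keeps the example dependency-free. The structure
# around it, not the cipher itself, is what the article explains.
def _keystream(key, nonce, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong password or tampered key blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def kek_from_password(password, salt):
    # "Some number based on your password": a slow KDF, never the raw password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def setup_volume(password, disk_data):
    dek = os.urandom(32)                       # the 256-bit key you never see
    salt = os.urandom(16)
    encrypted_disk = encrypt(dek, disk_data)   # data is protected by the DEK...
    wrapped = encrypt(kek_from_password(password, salt), dek)
    return encrypted_disk, {"salt": salt, "wrapped_dek": wrapped}  # ...DEK by password

def change_password(protector, old_password, new_password):
    # Unwrap with the old password, re-wrap with the new one; the DEK is unchanged.
    dek = decrypt(kek_from_password(old_password, protector["salt"]), protector["wrapped_dek"])
    new_salt = os.urandom(16)
    return {"salt": new_salt,
            "wrapped_dek": encrypt(kek_from_password(new_password, new_salt), dek)}

def read_volume(protector, password, encrypted_disk):
    dek = decrypt(kek_from_password(password, protector["salt"]), protector["wrapped_dek"])
    return decrypt(dek, encrypted_disk)
```

Note that `change_password` never receives `encrypted_disk` at all, which is the whole point: the data stays encrypted under the same key throughout.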
Saving the key
I lied about not being able to see the key, at least when it comes to BitLocker.
When setting up a BitLocker encrypted drive, you’ll be encouraged to save a recovery key.
Again, while I can’t confirm the exact inner workings of BitLocker, it’s very likely that this is the key generated and used to encrypt the data on your hard drive.
Footnotes & References
1: This is one of the reasons true computer-generated random numbers are so important. If the generated key could be predicted, it loses its security.
2: Or something else to prove you are you. Even if you don’t specify your password specifically, you’ve specified enough for Windows to be able to proceed with our example.
3 comments on “How Is it Possible to Change a Password Without Re-encrypting an Encrypted Disk?”
I didn’t see any specific instructions on how to change a BitLocker password. Is that do-able without decrypting the drive? Does it make a difference whether the drive is UEFI controlled or not? Thanks!
If you’re using whole-disk encryption, then the article applies: you just change your login password.
For others I believe you must first decrypt then re-encrypt with the new password.
From the 1st paragraph of Newsletter #755.
Immanent or imminent?
I confess I didn’t recognize immanent so had to look it up. I think imminent is what you meant unless you had a more cerebral idea in mind.