An attacker with physical access can abruptly restart the device and dump RAM, as analysis of this memory may reveal FVEK keys from recently running Windows instances, compromising data encryption.

The effectiveness of this attack is, however, limited because the data stored in RAM degrades rapidly after the power is cut off.

  • narc0tic_bird@lemm.ee
    8 · edited · 3 days ago

    Is this really a BitLocker issue or more an issue inherent in the hardware design?

    EDIT: Okay, looks like Microsoft could do better:

    By kernel-level debugging with WinDbg, the researcher observed BitLocker operations during the Windows boot process, which revealed that while Microsoft attempts to erase encryption keys using functions like SymCryptSessionDestroy, some keys persist on the heap, potentially due to incomplete key destruction mechanisms.

    But maybe the hardware/UEFI should immediately wipe memory upon restarting anyway…?

    • Limonene@lemmy.world
      7 · edited · 3 days ago

      The key has to be stored somewhere to be able to use it. This is full disk encryption, so every single sector that is read or written (except some boot and kernel stuff, presumably) needs to go through that encryption key. You could maybe store it in a cryptographic coprocessor that uses SRAM for the key and key schedule, but those are very uncommon now that AES-NI is popular. And I don’t think AES-NI has any special registers that could help here.
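The key-destruction point raised in narc0tic_bird's comment above (the raw key is wiped, but material derived from it stays on the heap) as an added C example; this is not code from the thread or from Microsoft's SymCrypt, and `key_ctx`, the toy round-key expansion and the key bytes are constructed for illustration:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical key context: the raw key plus material derived from it
 * (a toy "round key" expansion standing in for a real cipher key schedule). */
typedef struct {
    uint8_t key[32];
    uint8_t round_keys[14][16];
    int     ready;
} key_ctx;

static void expand_toy_schedule(key_ctx *ctx) {
    for (int r = 0; r < 14; r++)
        for (int i = 0; i < 16; i++)
            ctx->round_keys[r][i] = ctx->key[(i + r) % 32] ^ (uint8_t)(r * 0x1b);
    ctx->ready = 1;
}

/* Wipe the optimizer cannot drop as a dead store: every write goes through a
 * volatile pointer (same idea as explicit_bzero / SecureZeroMemory). */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Incomplete destruction: wipes the raw key but forgets the derived schedule. */
static void ctx_wipe_incomplete(key_ctx *ctx) {
    secure_wipe(ctx->key, sizeof ctx->key);
}

/* Complete destruction: every byte that could reconstruct the key goes. */
static void ctx_wipe_complete(key_ctx *ctx) {
    secure_wipe(ctx, sizeof *ctx);
}

/* Count bytes of key material still present in a context after a wipe. */
size_t residual_bytes(const key_ctx *ctx) {
    const uint8_t *b = (const uint8_t *)ctx;
    size_t n = 0;
    for (size_t i = 0; i < sizeof *ctx; i++) n += (b[i] != 0);
    return n;
}

/* Build a context from a constructed key, wipe it the given way, report residue. */
size_t residue_after_wipe(int complete) {
    key_ctx *ctx = calloc(1, sizeof *ctx);
    for (int i = 0; i < 32; i++) ctx->key[i] = (uint8_t)(0xA5 ^ i); /* constructed key */
    expand_toy_schedule(ctx);
    if (complete) ctx_wipe_complete(ctx); else ctx_wipe_incomplete(ctx);
    size_t n = residual_bytes(ctx);
    free(ctx);
    return n;
}
```

The residue is measured before `free` because reading freed memory is undefined; the point is that a destructor which only clears the field named "key" leaves a heap image from which the key is recoverable.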