5

My laptop has been in the local repair store now for three months - the GPU was resoldered and stencilled. During the repair I damaged the SSD at home and the laptop wouldn’t boot. They tried to repair the SSD (taking a week) but it’s a no fix and it was returned to me. Fast forward to today:

The techie told me I need to install a new SSD, OK. He asked for the BitLocker key, which didn’t sound right to me because I thought that was used to access the hard drive, but we’re using a new SSD? He told me that the key is needed because it stops thieves from stealing machines and just replacing the SSD. He also said the SSD is paired to the BIOS chip and that to reuse my Windows key stored in the BIOS he doesn’t want to wipe it? Is this correct?

I’m worried maybe he cloned my hard drive and wants the key to steal my data. Or does he have legitimate reasons?

TLDR: Techie wants BitLocker key to install new SSD and use same Windows product key from BIOS after physical GPU repair and SSD replacement. (After having my SSD in his possession for a week)

iBug
Ben

5 Answers

14

This makes no sense whatsoever.

The BitLocker key is tied to the SSD. It has no relation to the Windows license.
A new SSD doesn't have BitLocker. And when, after installing a fresh Windows, you encrypt it using BitLocker, you may use the same PIN for BitLocker, but internally the new BitLocker setup will have a different, fresh BitLocker master key.

If the motherboard isn't replaced, a fresh Windows 10 (or 11) installation will automatically re-activate its license as soon as it is connected to the internet (regardless of whether the login is a local user account or a Microsoft LiveID).

So there is no way a service-tech needs your old BitLocker code.

Tonny
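To check the three claims in this answer on your own machine (the BitLocker protectors belong to a volume, the TPM is a separate component, and the OEM Windows key lives in the firmware, not on the SSD), here is an added example script; it is not part of the original thread and the function names are my own. It assumes an elevated PowerShell session on Windows 10/11 with the built-in BitLocker and TrustedPlatformModule modules, and reads only; it changes nothing.

```powershell
# Added example, not from the Super User thread. Run as Administrator.
# Shows that BitLocker protector IDs are per volume, that the TPM is a separate
# component, and that the OEM product key comes from firmware (ACPI MSDM table).
#Requires -RunAsAdministrator

function Get-BitLockerProtectorSummary {
    # One row per volume and protector. KeyProtectorId is generated when a
    # volume is encrypted, so a freshly encrypted replacement SSD gets new IDs
    # and a new recovery password; the old drive's key cannot be "reused".
    Get-BitLockerVolume | ForEach-Object {
        $vol = $_
        if ($vol.KeyProtector.Count -eq 0) {
            [pscustomobject]@{
                Volume        = $vol.MountPoint
                VolumeStatus  = $vol.VolumeStatus
                Protection    = $vol.ProtectionStatus
                ProtectorType = '(none)'
                ProtectorId   = $null
            }
        }
        else {
            foreach ($kp in $vol.KeyProtector) {
                [pscustomobject]@{
                    Volume        = $vol.MountPoint
                    VolumeStatus  = $vol.VolumeStatus
                    Protection    = $vol.ProtectionStatus
                    ProtectorType = $kp.KeyProtectorType
                    ProtectorId   = $kp.KeyProtectorId
                }
            }
        }
    }
}

function Get-TpmSummary {
    # Get-Tpm talks to the TPM itself; none of these flags depend on which
    # disk is installed.
    $tpm = Get-Tpm
    [pscustomobject]@{
        Present            = $tpm.TpmPresent
        Ready              = $tpm.TpmReady
        Enabled            = $tpm.TpmEnabled
        Owned              = $tpm.TpmOwned
        OwnerClearDisabled = $tpm.OwnerClearDisabled
    }
}

function Get-WindowsLicenseSummary {
    # OA3xOriginalProductKey is the OEM key embedded in the motherboard
    # firmware; it is read from ACPI, not from any drive or from the TPM.
    $svc  = Get-CimInstance -ClassName SoftwareLicensingService
    # 55c92734-... is the well-known ApplicationID for the Windows OS licence.
    $prod = Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "PartialProductKey IS NOT NULL AND ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f'" |
        Select-Object -First 1
    $status = switch ($prod.LicenseStatus) {
        0 { 'Unlicensed' }
        1 { 'Licensed' }
        2 { 'Initial grace period' }
        3 { 'Additional grace period' }
        4 { 'Non-genuine grace period' }
        5 { 'Notification' }
        6 { 'Extended grace period' }
        default { "Unknown ($($prod.LicenseStatus))" }
    }
    [pscustomobject]@{
        FirmwareOemKeyPresent = -not [string]::IsNullOrEmpty($svc.OA3xOriginalProductKey)
        Edition               = $prod.Name
        PartialProductKey     = $prod.PartialProductKey
        LicenseStatus         = $status
    }
}

# Usage: print all three summaries.
Get-BitLockerProtectorSummary | Format-Table -AutoSize
Get-TpmSummary
Get-WindowsLicenseSummary
```

If the first table shows a RecoveryPassword protector on your current system drive, that is the only "BitLocker key" a repair shop could conceivably need, and only for decrypting that same volume; keep it for yourself (the password itself is in `(Get-BitLockerVolume C:).KeyProtector` under RecoveryPassword) rather than handing it over. FirmwareOemKeyPresent being true confirms the licence key sits in firmware and survives any disk swap.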
7

I fail to see how your BitLocker key would help. If some data had been salvaged and needed to be decrypted, sure; but to replace it with a new device, I'm not even aware of any way you could tell Windows to use a specific key.

Let's see it another way. Your HDD/SSD became corrupted and you need to reinstall Windows. Windows won't install itself encrypted at first. So why would having that key be necessary to install a new OS?

So far I'm not aware of PC computers where you can't replace a bit of hardware unless you have some security key.

Sounds dodgy. Then again, in IT I've heard lots of people say things they believed were true.

The closest thing I can think of is your Windows "digital entitlement", which is somewhat tied to your hardware; if you replace too much hardware, the license will at least need to be re-activated. He might think having the BitLocker key will reduce the chances of that happening (which, to the best of my knowledge, it doesn't).

My advice: don't give it. I actually wouldn't even expect most people to have it... (OK it might be saved in the MS account)

3

He also said the SSD is paired to the BIOS chip and that to reuse my windows key stored in the BIOS he doesn’t want to wipe it? Is this correct?

That is correct. Windows stores keys in the TPM. If you wish to use those keys you must have the TPM password.

If you wish to do a clean install of Windows, you can discard those keys, but that does mean that any other keys you have installed will also be discarded. In particular, if you are a business user using your laptop as a smart card, you're going to lose that key.

On the other hand, if all you've got to worry about is encrypted, replaceable files such as media on the discarded SSD, then you can just do a clean install.

If you want to use your existing MS Windows license for a clean install, you may have to give your MS account login password to the tech, or do your own Windows installation.

Windows TPM

Journeyman Geek
user165568
-2

Ask them to do a sector-by-sector copy to a larger replacement SSD and expect that you may need to fix the boot loader after this and enter your BitLocker key after SSD replacement, since they won't be able to ensure that it boots. The tech may also want to test the GPU in Windows.

MM11
-3

The only way this makes sense is if the old disk was replaced, so the new disk is empty, yet the bitlocker key is still found in the TPM so the BIOS is still insisting on it, although the new disk isn't encrypted at all. However, the technician cannot access the disk without the password in order to install Windows.

If you know the password, giving it might help the technician, although the whole situation is unclear to me and I have doubts that this will help.

Otherwise, the simplest solution to use the new disk would be to clear the TPM. This would require knowledge of the exact model of your motherboard and your BIOS version, but in general this is an option inside the BIOS, perhaps found inside a "TPM security" section.


Since I was attacked and this answer was downvoted on the basis that the UEFI has nothing to do with Bitlocker, here are some facts that will throw some light on the question.

  1. I was criticized for saying that the Windows bootloader uses the UEFI to turn off BitLocker, so here are some facts about the sizes of the software involved, as gathered for one Windows 10 computer:

    • The Windows bootloader (bootmgfw.efi) : 1 590 640 bytes
    • The Windows Bitlocker interface (manage-bde) : 222 KB
    • The UEFI download file (BIOS_IMG.rcv) : 27.06 MB

    This small bootloader is also called "stub" in some Microsoft documentation, and it's clear that it must rely heavily on services supplied by the UEFI.

  2. In fact, the Unified Extensible Firmware Interface (UEFI) Specification says this very clearly in section "2.1.3 UEFI OS Loaders":

A UEFI OS loader is a special type of UEFI application that normally takes over control of the system from firmware conforming to this specification. When loaded, the UEFI OS loader behaves like any other UEFI application in that it must only use memory it has allocated from the firmware and can only use UEFI services and protocols to access the devices that the firmware exposes.

  3. A certificate may contain information identifying its intended usage. For example, the Microsoft article BitLocker group policy settings says:

    The object identifier is specified in the extended key usage (EKU) of a certificate. BitLocker can identify which certificates can be used to authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting.

    This means that it's possible for the UEFI to identify Bitlocker-intended keys inside the TPM (unfortunately not much information is publicly available about which are the exact mechanisms used by Bitlocker for the TPM).

It can be concluded that indeed it's the UEFI that controls all device accesses and every resource request issued by the bootloader. It can be said that the UEFI is the guarantee that Secure Boot is indeed secure - for each and every action, the bootloader must pass through the UEFI. This certainly includes verifying digital signatures and also Bitlocker and TPM.

I believe that I have answered here all the criticism that was directed at me in the comments.

harrymc
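The answer above mentions clearing the TPM from firmware setup as a way to get rid of leftover keys. The same can be done from within Windows, and the caveat a practitioner wants is the order of operations: clearing the TPM destroys every key sealed to it, so any BitLocker volume that still boots with a TPM protector must be suspended first, or it will demand its recovery password at the next start. The firmware-embedded OEM product key is unaffected, because it lives in the ACPI MSDM table, not in the TPM. The script below is an added example, not code from the thread; the function names are mine, and it assumes an elevated PowerShell session on Windows 10/11 with the built-in BitLocker and TrustedPlatformModule modules.

```powershell
# Added example, not from the Super User thread. Run as Administrator.
# Suspend any TPM-bound BitLocker volumes, then clear the TPM. Modern
# firmware asks for physical-presence confirmation on the next boot before
# the clear actually happens.
#Requires -RunAsAdministrator

function Get-TpmBoundBitLockerVolume {
    # Volumes whose protection is on and that use any Tpm* protector
    # (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey).
    Get-BitLockerVolume | Where-Object {
        $_.ProtectionStatus -eq 'On' -and
        ($_.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
    }
}

function Reset-TpmForNewInstall {
    param(
        # Skip the pre-flight refusal when OwnerClearDisabled is set by policy.
        [switch] $Force
    )

    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        throw 'No TPM detected on this machine; nothing to clear.'
    }
    if ($tpm.OwnerClearDisabled -and -not $Force) {
        throw 'Clearing from the OS is disabled by policy; use the firmware setup (TPM security section) instead.'
    }

    # Step 1: make every TPM-bound volume bootable without the TPM.
    # RebootCount 0 keeps protection suspended until Resume-BitLocker is run,
    # so a single reboot will not silently re-seal to the (new) TPM state.
    $bound = @(Get-TpmBoundBitLockerVolume)
    foreach ($vol in $bound) {
        Write-Host "Suspending BitLocker on $($vol.MountPoint)"
        Suspend-BitLocker -MountPoint $vol.MountPoint -RebootCount 0 | Out-Null
    }

    # Step 2: clear the TPM. This wipes all keys sealed to it, including any
    # BitLocker, Windows Hello or virtual-smart-card keys on this machine.
    Clear-Tpm | Out-Null

    [pscustomobject]@{
        SuspendedVolumes = $bound.MountPoint
        RestartRequired  = (Get-Tpm).RestartPending
    }
}

# Usage: review what would be affected, then run the reset.
Get-TpmBoundBitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus
Reset-TpmForNewInstall
Write-Warning 'Reboot now and accept the firmware prompt to clear the TPM. Resume BitLocker afterwards with Resume-BitLocker -MountPoint C:.'
```

On the machine in the question, where the encrypted SSD is dead and the new one is empty, Get-TpmBoundBitLockerVolume returns nothing and the clear is harmless; on a working system, losing the suspend step is exactly how people end up locked out at the recovery screen.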