
SafeGuard Encryption

We use imaging software, if we re-image it clears the BitLocker encryption, does this remove the encrypted data, if someone used data recovery would they be able to access the data?



  • You can never say NEVER in IT, but data should be safe. Without the recovery key (or access to it) the chances of data recovery are very slim - certainly by the "average" user.

    If you're concerned this might happen I would recommend disk wiping/cleaning software and do a sweep/wipe of +3 passes. We use Blancco here, but there are other solutions available.


    As I said - nothing is ever secure. It's like a car that can't be stolen...if someone wants it enough...they will find a way! 

  • Technically - no, it doesn't remove the encrypted data from the drive completely - it just starts writing over it with the new data. Things can still be present in the unused sectors of the drive and even in the slack space inside the sectors (assuming a platter HDD). 

    However, if you turn on BitLocker encryption on the newly imaged drive - then the encryption process should overwrite all the data in any sector marked as used as they are written to:


    See: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq#:~:text=No%2C%20BitLocker%20does%20not%20encrypt,them%20to%20the%20physical%20disk.

    Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?

    No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.


    So, in essence, yes data could theoretically be recovered but there are several hurdles to get over to do that and even then - the data is probably incomplete and hard to recover.

    For complete data removal your imaging process should have a zeroing solution that runs on the drive first, then writes the new image to the drive, then turns on BitLocker again. 

    If you are using SSDs - this changes a bit and the amount of data retained on the drive is greatly reduced. 


    If you have any further questions - please let me know.

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
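The three-step process the reply above describes (zero the disk, re-image it, then re-enable BitLocker) as an added PowerShell example. This is not code from the thread, from Sophos, or from Microsoft; it assumes an elevated session on the technician machine or in WinPE, and the disk number, mount point and image path are placeholder values you would replace. The security-relevant detail it makes explicit is the difference between full encryption and used-space-only encryption: only full encryption also overwrites the free sectors where remnants of the old volume could sit, which is the exact gap the reply points at.

```powershell
# Added example, not from the thread: zero -> re-image -> full-disk BitLocker.
# All three values below are ASSUMED placeholders for illustration.
param(
    [int]$DiskNumber  = 1,                         # disk being re-imaged; never the disk you booted from
    [string]$MountPoint = 'D:',                    # volume to encrypt after the image is applied
    [string]$ImagePath  = 'X:\images\placeholder.wim' # placeholder image path
)

# Step 1: overwrite every sector with zeros before the new image is written.
# 'clean all' zero-fills the whole disk; a plain 'clean' only removes the
# partition table and leaves the previous BitLocker ciphertext in place.
@"
select disk $DiskNumber
clean all
"@ | diskpart | Out-Null

# Step 2: partition and apply the image with your imaging tool. That part is
# specific to your deployment process, so it is only indicated here.
# Example with the in-box tool once a volume exists at $MountPoint:
#   dism /Apply-Image /ImageFile:$ImagePath /Index:1 /ApplyDir:"$MountPoint\"

# Step 3: turn BitLocker back on. Deliberately NOT passing -UsedSpaceOnly:
# full encryption also rewrites free space, whereas used-space-only mode
# encrypts only sectors the file system currently marks as in use.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
    -RecoveryPasswordProtector -SkipHardwareTest | Out-Null

# Escrow the recovery password somewhere other than the machine itself
# (AD/Entra/key vault); without it the encrypted sectors are unrecoverable.
$recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Write-Host "Recovery password (escrow this): $($recovery.RecoveryPassword)"

# Step 4: wait until the conversion has actually finished. A drive that is
# still at 40% has 60% of its sectors in whatever state the image left them.
do {
    Start-Sleep -Seconds 30
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Host ('{0} {1} ({2}% done)' -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
} while ($vol.VolumeStatus -eq 'EncryptionInProgress')

if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    throw "Expected FullyEncrypted on $MountPoint, got $($vol.VolumeStatus)"
}

# Final check: manage-bde reports 'Conversion Status: Fully Encrypted' for a
# full conversion and 'Used Space Only Encrypted' if the cheaper mode was used.
manage-bde -status $MountPoint
```

Two caveats worth keeping next to this: the `clean all` pass gives the overwrite guarantee the reply wants on a platter disk, but on an SSD the controller's wear levelling and spare area mean an overwrite from the host does not reach every physical cell, which is why the reply notes that SSDs behave differently; there the drive's own secure-erase or crypto-erase function is the equivalent step. And `manage-bde -status` is the quick way to audit machines that were encrypted by someone else's process, since a volume that says "Used Space Only Encrypted" still has its free space in the clear.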