We use imaging software. If we re-image, it clears the BitLocker encryption. Does this remove the encrypted data? If someone used data recovery, would they be able to access the data?
Technically, no, it doesn't remove the encrypted data from the drive completely; it just starts writing over it with the new data. Things can still be present in the unused sectors of the drive and even in the slack space inside the sectors (assuming a platter HDD).
However, if you turn on BitLocker encryption on the newly imaged drive, then the encryption process should overwrite all the data in any sector marked as used as they are written to:
No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.
So, in essence, yes, data could theoretically be recovered, but there are several hurdles to get over to do that, and even then the data is probably incomplete and hard to recover.
For complete data removal, your imaging process should have a zeroing solution that runs on the drive first, then writes the new image to the drive, then turns on BitLocker again.
If you are using SSDs - this changes a bit and the amount of data retained on the drive is greatly reduced.
If you have any further questions - please let me know.
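The point made in the answer above, as an added example that is not part of the original thread: re-imaging overwrites only the sectors the new image occupies, while a zeroing pass beforehand clears the rest. The 64-sector disk file, the 16-sector image, the 512-byte sector size and all function names are constructed for illustration.

```python
import os
import tempfile

SECTOR = 512  # assumed logical sector size


def nonzero_sectors(path, sector_size=SECTOR, chunk_sectors=2048):
    """Return the indexes of sectors that contain any non-zero byte."""
    found, index = [], 0
    with open(path, "rb") as dev:
        while chunk := dev.read(sector_size * chunk_sectors):
            if chunk.count(0) != len(chunk):  # skip chunks that are all zero
                for off in range(0, len(chunk), sector_size):
                    if any(chunk[off:off + sector_size]):
                        found.append(index + off // sector_size)
            index += -(-len(chunk) // sector_size)  # ceil for a short last chunk
    return found


def zero_fill(path, total_sectors, sector_size=SECTOR):
    """Zeroing pass: overwrite every sector, not only those an image will use."""
    with open(path, "r+b") as dev:
        for _ in range(total_sectors):
            dev.write(bytes(sector_size))
        dev.flush()
        os.fsync(dev.fileno())


def write_image(path, image):
    """Re-image: write the new image from sector 0 and touch nothing else."""
    with open(path, "r+b") as dev:
        dev.write(image)


def demo(zero_first):
    """Constructed disk: old data in all 64 sectors, then a 16-sector image."""
    total, image_sectors = 64, 16
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as dev:
            dev.write(os.urandom(total * SECTOR))  # stands in for old ciphertext
        if zero_first:
            zero_fill(path, total)
        write_image(path, b"\xAA" * (image_sectors * SECTOR))  # constructed image
        # Sectors beyond the new image that still hold pre-re-image data
        return [s for s in nonzero_sectors(path) if s >= image_sectors]
    finally:
        os.remove(path)
```

`nonzero_sectors` can also be run against a raw image of a drive after the zeroing step and before the new image is written, where an empty result means the pass covered every sector it could read.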