For Disk Encryption, Why Doesn’t The Disk Re-encrypt With The New Key When I Change My Password?
Those who innovate often do not take things for granted and often probe things to understand what actually happens under the hood. So, let’s pose a simple question …
In TrueCrypt (now known as VeraCrypt) we have disk encryption, why when I change my password for access does it not actually change the encryption key for the disk encryption, or does it?
TrueCrypt creates an encrypted volume, and where the user just has to reveal their password in order to access it. In order to convert a password into an encryption key, we often use a key derivation function (KDF) such as PBKDF2 or bcrypt, so why is it not the case that we have to re-encrypt the whole of the encrypted disk with the new symmetric key? Well, TrueCrypt uses two keys: a data encryption key and a key-encryption key (KEK). The data encryption key stays the same for every password change and is used to perform the encryption on the data on the disk. Whereas the KEK protects the data encryption key.
In the following, we have a data encryption key, and which will not change (unless there is a reset of the disk). We now need a way to protect this key for someone examining the disk. For this Bob uses a password and a salt value (Figure 1), and generates the master key using…
