Correct; unless you're using a self-encrypting drive, the FVEK sits in RAM once it's been released by the TPM during boot. The TPM is only a root of trust; for fast crypto operations without keeping the key in kernel memory you would need something like Intel SGX or ARM TrustZone.
p_ing|1 year ago
> Changes the default setting for BitLocker when encrypting a self-encrypting hard drive. Now, the default is to use software encryption for newly encrypted drives. For existing drives, the type of encryption will not change.
https://support.microsoft.com/en-us/topic/september-24-2019-...
https://nvd.nist.gov/vuln/detail/CVE-2018-12037
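Since that update only changes the default for newly encrypted volumes, a quick audit of which volumes still delegate encryption to the drive is useful. Added example, not from any commenter or from Microsoft; it assumes the BitLocker PowerShell module is present and runs elevated, and the FVE policy value names it reads are my assumption about the hardware-encryption Group Policy settings.

```powershell
# Added example: flag BitLocker volumes whose EncryptionMethod is "Hardware",
# i.e. the SED's own firmware crypto is trusted rather than BitLocker's software AES.
function Get-HardwareEncryptedVolumes {
    $result = @()
    foreach ($v in Get-BitLockerVolume) {
        $method = [string]$v.EncryptionMethod
        $entry = [pscustomobject]@{
            MountPoint   = $v.MountPoint
            VolumeType   = [string]$v.VolumeType
            Method       = $method
            VolumeStatus = [string]$v.VolumeStatus
            Hardware     = ($method -eq 'Hardware')
        }
        if ($entry.Hardware) {
            Write-Warning ("{0}: hardware (SED) encryption in use; drive firmware is the crypto implementation" -f $v.MountPoint)
        }
        $result += $entry
    }
    return $result
}

# Policy check (assumed value names under the BitLocker policy key; 0 = hardware encryption disallowed,
# absent = default, which after the September 2019 update means software encryption for new volumes).
function Get-HardwareEncryptionPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $out = @{}
    foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $out[$name] = if ($null -eq $item) { 'not set' } else { $item.$name }
    }
    return $out
}

Get-HardwareEncryptedVolumes | Format-Table MountPoint, VolumeType, Method, VolumeStatus, Hardware
Get-HardwareEncryptionPolicy
```

Volumes reported as Hardware stay that way regardless of policy until they are decrypted and re-encrypted, which is exactly what the "existing drives will not change" sentence in the KB means.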
MoreMoore|1 year ago
https://threadreaderapp.com/thread/1059435094421712896.html
This is amazing.
> The encrypted SSD has a master password that’s set to “”
HN discussion here: https://news.ycombinator.com/item?id=18382975
Original paper here: https://cs.ru.nl/~cmeijer/publications/Self_Encrypting_Decep...