Prepare BitLocker protected PC for disposal
We want to dispose of an old notebook whose display frame is damaged. It's a Windows device with a BitLocker (TPM+PIN) encrypted SSD.
I am trying to devise a strategy for protecting the data on the drive from recovery that is both simple (no disassembly of the notebook) and reasonably secure (old PINs, recovery keys etc. should no longer work, but I'm not trying to protect the data against three-letter agencies - the data is not that important).
Currently, the following protectors are configured:
    C:\Windows\System32>manage-bde C: -protectors -get
    BitLocker Drive Encryption: Configuration Tool version 10.0.22621
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    Volume C: [Home-Office-Client]
    All Key Protectors

        TPM And PIN:
          ID: [redacted]
          PCR Validation Profile:
            7, 11
            (Uses Secure Boot for integrity validation)

        Numerical Password:
          ID: [redacted]
          Password:
            [redacted]
My plan is to do the following:

1. Remove the "numerical password" protector (which should be the recovery key). Now the drive can no longer be unlocked with the old recovery key.
2. Change the BitLocker PIN to a new value that is not recorded anywhere. Now the drive can no longer be unlocked with the old PIN.
3. Do not remove the TPM+PIN protector, because removing all protectors will make the encryption key available unsecured.
4. (optional) Clear the TPM. Shouldn't be necessary, since both TPM+PIN are required, but it's easy to do and provides an additional layer of protection in case I messed up step 1.
5. Dispose of the device.
Any flaws in my plan? Any simpler way to achieve my goal?
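As an added illustration (not part of the question above), the following PowerShell script carries out steps 1 to 4 of the plan with the BitLocker and TrustedPlatformModule cmdlets that ship with Windows, and checks the protector list after each step so that the volume is never left without a protector. It assumes an elevated PowerShell session on the notebook itself and that the OS volume is C:; the `$Mount` variable and the check names are this example's own. The first check matters for the disposal goal: a volume encrypted with "used space only" never encrypted the sectors that were free at encryption time, so data deleted before that point is not covered by the key protectors at all.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# session on the notebook. Assumption: the BitLocker-protected OS volume is C:.
$Mount = "C:"

# 0. Confirm the volume is fully encrypted. "Used space only" encryption leaves
#    sectors that were free at encryption time in the clear, so a partially or
#    used-space-only encrypted drive is not protected by the steps below.
$vol = Get-BitLockerVolume -MountPoint $Mount
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    throw "Volume $Mount is not fully encrypted (status: $($vol.VolumeStatus))"
}
manage-bde -status $Mount   # human-readable view, including conversion status

# 1. Remove every recovery-password ("Numerical Password") protector by its ID.
$vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $_.KeyProtectorId | Out-Null
    }

# 3. Guard for the poster's step 3: the TPM+PIN protector must still be present,
#    otherwise the volume key would be stored unprotected.
$remaining = (Get-BitLockerVolume -MountPoint $Mount).KeyProtector
if ($remaining | Where-Object KeyProtectorType -eq 'RecoveryPassword') {
    throw "A RecoveryPassword protector is still present on $Mount"
}
if (-not ($remaining | Where-Object KeyProtectorType -eq 'TpmPin')) {
    throw "No TPM+PIN protector left on $Mount; refusing to continue"
}

# 2. Change the PIN. manage-bde prompts for the new PIN twice; type something
#    random and do not write it down anywhere.
manage-bde -changepin $Mount

# Show the final protector list: only "TPM And PIN" should remain.
manage-bde -protectors -get $Mount

# 4. (optional) Clear the TPM. This discards the TPM-sealed key material, so the
#    volume can no longer be unlocked even with the new PIN, and Windows will
#    not boot again. Do this last, and only after the checks above passed.
Clear-Tpm
```

`Clear-Tpm` may require confirming physical presence at the next boot, depending on the firmware; after it completes, the drive is unrecoverable by design, which is the intended end state before disposal.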