What is the correct way to remove BitLocker secrets from a TPM when returning a device for warranty?
Note: This is not a question about how to preserve data on a device that is returned for warranty. Rather, this is a question about how to ensure that the encrypted remnant data on the device is not accompanied by decryption keys when the device is returned for warranty.
I have a Surface Pro 2 that has to be returned for warranty. It is still operational except that it reboots when you move it in just the right way.
When the device was deployed, the drives were encrypted using BitLocker. The encryption took place prior to writing any sensitive information to the drives. For this question, let's assume that I trust the device and Microsoft and that the device hasn't been pwned by way of some vulnerability or software that has been installed.
TPM Secrets
This device has relied on the security of the TPM to protect the sensitive information in case the device was stolen. As I understand from Chris Tarnovsky's presentation, it is probably feasible to read the secrets from a TPM.
Since this is not a theft it seems like it should be possible to delete the secrets from the TPM and avoid that whole vulnerability.
Suspend-BitLocker
Windows allows you to Suspend-BitLocker, which "makes the encryption key available in the clear." This seems to be what Windows defaults to when you manage the TPM from Windows. Obviously, I don't want to send the device back for warranty with BitLocker suspended.
Questions
- What secrets reside on the TPM which, if compromised, could be used to decrypt the contents of the drive?
- How can I ensure that the secrets are removed from the TPM?
- Is there a way to remove the secrets from the TPM in a way that avoids Windows making the encryption key available in the clear?
- Are there other precautions that I should consider taking prior to sending the device back for warranty?
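The following script is an added illustration of the situation described in the question, not code from the question or from Microsoft: it audits each BitLocker volume's key protectors, refuses to act on a suspended volume (where the key is already in the clear), and removes only the TPM-bound protectors, and only when a recovery-password protector remains so the volume stays recoverable. It assumes the built-in BitLocker PowerShell module on Windows 8 or later, an elevated prompt, and a hypothetical -DryRun switch that only reports what would be removed.

```powershell
# Added example (not part of the original question): audit BitLocker key
# protectors and drop the TPM-bound ones without suspending BitLocker.
# Assumes the built-in BitLocker module and an elevated prompt.
# -DryRun is a hypothetical switch: report only, change nothing.
param([switch]$DryRun)

# Protector types whose unsealing depends on the TPM.
$tpmTypes = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

foreach ($vol in Get-BitLockerVolume) {
    $mp = $vol.MountPoint
    Write-Host "Volume $mp : status=$($vol.VolumeStatus), protection=$($vol.ProtectionStatus)"

    if ($vol.VolumeStatus -ne 'FullyEncrypted') { continue }

    # ProtectionStatus 'Off' on an encrypted volume means BitLocker is
    # suspended, i.e. the volume key is stored in the clear. Resume first.
    if ($vol.ProtectionStatus -eq 'Off') {
        Write-Warning "$mp is suspended; run Resume-BitLocker -MountPoint $mp before shipping"
        continue
    }

    $protectors = $vol.KeyProtector
    $recovery   = $protectors | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $tpmBound   = $protectors | Where-Object { $tpmTypes -contains $_.KeyProtectorType }

    foreach ($p in $protectors) {
        Write-Host "  $($p.KeyProtectorType) $($p.KeyProtectorId)"
    }

    if (-not $tpmBound) { Write-Host "  no TPM-bound protector on $mp"; continue }

    # Never drop the last protector: without a backed-up recovery password the
    # volume becomes unrecoverable once the TPM protector is gone.
    if (-not $recovery) {
        Write-Warning "$mp has no recovery password; add and back one up before removing TPM protectors"
        continue
    }

    foreach ($p in $tpmBound) {
        if ($DryRun) {
            Write-Host "  would remove $($p.KeyProtectorType) $($p.KeyProtectorId)"
        } else {
            Remove-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
            Write-Host "  removed $($p.KeyProtectorType) $($p.KeyProtectorId)"
        }
    }
}
```

Once the TPM protector is gone from the OS volume, the next boot prompts for the recovery password instead of unsealing the key from the TPM, so confirm the recovery password is stored off the device before running without -DryRun.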