I'm trying to understand the need for VMK. If a startup key is lost or compromised, changing the VMK without also re-encrypting (i.e., changing the FVEK) gives a false sense of security - I think.
In the Scenarios, User Experience, and Flow at http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFlow.mspx it states:
"The VMK directly protects the FVEK and therefore, protecting the VMK becomes critical. This strategy of protecting the VMK indirectly protects the encrypted volume and has the advantages that: - The system can regenerate keys upstream in the chain if one or more of these keys are lost or compromised. - The recovery process can be done without decrypting and reencrypting the entire volume, which is expensive in terms of the user’s time."
If I've lost my startup key, but I'm pretty sure no one's actually tried to use it on my machine, then why not simply regenerate only the startup key? If I think someone has used the key on my machine, then they have my VMK at that moment, and if they have my VMK, they can retrieve my FVEK. So they have my FVEK. Changing the VMK and Startup key won't lower my risk. I think I'll have to re-encrypt...
For the first advantage, if for example I've lost my startup key on USB flash, how do I tell BitLocker to generate a new, different startup key and VMK without having to re-encrypt the whole drive? I tried disabling, then re-enabling BitLocker under 5308, but it did not offer to place a different startup key on my USB drive, nor save a new recovery key. When I went to manage keys and request a copy of the startup key, I received the same key as before.
As for the second advantage, why does the VMK provide an advantage? Is it alone used to encrypt/decrypt some of the initial system files, which then take over using the FVEK?? I'm just guessing at the reason...
In the BitLocker Technical Overview at http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerTechOver.mspx it states that after disabling BitLocker for maintenance: "When BitLocker is reenabled, the clear key is removed from the disk volume and BitLocker protection is turned on again. Additionally, the VMK is rekeyed and reencrypted."
I think I understand - when the clear key is deleted, along with its blob (VMK), the VMK is regenerated in case anyone snagged the clear key, or if forensic tools are used to retrieve the deleted clear key and blob from disk???
Thanks!

Vista: Understanding the merit of VMK
The key chain is as follows: (TPM + External Key) encrypts VMK encrypts FVEK encrypts bulk-data
Should the external key be lost or compromised (per your question below), then the key protectors can be erased and a new external key created (via manage-bde/WMI). This assumes of course that someone has not mated the external key with your machine in the meantime. If they had, and the machine was additionally protected by the TPM (in the TPM + External Key scenario) they still would not get very far :). So in short, use WMI/manage-bde key protectors management functionality to address the lost keys scenario.
In theory, a system can be built where all keys encrypt FVEK directly. However maintaining an intermediate key (VMK) is architecturally particularly useful as it allows encrypted metadata to be consistent (uses the VMK) and independent of the FVEK (which can vary in type).
From a pure cryptographic standpoint, the VMK can be considered equal to the FVEK in its criticality and function. However recycling the VMK becomes more interesting when you start to forensically look at the history of data persistence on the disk. - Jamie Hunter [MS]