Does changing the encryption password imply rewriting all the data?

No. Your password is used to encrypt only the master key. When you change the password, the master key is re-encrypted, but the key itself does not change.

(This is how some systems, such as BitLocker or LUKS, are able to have multiple passwords for the same disk: they still use a single master key for all data, but just store multiple copies of the master key encrypted with different passwords.)


Grawity's answer is correct. Because encrypting data is a relatively expensive process, it makes more sense to create a single master key that does not change during the lifetime of the encrypted data. This master key can then in turn be encrypted by one or more secondary keys, which can then be flexibly changed at will.

For example, here's how BitLocker implements this (it actually uses three "layers" of keys):

  1. Data written to a BitLocker-protected volume is encrypted with a full-volume encryption key (FVEK). This key does not change until BitLocker is completely removed from a volume.
  2. The FVEK is encrypted with the volume master key (VMK), then stored (in its encrypted form) in the volume's metadata.
  3. The VMK in turn is encrypted with one or more key protectors, such as a PIN/password.

The following picture shows the process of accessing an encrypted system disk on a machine with BitLocker full volume encryption enabled:

[Image: Scheme of disk decryption]

More information about this process can be found on TechNet.
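
The key-slot idea both answers describe, as an added Python sketch that is not part of either answer and is not BitLocker or LUKS code: a password change rewrites one small slot while the master key, and so everything encrypted under it, stays the same. The function names, slot layout and iteration count are assumptions, and the XOR-plus-HMAC wrap is a standard-library stand-in for the authenticated key-wrap cipher a real system would use.

```python
import hashlib, hmac, os

def derive_kek(password, salt):
    # Password -> key-encryption key (KEK). Iteration count is an example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)

def _pad(kek):
    # 32-byte pad derived from the KEK; each slot has a fresh salt, so each
    # KEK (and pad) is used to wrap exactly one 32-byte key.
    return hmac.new(kek, b"enc", "sha256").digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wrap(master_key, password):
    # Stand-in key wrap (assumption): XOR with the pad, then MAC the result
    # so a wrong password is detected instead of yielding a garbage key.
    salt = os.urandom(16)
    kek = derive_kek(password, salt)
    ct = _xor(master_key, _pad(kek))
    tag = hmac.new(kek, b"mac" + ct, "sha256").digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def unwrap(slot, password):
    kek = derive_kek(password, slot["salt"])
    tag = hmac.new(kek, b"mac" + slot["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, slot["tag"]):
        raise ValueError("wrong password for this slot")
    return _xor(slot["ct"], _pad(kek))

def change_password(slots, index, old_password, new_password):
    # Recover the master key with the old password, then rewrite only this
    # slot. Other slots and the bulk data are never touched.
    master_key = unwrap(slots[index], old_password)
    slots[index] = wrap(master_key, new_password)

if __name__ == "__main__":
    master_key = os.urandom(32)  # generated once; bulk data is encrypted under it
    # Two slots, as with multiple passwords on one disk (constructed passwords).
    slots = [wrap(master_key, "old-pass"), wrap(master_key, "recovery-pass")]
    change_password(slots, 0, "old-pass", "new-pass")
    print("slot 0 opens with new password:", unwrap(slots[0], "new-pass") == master_key)
    print("slot 1 still opens:", unwrap(slots[1], "recovery-pass") == master_key)
```

Because the master key never changes, anyone who captured it or an old slot copy while the old password was valid can still decrypt the data; rotating the master key itself does require re-encrypting the data.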