10 Things - Using BitLocker, even without a TPM

While you may have heard of BitLocker, what you may not know is that you don't need a Trusted Platform Module (TPM) to use it on your system.

BitLocker Drive Encryption is a new security feature integrated into the Windows Vista operating system that provides considerable protection to the OS and to the data stored on the operating system volume.  BitLocker ensures that data stored on a computer running Windows Vista remains encrypted even if the computer is tampered with while the operating system is not running.  This helps protect against "offline attacks": those made by disabling or circumventing the installed operating system (booting another OS from removable media, for example), or by physically removing the hard drive to attack the data separately.  In other words, attacks made while the system is not running and Windows access control is not in force.

Windows BitLocker Drive Encryption provides increased security by encrypting everything on the Windows volume: data, programs and Windows itself.  (The one exception is the small, unencrypted system partition that holds the files needed to start the computer; BitLocker requires that partition to exist.)  When you use BitLocker, your system is more difficult to tamper with, and thus you are better protected if your computer is ever lost or stolen.  BitLocker does not replace the need for a strong password and other vital security features, since it protects the data only while the system is off, but it does make it much harder for anyone else to read the information stored on your hard drive.

BitLocker is designed for systems that have a compatible TPM microchip and BIOS.  (A compatible TPM is defined as a version 1.2 TPM.)  A compatible BIOS must support the TPM and the Static Root of Trust for Measurement as defined by the Trusted Computing Group.  When available, BitLocker uses a system's Trusted Platform Module (TPM) to provide enhanced protection for your data and to assure early boot component integrity.  At startup, the BIOS and the Windows boot components are measured into the TPM, and the TPM releases the key that unlocks the drive only if those measurements match the ones recorded when BitLocker was turned on.  This is the system integrity check: it verifies that the boot path has not been tampered with before any data on the encrypted Windows volume becomes accessible.  Although the TPM interacts with BitLocker at system startup, its protection is transparent and the user logon experience is unchanged.  However, if the TPM is missing or altered, or if the start-up information has changed, BitLocker enters recovery mode and the user must enter the recovery password to regain access to the data.  For more information about TPM specifications, visit the TPM Specifications section of the Trusted Computing Group's Web site.

A great thing about BitLocker is that even if you do not have a TPM 1.2 chip, you can still use the encryption it provides.  In that configuration the key that unlocks the drive is stored on a USB flash drive (a "startup key") that must be plugged in every time the computer starts, so the BIOS must be able to read USB devices before Windows loads, and an administrator must first turn on "Allow BitLocker without a compatible TPM" in the Group Policy setting "Control Panel Setup: Enable advanced startup options" before the BitLocker wizard will offer this mode.  The trade-off is that the system integrity checking enabled by the TPM is unavailable: nothing verifies the boot components before the startup key is used, so the USB key and the recovery password are the only things standing between someone who has the hardware and your data.  Keep the startup key separate from the computer, and store the recovery password somewhere other than the encrypted disk.

For information about how to enable BitLocker on your computer without using a TPM 1.2 chip, see the BitLocker Drive Encryption Step-by-Step Guide, which also covers the requirements for BitLocker Drive Encryption, including partitioning, start-up options and recovery options.
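As an added example (not code from the original post or from Microsoft's documentation), the following PowerShell script does the no-TPM setup described above from an elevated prompt: it writes the policy values that the "Allow BitLocker without a compatible TPM" option sets, turns BitLocker on with a USB startup key plus a numerical recovery password, and escrows that password off the machine.  It assumes that F: is the USB stick that will hold the startup key, that the escrow directory (a hypothetical G:\bitlocker-escrow) is on a different disk, and that manage-bde.exe is available (Windows 7 and later; Vista ships the same tool as manage-bde.wsf, run as "cscript manage-bde.wsf" with the same switches, and PowerShell itself is a separate download there, so treat the Vista invocation as an assumption).  The registry value names mirror what gpedit.msc writes for that policy.

```powershell
# Added example, not code from the post or from Microsoft's documentation.
# Run from an elevated PowerShell on the machine to be protected.
# Assumptions: F: is the USB stick that will hold the startup key; $RecoveryDir is a
# hypothetical location off this machine (removable disk or share) for the recovery
# password; manage-bde.exe is on the path (Windows 7 and later). On Vista the same
# switches are given to "cscript manage-bde.wsf" (assumed equivalent, not verified here).
param(
    [string]$OsVolume        = 'C:',
    [string]$StartupKeyDrive = 'F:',
    [string]$RecoveryDir     = 'G:\bitlocker-escrow'   # hypothetical, off-machine
)

$ErrorActionPreference = 'Stop'

# 1. Policy. These are the values the Group Policy setting
#    "Control Panel Setup: Enable advanced startup options" (Vista) writes when
#    "Allow BitLocker without a compatible TPM" is ticked; gpedit.msc does the same.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord

# 2. Refuse to continue if the stick is missing, or if the escrow location is the very
#    disk we are about to encrypt (a recovery password stored there is useless in recovery).
if (-not (Test-Path "$StartupKeyDrive\")) {
    throw "Startup key drive $StartupKeyDrive not found; insert the USB stick first."
}
if ($RecoveryDir.StartsWith($OsVolume, [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "The recovery password must not be escrowed on the volume being encrypted."
}
if (-not (Test-Path $RecoveryDir)) { New-Item -ItemType Directory -Path $RecoveryDir | Out-Null }

# 3. Turn BitLocker on with two key protectors: a startup key (a .BEK file written to the
#    stick, which the boot loader reads because there is no TPM to unseal the key) and a
#    48-digit recovery password for the day the stick is lost.
& manage-bde -on $OsVolume -StartupKey "$StartupKeyDrive\" -RecoveryPassword

# 4. Pull the recovery password back out of the protector list and escrow it.
#    The pattern is the 8x6-digit format BitLocker uses for numerical passwords.
$recovery = & manage-bde -protectors -get $OsVolume |
    Select-String -Pattern '\d{6}(-\d{6}){7}' -AllMatches |
    ForEach-Object { $_.Matches } |
    ForEach-Object { $_.Value }
if (-not $recovery) { throw "No numerical recovery password found on $OsVolume." }
$escrowFile = Join-Path $RecoveryDir "$env:COMPUTERNAME-$($OsVolume.TrimEnd(':')).txt"
$recovery | Set-Content -Path $escrowFile

# 5. Encryption continues in the background; "Protection Status" reports On only once
#    the volume is fully encrypted. Check it, then keep the stick out of the laptop bag.
& manage-bde -status $OsVolume
```

Usage: `.\Enable-BitLockerNoTpm.ps1 -StartupKeyDrive F: -RecoveryDir G:\bitlocker-escrow` (script name is hypothetical).  The check in step 2 is the one practitioners most often skip: escrowing the recovery password onto the disk it unlocks, or onto the same stick that holds the startup key, turns a two-protector setup into a single point of failure.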


Comments

  1. Posted on: July 27, 2007 at 12:07AM  

    Good to know you can use some of the BitLocker features without the latest laptop with a TPM chip installed. My wife's uncle could certainly have used this encryption/protection when his laptop got stolen while he was on a train.  Unfortunately Vista was not out at the time, as this was 2 years ago.

    It got stolen in Britain, my homeland no less, when he was on a business trip from the USA.  Gotta love that public transportation. Ironically he thought he was safe because he was in a First Class business carriage, but alas that was not the case!

  2. Posted on: July 27, 2007 at 7:41AM  

    You just talk about BitLocker! But you didn't talk about how to use it without TPM! It is important!

  3. Posted on: July 27, 2007 at 1:26PM  

    Hey tangqiping:  we actually do cover that topic in the post:  "A great thing about BitLocker is that even if you do not have a TPM 1.2 chip, you can still use the encryption it provides, but the system integrity checking enabled by the TPM will be unavailable."

    More info is available at http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx.

  4. Posted on: July 27, 2007 at 3:25PM  

    What if I need to re-install my system, or change the HDD, or change my motherboard because it broke? Will my data be lost? If there is a remove feature, and my motherboard breaks, did I just lose all my data that was protected?

  5. Posted on: July 27, 2007 at 6:59PM  

    If you need to reinstall your operating system, you will have to decrypt the drive by turning off BitLocker completely. Disabling BitLocker will not allow you to make the desired changes to the system. Decrypting can take a long time, depending on the amount of data and the size of the hard disk.

    To disable a BitLocker volume, follow the procedure described below.

       1. Go to Start, Control Panel, Security and select BitLocker Drive Encryption.

       2. On the volume that you want to disable BitLocker, click Turn Off BitLocker Drive Encryption.

       3. Depending on the level of decryption you desire, you can either Disable the BitLocker Drive Encryption or Decrypt the volume. Get Encrypting.
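The two choices in step 3 do different things, and the difference matters for the questions above: "Disable" keeps every sector encrypted but writes a clear copy of the volume key to the disk so the machine boots without the startup key or TPM check (it exists for BIOS and boot-loader updates), while "Decrypt" removes the encryption entirely, which is what a reinstall or a move to another disk needs.  As an added example (not code from the post, the comment, or Microsoft's tooling), this PowerShell script performs either action from an elevated prompt and reads back the two status lines that show which state the volume is in.  It assumes manage-bde.exe (Windows 7 and later); on Vista the same switches go to "cscript manage-bde.wsf", which is an assumption not verified here.

```powershell
# Added example, not code from the post or its comments. Run in an elevated PowerShell.
# Assumptions: manage-bde.exe is available (Windows 7 and later); on Vista the same
# commands are issued as "cscript manage-bde.wsf <switches>" (assumed, not verified here).
param(
    [ValidateSet('Suspend', 'Decrypt')]
    [string]$Mode = 'Suspend',
    [string]$OsVolume = 'C:'
)

$ErrorActionPreference = 'Stop'

# Parse the two lines of "manage-bde -status" that matter for this decision.
function Get-BdeState([string]$Volume) {
    $text = (& manage-bde -status $Volume) -join "`n"
    $conversion = 'unknown'
    if ($text -match 'Conversion Status:\s+(.+)') { $conversion = $Matches[1].Trim() }
    [pscustomobject]@{
        ProtectionOn = [bool]($text -match 'Protection Status:\s+Protection On')
        Conversion   = $conversion
    }
}

$before = Get-BdeState $OsVolume
"Before: protection on = $($before.ProtectionOn), conversion = $($before.Conversion)"

switch ($Mode) {
    'Suspend' {
        # "Disable" in the Vista control panel: every sector stays encrypted, but a
        # clear-text copy of the volume key is written to the disk so the next boots need
        # no startup key and no TPM check. Meant for BIOS/boot-loader updates. While in
        # this state the disk is readable by anyone who has it, so re-enable as soon as
        # the maintenance is done.
        & manage-bde -protectors -disable $OsVolume
    }
    'Decrypt' {
        # "Decrypt the volume": removes the encryption entirely, which is what a reinstall
        # or a move to another disk needs. Runs in the background, takes roughly as long as
        # encrypting did, and the machine must stay on until Conversion Status reads
        # "Fully Decrypted".
        & manage-bde -off $OsVolume
    }
}

$after = Get-BdeState $OsVolume
"After:  protection on = $($after.ProtectionOn), conversion = $($after.Conversion)"

# To reverse the Suspend case once the firmware update is done:
#   manage-bde -protectors -enable C:
```

Usage: `.\Set-BitLockerOff.ps1 -Mode Suspend` before a BIOS update and `manage-bde -protectors -enable C:` afterwards; `-Mode Decrypt` before a reinstall or disk swap (script name is hypothetical).  After a suspend, the status output still says "Fully Encrypted" but "Protection Off", which is the tell that the key is sitting on the disk in the clear.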

  6. Posted on: July 28, 2007 at 3:56AM  

    If I'm using BitLocker and my computer crashes, is there any way to recover the data, for example by moving the hard drive to another PC? (Because this is what you are actually protecting against.)

    I would think I would need to take some actions prior to this happening (like exporting and storing a key somewhere)

  7. Posted on: July 28, 2007 at 3:14PM  

    Odegaard, I am just second-guessing here, but you have to provide the 48-character encryption key to unlock access to the information, or the data is just gone. Not sure.

  8. Posted on: July 29, 2007 at 7:28AM  

    Hi Nick,

    Can I be invited to the Vista SP1 beta program?

    Thanks

    Cesare Balena

    balenacesare@msn.com

  9. Posted on: July 29, 2007 at 7:36PM  

    That's stupid. Why does Vista Starter edition have wallpapers that are only available for it? They are not even included in Ultimate edition.

Trackbacks

  1. Posted by: The Security Wizard on July 28, 2007 at 4:49PM

    While you may have heard of BitLocker, what you may not know is that you don't need Trusted Platform

  2. Posted by: The things that are better left unspoken on September 11, 2007 at 3:05AM

    A while ago I wrote a blog post on BitLocker Drive Encryption and why I thought it wasn’t ready for prime