10 Things - Using BitLocker, even without a TPM

While you may have heard of BitLocker, what you may not know is that you don't need a Trusted Platform Module (TPM) to use it on your system.

BitLocker Drive Encryption is a new security feature integrated into the Windows Vista operating system that provides considerable protection for the OS and the data stored on the operating system volume.  BitLocker ensures that data stored on a computer running Windows Vista remains encrypted even if the computer is tampered with while the operating system is not running.  This helps protect against "offline attacks" -- those made by disabling or circumventing the installed operating system, or by physically removing the hard drive to attack the data separately; in other words, attacks made when the system is not running.

Windows BitLocker Drive Encryption provides increased security by encrypting everything on your hard drive: data, programs and even Windows itself.  When you use BitLocker, your system is more difficult to tamper with, and thus you are better protected if your computer is ever lost or stolen.  BitLocker does not replace the need to use a strong password and other vital security features, but it does make it much harder for anyone else to read the information stored on your hard drive.

BitLocker is designed for systems that have a compatible TPM microchip and BIOS.  (A compatible TPM is defined as a version 1.2 TPM.)  A compatible BIOS must support the TPM and the Static Root of Trust Measurement as defined by the Trusted Computing Group.  When available, BitLocker uses a system's Trusted Platform Module (TPM) to provide enhanced protection for your data and to assure early boot component integrity.  The chip performs a system integrity check -- a process that verifies your computer system has not been tampered with -- before unlocking your drive and allowing access to the data stored on it.  This helps protect data from theft or unauthorized viewing by encrypting the entire Windows volume.  Although the TPM interacts with BitLocker at system startup, its protection is transparent and the user logon experience is unchanged.  However, if the TPM is missing or altered, or if the start-up information has changed, BitLocker will enter recovery mode and the user will be required to enter a recovery password to regain access to the data.  For more information about TPM specifications, visit the TPM Specifications section of the Trusted Computing Group's Web site.

A great thing about BitLocker is that even if you do not have a TPM 1.2 chip, you can still use the encryption it provides, but the system integrity checking enabled by the TPM will be unavailable.

For information about how to enable BitLocker on your computer without using a TPM 1.2 chip, see the BitLocker Drive Encryption Step-by-Step Guide.  You can also find more information about the requirements for BitLocker Drive Encryption, including partitioning, start-up options and recovery options.


Comments

  1. Posted on: July 30, 2007 at 11:43AM  

    I would have posted this in a blog that discusses DreamScene, but there aren't any recent ones as far as I know. While I was searching through the WINDOWS folder on Windows Vista Ultimate I noticed two video clips. There are three scenes in each of the clips. In the first clip there are two creeks and a fountain, each shown for a few seconds, but the second clip is the first video sped up. Was Microsoft trying to make DreamScenes but they didn't turn out as expected?

  2. Posted on: July 31, 2007 at 8:46AM  

    More of an issue I'm finding these days is that consumer chipsets/motherboards are not including a TPM, even in some models.

  3. Posted on: August 01, 2007 at 6:45PM  

    Hey Good_Bytes and Odegaard:  Andre is correct (thanks, Andre!) in both of his replies; you can find specific answers to these questions and similar concerns at the BitLocker TechCenter:  http://technet.microsoft.com/en-us/windowsvista/aa905065.aspx.

  4. Posted on: August 01, 2007 at 6:47PM  

    Hey cesarebalena:  we're not sharing invitations just yet, but the process to get into the SP1 Beta program will definitely be detailed here on the blog when the time comes :)

  5. Posted on: August 01, 2007 at 6:50PM  

    Hey zed260:  I understand where you're coming from, but know that the wallpapers in the Starter Edition are of much lower resolution designed for lower-end computers. A valid request nonetheless :)

  6. Posted on: August 02, 2007 at 7:38AM  

    I've been a user of TrueCrypt pretty much since it came out and use it to keep my data safe... since BitLocker is in a similar area I have a couple of questions:

    1. Recovery:

    The most pressing matter for me would be how easy it is to recover data if there's a system error...  most of us don't have access to WindowsPE builder and most of us (I'm an IT student) simply use Linux BootCDs to save data from a broken system, also because the filesystem layer on Linux is much more error-resistant than its Windows counterpart (No, I'm not bashing Windows... after all I use it every day). I'm not asking you to create a Linux tool, but is there a usable specification that could be used to access the data in the case of an emergency (with the correct recovery password, of course)? I couldn't find anything about the actual specs and encryption algorithms used on the BitLocker page.

    2. Password checks

    About this I'm simply curious: TrueCrypt checks a password by decrypting the first four bytes of each volume. If these four bytes decrypt to "TRUE", then the password is assumed to be correct... I find that system to be quite ingenious as there are thousands, if not millions of keys that would decrypt the first four bytes to TRUE, so you can't use it to verify brute-force attacks (the data is simply too short), but it's still pretty unlikely that a user could mistype a key and still get the same data. How does BitLocker do it?

  7. Posted on: August 02, 2007 at 7:56AM  

    Another question, that is entirely off-topic, but maybe you know about this and maybe you could post about it.

    My question concerns hardware compatibility. I recently bought a Toshiba Satego P100-491 (No, you don't have to know this particular device), which comes preloaded with Vista (Home Deluxe). I've had a couple of issues (most importantly, it wouldn't activate when I reinstalled Vista and in fact wouldn't let me in to update so I can get the patch that fixes OEM activation, so now I'm running the Business version that I got from university) but what really grinds my gears is the fact that the hardware seems to be incompatible with Vista (In fact when it was released there wasn't even a driver that could do OpenGL)... when the GPU has a lot to do, the framerate drops to about 10% every three seconds or so. It's so bad that I'm dual booting XP again.

    So my question is this: How do you work with hardware vendors to ensure that they only sell Vista-compatible hardware with Vista?

  8. Posted on: August 03, 2007 at 1:11AM  

    You can enable BitLocker on a computer without a TPM version 1.2, provided that the BIOS has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected volume until BitLocker’s own volume master key is first released by either the computer’s TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to take advantage of the system integrity verification that BitLocker can also provide.

    To help determine whether a computer can read from a USB device during the boot process, use the BitLocker System Check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.

    To enable BitLocker on a computer without a TPM, use Group Policy to enable the advanced BitLocker user interface. With the advanced options enabled, the non-TPM settings appear in the BitLocker setup wizard. For instructions about using Group Policy to enable the advanced user options, see http://go.microsoft.com/fwlink/?LinkId=83223.
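    The procedure laid out in the comment above (confirm that the machine has no usable TPM, confirm that the BIOS-readable USB drive is present, enable the non-TPM policy, then protect the OS volume with a startup key and a recovery password) can be scripted. The PowerShell below is an added example, not code from this blog or from Microsoft. It assumes hypothetical drive letters (OS volume C:, USB flash drive E:), an elevated prompt, and the manage-bde command-line tool (manage-bde.exe on Windows 7 and later; on Vista the same switches are passed to cscript manage-bde.wsf from the System32 folder). The TPM and drive checks use the Win32_Tpm and Win32_LogicalDisk WMI classes; the Group Policy step itself is done once by hand or through a domain GPO, so the script only names it.

```powershell
<#
  Added example (not code from the Windows Vista blog or from Microsoft).
  Reports whether a TPM is usable, verifies that the chosen USB drive is
  removable media, and, only when -Encrypt is given, turns BitLocker on with a
  USB startup key plus a recovery password on the non-TPM path.
  Assumptions (hypothetical values): OS volume C:, USB drive E:, elevated
  PowerShell, manage-bde available (manage-bde.exe on Windows 7 and later;
  "cscript %SystemRoot%\System32\manage-bde.wsf" on Vista).
#>
param(
    [string]$OsVolume = 'C:',
    [string]$UsbDrive = 'E:',
    [switch]$Encrypt          # without this switch the script only reports
)

function Get-TpmState {
    # Win32_Tpm lives in its own WMI namespace. If the class is absent or the
    # query fails, treat the machine as having no usable TPM.
    try {
        $tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' `
                             -Class Win32_Tpm -ErrorAction Stop
        if ($null -eq $tpm) { return @{ Present = $false; Version = '' } }
        $enabled   = [bool]($tpm.IsEnabled().IsEnabled)
        $activated = [bool]($tpm.IsActivated().IsActivated)
        return @{
            Present = ($enabled -and $activated)
            Version = [string]$tpm.SpecVersion   # BitLocker on Vista requires a 1.2 TPM
        }
    } catch {
        return @{ Present = $false; Version = '' }
    }
}

function Test-StartupKeyDrive {
    param([string]$Drive)
    # The startup key must sit on removable media the BIOS can read before
    # Windows loads; DriveType 2 is "removable disk" in Win32_LogicalDisk.
    $disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    return ($null -ne $disk) -and ($disk.DriveType -eq 2)
}

$tpm = Get-TpmState
if ($tpm.Present) {
    Write-Output "TPM present (spec version: $($tpm.Version)); the default TPM protector applies."
} else {
    Write-Output "No usable TPM: BitLocker must be enabled on the non-TPM path."
    Write-Output "Prerequisite, done once in gpedit.msc or a domain GPO, under Computer Configuration >"
    Write-Output "Administrative Templates > Windows Components > BitLocker Drive Encryption:"
    Write-Output "enable the advanced startup options policy and allow BitLocker without a compatible TPM,"
    Write-Output "then run 'gpupdate /force' so the setup wizard and manage-bde accept a startup key."
}

if (-not (Test-StartupKeyDrive -Drive $UsbDrive)) {
    Write-Warning "$UsbDrive is not a removable drive; insert the USB flash drive before continuing."
    exit 1
}

# Current protection state of the OS volume (protectors, encryption percentage).
manage-bde -status $OsVolume

if ($Encrypt) {
    # Two protectors: a 48-digit recovery password (printed on screen; record it
    # somewhere safe, it is the only way back in if the USB key is lost) and a
    # startup key written to the USB drive as a .BEK file. BitLocker's own
    # system check then reboots once to confirm the BIOS can read the key.
    manage-bde -on $OsVolume -RecoveryPassword -StartupKey "$UsbDrive\"
} else {
    Write-Output "Dry run only; re-run with -Encrypt to add the protectors and start encryption."
}
```

    Run it first without -Encrypt to see the TPM and drive results and the current manage-bde status; the encryption step is deliberately gated so the script cannot start encrypting a volume on an ordinary status check.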

  9. Posted on: August 03, 2007 at 6:26PM  

    Hey hans_schmucker:  I've contacted my colleagues on the BitLocker team for assistance with your inquiries and will get back to you as soon as I receive their reply.

  10. Posted on: August 03, 2007 at 6:47PM  

    Hey again hans_schmucker:  the BitLocker team, in conjunction with the Windows Vista Security team, can answer your BitLocker-related questions via the Windows Vista Security blog:  http://blogs.msdn.com/windowsvistasecurity/.  It sounds like there's a lot that BitLocker does that rivals the functionality of TrueCrypt.

    With respect to your question on hardware compatibility, there are a number of ways to find Windows Vista-compatible hardware, but they all revolve around our Certified logo program, which is described here:  http://windowsvistablog.com/blogs/windowsvista/archive/2007/02/28/devices-and-software-that-are-certified-for-windows-vista.aspx.

Trackbacks

  1. Posted by: The Security Wizard on July 28, 2007 at 4:49PM

    While you may have heard of BitLocker, what you may not know is that you don't need Trusted Platform

  2. Posted by: The things that are better left unspoken on September 11, 2007 at 3:05AM

    A while ago I wrote a blog post on BitLocker Drive Encryption and why I thought it wasn’t ready for prime