10 Things - Using BitLocker, even without a TPM

While you may have heard of BitLocker, what you may not know is that you don't need a Trusted Platform Module to use it on your system.

BitLocker Drive Encryption is a new security feature integrated into the Windows Vista operating system that provides considerable protection to the OS and data stored on the operating system volume.  BitLocker ensures that data stored on a computer running Windows Vista remains encrypted even if the computer is tampered with when the operating system is not running.  This helps protect against "offline attacks" -- those made by disabling or circumventing the installed operating system, or by physically removing the hard drive to attack the data separately.  In other words, attacks made when the system is not running.

Windows BitLocker Drive Encryption provides increased security by encrypting everything on your hard drive: data, programs and even Windows itself.  When you use BitLocker, your system is more difficult to tamper with, and thus you are better protected if your computer is ever lost or stolen.  BitLocker does not replace the need to use a strong password and other vital security features, but it does make it much harder for anyone else to read the information stored on your hard drive.

BitLocker is designed for systems that have a compatible TPM microchip and BIOS.  (A compatible TPM is defined as a version 1.2 TPM.)  A compatible BIOS must support the TPM and the Static Root of Trust Measurement as defined by the Trusted Computing Group.  When available, BitLocker uses a system's Trusted Platform Module (TPM) to provide enhanced protection for your data and to assure early boot component integrity.  The chip performs a system integrity check -- a process that verifies your computer system has not been tampered with -- before unlocking your drive and allowing access to the data stored on it.  This helps protect data from theft or unauthorized viewing by encrypting the entire Windows volume.  Although the TPM interacts with BitLocker at system startup, its protection is transparent and the user logon experience is unchanged.  However, if the TPM is missing or altered, or if the start-up information has changed, BitLocker will enter recovery mode and the user will be required to enter a recovery password to regain access to the data.  For more information about TPM specifications, visit the TPM Specifications section of the Trusted Computing Group's Web site.

A great thing about BitLocker is that even if you do not have a TPM 1.2 chip, you can still use the encryption it provides, but the system integrity checking enabled by the TPM will be unavailable.

For information about how to enable BitLocker on your computer without using a TPM 1.2 chip, see the BitLocker Drive Encryption Step-by-Step Guide.  You can also find more information about the requirements for BitLocker Drive Encryption, including partitioning, start-up options and recovery options.
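As an added example (not code from the article or from Microsoft), the following PowerShell reports the three facts the article hinges on: whether a TPM 1.2 is present, whether policy permits BitLocker without a compatible TPM, and which key protectors guard the OS volume, so an administrator can see at a glance whether early-boot integrity checking is actually in force. It assumes Windows 8 or later with the BitLocker PowerShell module (Get-BitLockerVolume), which Vista lacks; the Win32_Tpm WMI class and the FVE policy value names are those used by the BitLocker group policy.

```powershell
# Added example, not part of the original article. Assumes PowerShell 3+ and
# the BitLocker module (Windows 8+); run in an elevated session.

$report = [ordered]@{}

# 1. TPM presence and version via the documented WMI class.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                       -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
if ($tpm) {
    $report['TpmPresent']   = $true
    $report['TpmSpec']      = $tpm.SpecVersion          # starts with "1.2" or "2.0"
    $report['TpmEnabled']   = $tpm.IsEnabled_InitialValue
    $report['TpmActivated'] = $tpm.IsActivated_InitialValue
} else {
    $report['TpmPresent'] = $false
}

# 2. Policy: "Require additional authentication at startup" with
#    "Allow BitLocker without a compatible TPM" writes these values.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
$report['AdvancedStartup']   = [bool]$pol.UseAdvancedStartup
$report['AllowedWithoutTpm'] = [bool]$pol.EnableBdeWithNoTPM

# 3. OS volume protection status and the protector types in use.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report['Protection'] = $os.ProtectionStatus
$report['Protectors'] = ($os.KeyProtector | ForEach-Object KeyProtectorType) -join ', '

# Without a TPM the volume is still encrypted, but only a startup key or
# password unlocks it and nothing measures the early boot components.
if (-not $report['TpmPresent'] -and -not $report['AllowedWithoutTpm']) {
    Write-Warning 'No TPM and policy does not allow BitLocker without one; enable the policy first.'
}
if ($report['Protectors'] -notmatch 'Tpm') {
    Write-Warning 'OS volume has no TPM protector: boot integrity is not verified at startup.'
}

[pscustomobject]$report
```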


Comments

  1. Posted on: August 04, 2007 at 8:35AM  

    Thank you for taking the time to reply.

    Sadly, the BitLocker Blog as well as the System Integrity Blog haven't been updated in almost a year and (understandably) the security blog has only limited information about BitLocker. However the SI blog (which I just found at http://blogs.msdn.com/si_team/ ) has some interesting information... seems BitLocker uses AES (not a bad choice) and there's also some header information there... not enough to even nearly call it a "spec", but it's a good start. Now we just need more of that!

    Another question about TPM (I hope it hasn't been answered already, but the blogs here are a bit of a jungle):

    I'm curious what scenarios are actually supposed to be prevented by TPM... I mean, if there are real, physical changes, then TPM cannot possibly detect even the easiest ones... how would it detect a sniffer at the keyboard port or the display connector.... which pretty much only leaves the hard drives and BIOS as targets for TPM protection. The hard drives can (as you mentioned before) be protected exactly the same with or without TPM and the BIOS... well, it is an attack vector, but none that I have seen used since around '94...

    About the Compatibility... it's actually pretty hard to find out the Vista rating for my notebook as Toshiba doesn't show them on their homepage and I have the habit of removing all stickers from my devices... When and if I find out more, I'll simply post again.

    And finally, just call me Hans ... I just didn't write it with a capital "H" because most sites ignore capitalization. :)

  2. Posted on: August 04, 2007 at 8:39AM  

    http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/20/windows-vista-content-protection-twenty-questions-and-answers.aspx , but since that post is pretty old now, I'm just going to repost it here, I hope you don't mind:

    "I hope that this topic is still watched... My question is yet again about drivers. As most of you know, Notebooks don't usually get unified drivers and since most notebook manufacturers fail to supply updated drivers after about 3 months (and sometimes not at all), notebook users have to hunt down updated video drivers themselves. Typically, these are unified drivers with a modified INF that marks the driver as compatible with additional device ids. Sometimes this behaviour has been encouraged by chip and notebook makers (you get it frequently when calling support), sometimes discouraged (NVidia recently threatened to shut down a page providing such drivers), but fact is that it's crucial to notebook users. Of course the modifications to the INF revoke the driver certificates. So what would happen to me, if I were to use such a modified driver while trying to play content with heavy protection, say BluRay with image quality restrictions enabled?"

  3. Posted on: August 04, 2007 at 8:41AM  

    Somehow, the first few chars were lost:

    P.S. I've posted a question at  ... ->

  4. Posted on: August 06, 2007 at 2:21PM  

    Hi again Hans:  I know that the Windows Vista Security blog has not been posted to recently, but the folks on the Security team asked that we refer issues relating to BitLocker and use of TPMs to their blog so they can answer directly.  Go ahead and post your questions there, as they should reply fairly promptly.

    Let me see if I can't get you an answer to your question on laptop drivers and playback of protected content - stay tuned.

  5. Posted on: August 07, 2007 at 5:06PM  

    Perhaps I am a bit confused about BitLocker.  What if an individual loses his key altogether?  Is there no way to recover the drive itself?

    Can it be formatted?  If so, can't the data be recovered using data recovery software?

    Thanks

    Chris

  6. Posted on: August 08, 2007 at 11:23AM  

    Hi again Hans:  with respect to your question on notebook drivers, I've conferred with my colleagues to get some clarity on drivers made specifically for laptop hardware and how this relates to HD-DVD/Blu-Ray ("next-gen") playback.  Here's what I've learned:

    "Microsoft does not ship HD-DVD or Blu-ray playback, so this is a 3rd-party application question.  Nevertheless, it is highly likely that if the drivers are not signed then the 3rd-party systems will refuse to playback any protected content.

    As to the "quality restrictions" (down-rezing):  this is performed if you have an analog output and the AACS-protected content contains the ICT (Image Constraint Token).  To date, no content has asserted ICT because too many consumers use component video.  But I highly suspect that in this scenario a customer will get a black screen since the playback software will refuse to decrypt anything."

    Hope this helps answer your question.

  7. Posted on: August 08, 2007 at 2:07PM  

    Hey chrisbee:  there're definitely a number of ways around this -- take a look at this FAQ for more info:  http://technet2.microsoft.com/WindowsVista/en/library/58358421-a7f5-4c97-ab41-2bcc61a58a701033.mspx?mfr=true.

  8. Posted on: August 21, 2007 at 3:19AM  

    I really think BitLocker has been confusing the general public. The technologies are terrific but there needs to be a definitive explanation of what the purposes and methodologies are to inspire confidence.

  9. Posted on: August 21, 2007 at 9:13PM  

    Hey The_Thunderdog:  thanks for sharing your perspective; I agree that BL can be confusing and hence wrote this article to try to dispel a few of the misconceptions around it.  If you have specific suggestions as to other aspects of it we can cover in future articles, I'm all ears :).

  10. Posted on: August 30, 2007 at 7:45AM  

    Is SP1 going to fix the "Insufficient disk space for BitLocker Drive Encryption to encrypt the drive. Use disk maintenance tools to repair the disk and try again." errors some people seem to get when using this method?

    I used the BitLocker Drive Preparation Tool that comes with Vista Ultimate to make the 1.5GB system drive and the rest of the drive is 278GB with 195GB free, and the system boot drive the tool made is 1.41GB free of 1.46GB total. For some reason if I do the system check before encryption it never gets past 0% and gives no error, if I skip the system check it gives the above error with over 70% space on both drives.

Trackbacks

  1. Posted by: The Security Wizard on July 28, 2007 at 4:49PM

    While you may have heard of BitLocker, what you may not know is that you don't need Trusted Platform

  2. Posted by: The things that are better left unspoken on September 11, 2007 at 3:05AM

    A while ago I wrote a blog post on BitLocker Drive Encryption and why I thought it wasn’t ready for prime