10 Things - Using BitLocker, even without a TPM

Nick White — Thu, 26 Jul 2007 19:15:00 GMT

While you may have heard of BitLocker, what you may not know is that you don't need Trusted Platform Module to use it on your system.

BitLocker Drive Encryption is a new security feature integrated into the Windows Vista operating system that provides considerable protection to the OS and data stored on the operating system volume. BitLocker ensures that data stored on a computer running Windows Vista remains encrypted even if the computer is tampered with when the operating system is not running. This helps protect against "offline attacks" -- those made by disabling or circumventing the installed operating system, or by physically removing the hard drive to attack the data separately. In other words, attacks made when the system is not running.

Windows BitLocker Drive Encryption provides increased security by encrypting everything on your hard drive: data, programs and even Windows itself. When you use BitLocker, your system is more difficult to tamper with, and thus you are better protected if your computer is ever lost or stolen. BitLocker does not replace the need to use a strong password and other vital security features, but it does make it much harder for anyone else to read the information stored on your hard drive.

BitLocker is designed for systems that have a compatible TPM microchip and BIOS. (A compatible TPM is defined as a version 1.2 TPM.) A compatible BIOS must support the TPM and the Static Root of Trust Measurement as defined by the Trusted Computing Group. When available, BitLocker uses a system's Trusted Platform Module (TPM) to provide enhanced protection for your data and to assure early boot component integrity. The chip performs a system integrity check -- a process that verifies your computer system has not been tampered with -- before unlocking your drive and allowing access to the data stored on it. This helps protect data from theft or unauthorized viewing by encrypting the entire Windows volume. Although the TPM interacts with BitLocker at system startup, its protection is transparent and the user logon experience is unchanged. However, if the TPM is missing or altered, or if the start-up information has changed, BitLocker will enter recovery mode and the user will be required to enter a recovery password to regain access to the data. For more information about TPM specifications, visit the TPM Specifications section of the Trusted Computing Group's Web site.

A great thing about BitLocker is that even if you do not have a TPM 1.2 chip, you can still use the encryption it provides, but the system integrity checking enabled by the TPM will be unavailable.

For information about how to enable BitLocker on your computer without using a TPM 1.2 chip, see the BitLocker Drive Encryption Step-by-Step Guide. You can also find more information about the requirements for BitLocker Drive Encryption, including partitioning, start-up options and recovery options.

Windows Vista Team Blog : Tips and Tricks, BitLocker

10 Things - Using BitLocker, even without a TPM