10 Things - Using BitLocker, even without a TPM


While you may have heard of BitLocker, what you may not know is that you don't need a Trusted Platform Module (TPM) to use it on your system.

BitLocker Drive Encryption is a new security feature integrated into the Windows Vista operating system that provides considerable protection to the OS and data stored on the operating system volume.  BitLocker ensures that data stored on a computer running Windows Vista remains encrypted even if the computer is tampered with when the operating system is not running.  This helps protect against "offline attacks" -- those made by disabling or circumventing the installed operating system, or by physically removing the hard drive to attack the data separately.  In other words, attacks made when the system is not running.

Windows BitLocker Drive Encryption provides increased security by encrypting everything on your hard drive: data, programs and even Windows itself.  When you use BitLocker, your system is more difficult to tamper with, and thus you are better protected if your computer is ever lost or stolen.  BitLocker does not replace the need to use a strong password and other vital security features, but it does make it much harder for anyone else to read the information stored on your hard drive.

BitLocker is designed for systems that have a compatible TPM microchip and BIOS.  (A compatible TPM is defined as a version 1.2 TPM.)  A compatible BIOS must support the TPM and the Static Root of Trust Measurement as defined by the Trusted Computing Group.  When available, BitLocker uses a system's Trusted Platform Module (TPM) to provide enhanced protection for your data and to assure early boot component integrity.  The chip performs a system integrity check -- a process that verifies your computer system has not been tampered with -- before unlocking your drive and allowing access to the data stored on it.  This helps protect data from theft or unauthorized viewing by encrypting the entire Windows volume.  Although the TPM interacts with BitLocker at system startup, its protection is transparent and the user logon experience is unchanged.  However, if the TPM is missing or altered, or if the start-up information has changed, BitLocker will enter recovery mode and the user will be required to enter a recovery password to regain access to the data.  For more information about TPM specifications, visit the TPM Specifications section of the Trusted Computing Group's Web site.

A great thing about BitLocker is that even if you do not have a TPM 1.2 chip, you can still use the encryption it provides, but the system integrity checking enabled by the TPM will be unavailable.

For information about how to enable BitLocker on your computer without using a TPM 1.2 chip, see the BitLocker Drive Encryption Step-by-Step Guide.  You can also find more information about the requirements for BitLocker Drive Encryption, including partitioning, start-up options and recovery options.

31 Comments
  • Duane Duane
    52463 Posts

    I have a (TPM-less) BitLocker-protected box. A USB key with the startup key went missing some time ago. I don't think it's in the "wrong hands," but I'd like to change the startup key to something else. Disabling & then re-enabling BitLocker didn't produce a new startup key. Is there a way to do this?

  • Dragon
    2 Posts

    Is SP1 going to fix the "Insufficient disk space for BitLocker Drive Encryption to encrypt the drive. Use disk maintenance tools to repair the disk and try again." errors some people seem to get when using this method?

    I used the BitLocker Drive Preparation Tool that comes with Vista Ultimate to make the 1.5GB system drive and the rest of the drive is 278GB with 195GB free, and the system boot drive the tool made is 1.41GB free of 1.46GB total. For some reason if I do the system check before encryption it never gets past 0% and gives no error, if I skip the system check it gives the above error with over 70% space on both drives.

  • Nick White
    1204 Posts

    Hey The_Thunderdog:  thanks for sharing your perspective; I agree that BL can be confusing and hence wrote this article to try to dispel a few of the misconceptions around it.  If you have specific suggestions as to other aspects of it we can cover in future articles, I'm all ears :).

  • I really think BitLocker has been confusing the general public. The technologies are terrific but there needs to be a definitive explanation of what the purposes and methodologies are to inspire confidence.

  • Nick White
    1204 Posts

    Hey chrisbee:  there're definitely a number of ways around this -- take a look at this FAQ for more info:  http://technet2.microsoft.com/WindowsVista/en/library/58358421-a7f5-4c97-ab41-2bcc61a58a701033.mspx?mfr=true.

  • Nick White
    1204 Posts

    Hi again Hans:  with respect to your question on notebook drivers, I've conferred with my colleagues to get some clarity on drivers made specifically for laptop hardware and how this relates to HD-DVD/Blu-Ray ("next-gen") playback.  Here's what I've learned:

    "Microsoft does not ship HD-DVD or Blu-ray playback, so this is a 3rd-party application question.  Nevertheless, it is highly likely that if the drivers are not signed then the 3rd-party systems will refuse to playback any protected content.

    As to the "quality restrictions" (down-rezing):  this is performed if you have an analog output and the AACS-protected content contains the ICT (Image Constraint Token).  To date, no content has asserted ICT because too many consumers use component video.  But I highly suspect that in this scenario a customer will get a black screen since the playback software will refuse to decrypt anything."

    Hope this helps answer your question.

  • Perhaps I am a bit confused about BitLocker.  What if an individual loses his key altogether?  Is there no way to recover the drive itself?

    Can it be formatted?  If so, can't the data be recovered using data recovery software?

    Thanks

    Chris

  • Nick White
    1204 Posts

    Hi again Hans:  I know that the Windows Vista Security blog has not been posted to recently, but the folks on the Security team asked that we refer issues relating to BitLocker and use of TPMs to their blog so they can answer directly.  Go ahead and post your questions there, as they should reply fairly promptly.

    Let me see if I can't get you an answer to your question on laptop drivers and playback of protected content - stay tuned.

  • Somehow, the first few chars were lost:

    P.S. I've posted a question at  ... ->

  • http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/20/windows-vista-content-protection-twenty-questions-and-answers.aspx , but since that post is pretty old now, I'm just going to repost it here, I hope you don't mind:

    "I hope that this topic is still watched... My question is yet again about drivers. As most of you know, notebooks don't usually get unified drivers and since most notebook manufacturers fail to supply updated drivers after about 3 months (and sometimes not at all), notebook users have to hunt down updated video drivers themselves. Typically, these are unified drivers with a modified INF that marks the driver as compatible with additional device ids. Sometimes this behaviour has been encouraged by chip and notebook makers (you get it frequently when calling support), sometimes discouraged (NVidia recently threatened to shut down a page providing such drivers), but fact is that it's crucial to notebook users. Of course the modifications to the INF revoke the driver certificates. So what would happen to me, if I were to use such a modified driver while trying to play content with heavy protection, say BluRay with image quality restrictions enabled?"

  • Thank you for taking the time to reply.

    Sadly, the BitLocker Blog as well as the System Integrity Blog haven't been updated in almost a year and (understandably) the security blog has only limited information about BitLocker. However the SI blog (which I just found at http://blogs.msdn.com/si_team/ ) has some interesting information... seems BitLocker uses AES (not a bad choice) and there's also some header information there... not enough to even nearly call it a "spec", but it's a good start. Now we just need more of that!

    Another question about TPM (I hope it hasn't been answered already, but the blogs here are a bit of a jungle):

    I'm curious what scenarios are actually supposed to be prevented by TPM... I mean, if there are real, physical changes, then TPM cannot possibly detect even the easiest ones... how would it detect a sniffer at the keyboard port or the display connector.... which pretty much only leaves the hard drives and BIOS as targets for TPM protection. The hard drives can (as you mentioned before) be protected exactly the same with or without TPM and the BIOS... well, it is an attack vector, but none that I have seen used since around '94...

    About the Compatibility... it's actually pretty hard to find out the Vista rating for my notebook as Toshiba doesn't show them on their homepage and I have the habit of removing all stickers from my devices... When and if I find out more, I'll simply post again.

    And finally, just call me Hans ... I just didn't write it with a capital "H" because most sites ignore capitalization. :)

  • Nick White
    1204 Posts

    Hey again hans_schmucker:  the BitLocker team, in conjunction with the Windows Vista Security team, can answer your BitLocker-related questions via the Windows Vista Security blog:  http://blogs.msdn.com/windowsvistasecurity/.  It sounds like there's a lot that BitLocker does that rivals the functionality of TrueCrypt.

    With respect to your question on hardware compatibility, there are a number of ways to find Windows Vista-compatible hardware, but they all revolve around our Certified logo program, which is described here:  http://windowsvistablog.com/blogs/windowsvista/archive/2007/02/28/devices-and-software-that-are-certified-for-windows-vista.aspx.

  • Nick White
    1204 Posts

    Hey hans_schmucker:  I've contacted my colleagues on the BitLocker team for assistance with your inquiries and will get back to you as soon as I receive their reply.

  • xfl888
    1 Posts

    You can enable BitLocker on a computer without a TPM version 1.2, provided that the BIOS has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected volume until BitLocker’s own volume master key is first released by either the computer’s TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to take advantage of the system integrity verification that BitLocker can also provide.

    To help determine whether a computer can read from a USB device during the boot process, use the BitLocker System Check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.

    To enable BitLocker on a computer without a TPM, use Group Policy to enable the advanced BitLocker user interface. With the advanced options enabled, the non-TPM settings appear in the BitLocker setup wizard. For instructions about using Group Policy to enable the advanced user options, see http://go.microsoft.com/fwlink/?LinkId=83223.
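
Replacing a lost USB startup key on a TPM-less volume (the situation in Duane's question above, using the startup key xfl888 describes), as an added example that is not part of the original post or comments. It assumes Windows 8 / Server 2012 or later, where the BitLocker PowerShell cmdlets exist (they are not available on Windows Vista), an elevated session, and a replacement flash drive at the hypothetical path `E:\`.

```powershell
#Requires -RunAsAdministrator
# Added example: rotate the USB startup key of a TPM-less BitLocker OS volume.
# Assumptions: BitLocker PowerShell module (Windows 8 / Server 2012 or later);
# $NewKeyPath is a hypothetical drive letter for the replacement flash drive.

$MountPoint = 'C:'    # BitLocker-protected operating system volume
$NewKeyPath = 'E:\'   # root of the replacement USB flash drive (assumed)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    throw "BitLocker protection is not on for $MountPoint."
}

# Do not rotate without a recovery password: it is the fallback if the new
# USB key turns out to be unreadable in the pre-boot environment.
$recovery = $vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) {
    throw "No recovery password protector on $MountPoint; add one before rotating."
}

# Startup keys that exist right now, including the one on the lost drive.
# Note: a recovery key saved as a file is also an ExternalKey protector and
# would be removed below as well.
$oldKeys = @($vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'ExternalKey' })

# Add the new startup key first so the volume is never left without one.
Add-BitLockerKeyProtector -MountPoint $MountPoint `
    -StartupKeyProtector -StartupKeyPath $NewKeyPath | Out-Null

# The key file is written hidden, so -Force is needed to see it.
$bek = @(Get-ChildItem -Path $NewKeyPath -Filter '*.BEK' -Force)
if ($bek.Count -eq 0) {
    throw "No .BEK file found on $NewKeyPath; old startup keys were left in place."
}

# Remove the old protectors: the lost flash drive can no longer unlock the volume.
foreach ($key in $oldKeys) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint `
        -KeyProtectorId $key.KeyProtectorId | Out-Null
}

# Show what can unlock the volume now.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

Reboot once with the new flash drive inserted before relying on it, keeping the recovery password at hand.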

  • Another question, that is entirely off-topic, but maybe you know about this and maybe you could post about it.

    My question concerns hardware compatibility. I recently bought a Toshiba Satego P100-491 (No, you don't have to know this particular device), which comes preloaded with Vista (Home Deluxe). I've had a couple of issues (most importantly, it wouldn't activate when I reinstalled Vista and in fact wouldn't let me in to update so I can get the patch that fixes OEM activation, so now I'm running the Business version that I got from university) but what really grinds my gears is the fact that the hardware seems to be incompatible with Vista (In fact when it was released there wasn't even a driver that could do OpenGL)... when the GPU has a lot to do, the framerate drops to about 10% every three seconds or so. It's so bad that I'm dual booting XP again.

    So my question is this: How do you work with hardware vendors to ensure that they only sell Vista-compatible hardware with Vista?

  • I've been a user of TrueCrypt pretty much since it came out and use it to keep my data safe... since BitLocker is in a similar area I have a couple of questions:

    1. Recovery:

    The most pressing matter for me would be how easy it is to recover data if there's a system error...  most of us don't have access to WindowsPE builder and most of us (I'm an IT student) simply use Linux BootCDs to save data from a broken system, also because the filesystem layer on Linux is much more error-resistant than its Windows counterpart (No, I'm not bashing Windows... after all I use it everyday). I'm not asking you to create a Linux tool, but is there a usable specification that could be used to access the data in the case of an emergency (with the correct recovery password, of course)? I couldn't find anything about the actual specs and encryption algorithms used on the BitLocker page.

    2. Password checks

    About this I'm simply curious: TrueCrypt checks a password by decrypting the first four bytes of each volume. If these four bytes decrypt to "TRUE", then the password is assumed to be correct... I find that system to be quite ingenious as there are thousands, if not millions of keys that would decrypt the first four bytes to TRUE, so you can't use it to verify brute-force attacks (The data is simply too short), but it's still pretty unlikely that a user could mistype a key and still get the same data. How does BitLocker do it?

  • Nick White
    1204 Posts

    Hey zed260:  I understand where you're coming from, but know that the wallpapers in the Starter Edition are of much lower resolution designed for lower-end computers. A valid request nonetheless :)

  • Nick White
    1204 Posts

    Hey cesarebalena:  we're not sharing invitations just yet, but the process to get into the SP1 Beta program will definitely be detailed here on the blog when the time comes :)

  • Nick White
    1204 Posts

    Hey Good_Bytes and Odegaard:  Andre is correct (thanks, Andre!) in both of his replies; you can find specific answers to these questions and similar concerns at the BitLocker TechCenter:  http://technet.microsoft.com/en-us/windowsvista/aa905065.aspx.

  • someone
    156 Posts

    More of an issue I'm finding these days is that consumer chipsets/motherboards are not including TPM even in some models.

  • I would have posted this in a blog that discusses DreamScene, but there aren't any recent ones as far as I know. While I was searching through the WINDOWS folder on Windows Vista Ultimate I noticed two video clips. There are three scenes in each of the clips, In the first clip there's two creeks and a fountain and are each shown for a few seconds, but in the second clip it's the first video but sped up. Was Microsoft trying to make DreamScenes but they didn't turn out as expected?

  • zed260
    21 Posts

    That's stupid. Why does Vista Starter Edition have wallpapers that are only available for it? They are not even included in Ultimate Edition.

  • Hi Nick,

    Can I be invited to the Beta Vista SP1 program?

    Thanks

    Cesare Balena

    balenacesare@msn.com

  • adacosta
    91 Posts

    Odegaard, I am just second guessing here, but you have to provide the 48 Character encryption key to unlock access to the information or the data is just gone. Not sure.

  • If I'm using bitlocker and my computer crashes, is there any way to recover the data, by for example moving the harddrive to another PC? (because this is what you are actually protecting against)

    I would think I would need to take some actions prior to this happening (like exporting and storing a key somewhere)

  • adacosta
    91 Posts

    If you need to reinstall your operating system, you will have to decrypt the drive by turning off BitLocker completely. Disabling Bitlocker will not allow you to make the desired changes to the system. Decrypting can take long depending on the amount of data and the size of the hard disk.

    To disable a BitLocker volume, follow the procedure described below.

       1. Go to Start, Control Panel, Security and select BitLocker Drive Encryption.

       2. On the volume that you want to disable BitLocker, click Turn Off BitLocker Drive Encryption.

       3. Depending on the level of decryption you desire, you can either Disable the BitLocker Drive Encryption or Decrypt the volume. Get Encrypting.

  • If I need to re-install my system? Or change HDD? Or change my motherboard because it broke. Will my data be lost? If there is a remove feature, and my motherboard breaks, did I just lose all my data that was protected?

  • Nick White
    1204 Posts

    Hey tangqiping:  we actually do cover that topic in the post:  "A great thing about BitLocker is that even if you do not have a TPM 1.2 chip, you can still use the encryption it provides, but the system integrity checking enabled by the TPM will be unavailable."

    More info is available at http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx.

  • You just talk about BitLocker! But you didn't talk about how to use it without TPM! It is important!

  • Good to know you can use some of the BitLocker features without the latest laptop with TPM chip installed. My wife's uncle could certainly have used this encryption/protection when his laptop got stolen while he was on a train.  Unfortunately Vista was not out at the time, as this was 2 years ago.

    It got stolen in Britain, my homeland no less, when he was on a business trip from the USA.  Gotta love that public transportation. Ironically, he thought he was safe because he was in a First Class Business carriage, but alas that was not the case!