A Trusted Platform Module (TPM) is a secure microcontroller with
cryptographic capabilities designed to provide basic security‑related
functions involving encryption keys. It is installed on the motherboard
of the system, and communicates with the rest of the system using
a hardware bus. You can establish ownership of the system and its
TPM using the BIOS setup commands.
TPM stores the platform configuration as a set of values in a set
of Platform Configuration Registers (PCRs). Thus one such register
may store, for example, the motherboard manufacturer; another, the
processor manufacturer; a third, the firmware version for the platform,
and so on. Systems that incorporate a TPM create a key that is tied
to platform measurements. The key can only be unwrapped when those
platform measurements have the same values that they had when the
key was created. This process is called
sealing the key to
the TPM. Decrypting is called
unsealing. When a sealed key
is first created, the TPM records a snapshot of configuration values
and file hashes. A sealed key is only
unsealed or released
when those current system values match the ones in the snapshot. BitLocker
uses sealed keys to detect attacks against the integrity of the system.
Data is locked until specific hardware or software conditions are
met.
BitLocker mitigates unauthorized data access by combining two major
data‑protection procedures:
-
Encrypting the entire Windows operating system volume on the
hard disk:
BitLocker encrypts all user files and system files
in the operating system volume.
-
Checking the integrity of early boot components and the boot
configuration data:
On systems that have a TPM version 1.2, BitLocker
leverages the enhanced security capabilities of the TPM and ensures
that the data is accessible only if the boot components of the system
are unaltered and the encrypted disk is located in the original system.
BitLocker is designed for systems that have a compatible TPM microchip
and BIOS. A compatible TPM is defined as a version 1.2 TPM. A compatible
BIOS supports the TPM and the Static root of Trust Measurement. BitLocker
seals the master encryption key in the TPM and only allows the key
to be released when code measurements have not changed from a previous
secure boot. It forces you to provide a recovery key to continue boot
if any measurements have changed. A one‑to‑many BIOS update scenario
results in BitLocker halting the update and requesting a recovery
key before completing boot.
BitLocker protects the data stored on a system through
full
volume encryption
and
secure startup. It ensures that data
stored on a system remains encrypted even if the system is tampered
with when the operating system is not running and prevents the operating
system from booting and decrypting the drive until you present the
BitLocker key.
TPM interacts with BitLocker to provide protection at system startup.
TPM must be enabled and activated before it can be used by BitLocker.
If the startup information has changed, BitLocker enters recovery
mode, and you need a recovery password to regain access to the data.
-
NOTE: For information
on how to turn on BitLocker, see the Microsoft TechNet website. For
instructions on how to activate TPM , see the documentation included
with the system. A TPM is not required for BitLocker; however, only
a system with a TPM can provide the additional security of startup
system integrity verification. Without TPM, BitLocker can be used
to encrypt volumes but not a secure startup.
-
NOTE: The most secure
way to configure BitLocker is on a system with a TPM version 1.2 and
a Trusted Computing Group (TCG) compliant BIOS implementation, with
either a startup key or a PIN. These methods provide additional authentication
by requiring either an additional physical key (a USB flash drive
with a system‑readable key written to it) or a PIN set by the user.
-
NOTE: For mass BIOS
updates, create a script that disables BitLocker, installs the update,
reboots the system and then re‑enables BitLocker. For one‑to‑one Dell
Update Package (DUP) deployments, manually disable BitLocker and then
re‑enable it after rebooting the system.
-
NOTE: In addition to
BIOS DUP, execution of firmware DUP for U320, Serial Attached SCSI
(SAS) 5, SAS 6, Expandable RAID Controller (PERC) 5, PERC 6, and Cost
Effective RAID Controller (CERC) 6 controllers is blocked on a system
having a TPM version 1.2 chip,
TPM Security set at
ON with
pre‑boot measurement,
and
TPM Activation set at
Enabled if you enable BitLocker (TPM or TPM with USB or TPM with PIN).