How does BitLocker Drive Encryption work?
If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer. Encrypting the entire volume protects all of the data, including the operating system itself, the Windows registry, temporary files, and the hibernation file. Because the keys needed to decrypt data remain locked by the TPM, an attacker cannot read the data just by removing your hard disk and installing it in another computer.

During the startup process, the TPM releases the key that unlocks the encrypted partition only after comparing a hash of important operating system configuration values with a snapshot taken earlier. This verifies the integrity of the Windows startup process. The key is not released if the TPM detects that your Windows installation has been tampered with.

By default, the BitLocker setup wizard is configured to work seamlessly with the TPM. An administrator can use Group Policy or a script to enable additional features and options.

For enhanced security, you can combine the use of a TPM with either a PIN entered by the user or a startup key stored on a USB flash drive.
NOTE:
1) On computers without a compatible TPM, BitLocker can provide encryption, but not the added security of locking keys with the TPM. In this case, the user is required to create a startup key that is stored on a USB flash drive.
2) BitLocker may not function completely in terms of added security on any of the HSB systems such as Dimension, Inspiron and XPS, as these systems do not have a TPM installed on their system boards. The consumer segment will not support the TPM feature.
What is a TPM?
A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a desktop or portable computer, and communicates with the rest of the system by using a hardware bus.

Computers that incorporate a TPM have the ability to create cryptographic keys and encrypt them so that they can be decrypted only by the TPM. This process, often called "wrapping" or "binding" a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the Storage Root Key (SRK), which is stored within the TPM itself. The private portion of a key created in a TPM is never exposed to any other component, software, process, or person.

Computers that incorporate a TPM can also create a key that has not only been wrapped, but is also tied to specific hardware or software conditions. This is called "sealing" a key. When a sealed key is first created, the TPM records a snapshot of configuration values and file hashes. A sealed key is only "unsealed" or released when the current system values match the ones in the snapshot. BitLocker uses sealed keys to detect attacks against the integrity of the Windows operating system.

With a TPM, private portions of key pairs are kept separated from the memory controlled by the operating system. Because the TPM uses its own internal firmware and logic circuits for processing instructions, it does not rely upon the operating system and is not exposed to external software vulnerabilities.
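The sealing mechanism described above, modelled as an added example (not code from the original page or from a real TPM): boot components are measured into a register by hash-chaining, the volume key is wrapped with a key derived from the SRK and the measurement snapshot, and unsealing fails whenever the current measurements differ. The SRK value, component names and the wrapping construction are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed model of measured boot: a register (PCR) starts at zeros and is
# "extended" with each component's hash, so the final value depends on every
# component and on the order in which they were measured.
def extend(pcr: bytes, component: bytes) -> bytes:
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components: List[bytes]) -> bytes:
    pcr = bytes(32)
    for c in components:
        pcr = extend(pcr, c)
    return pcr

def seal(srk: bytes, key: bytes, pcr_snapshot: bytes) -> bytes:
    # The wrapping key depends on both the SRK (never leaves the TPM) and the
    # PCR snapshot, so the blob can only be opened under the same measurements.
    assert len(key) <= 32
    wrap_key = hmac.new(srk, b"seal" + pcr_snapshot, hashlib.sha256).digest()
    nonce = os.urandom(16)
    stream = hashlib.sha256(wrap_key + nonce).digest()[: len(key)]
    blob = bytes(a ^ b for a, b in zip(key, stream))
    tag = hmac.new(wrap_key, nonce + blob, hashlib.sha256).digest()
    return nonce + blob + tag

def unseal(srk: bytes, sealed: bytes, pcr_now: bytes) -> Optional[bytes]:
    wrap_key = hmac.new(srk, b"seal" + pcr_now, hashlib.sha256).digest()
    nonce, blob, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    expected = hmac.new(wrap_key, nonce + blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # measurements differ from the snapshot: key is not released
    stream = hashlib.sha256(wrap_key + nonce).digest()[: len(blob)]
    return bytes(a ^ b for a, b in zip(blob, stream))

def demo() -> tuple:
    srk = b"constructed-srk-secret"        # stands in for the TPM's SRK
    vmk = os.urandom(32)                   # the key protecting the volume
    good_boot = [b"firmware v1", b"bootmgr", b"winload.exe", b"bcd:safeboot=0"]
    sealed = seal(srk, vmk, measure_boot(good_boot))
    released = unseal(srk, sealed, measure_boot(good_boot)) == vmk
    tampered = good_boot[:2] + [b"winload.exe (modified)", b"bcd:safeboot=0"]
    blocked = unseal(srk, sealed, measure_boot(tampered)) is None
    return released, blocked
```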
One of the known issues: BitLocker causes slow performance in MediaDirect 3.0 on Vista systems.
Document ID: 315829
No need to replace any hardware; we can do the following.
To disable Microsoft® Windows® BitLocker on the primary partition, perform the following steps:
1. Log in as an administrator.
2. Ensure that the drive is encrypted.
3. Click the Start button. The Start Menu appears.
4. Click Control Panel. The Control Panel window appears.
5. Click Security. The Security window appears.
6. Click BitLocker Drive Encryption. The BitLocker Drive Encryption window appears.
7. Choose the volume on which you want BitLocker Drive Encryption turned off.
8. Click Turn Off BitLocker Drive Encryption. The "What level of decryption do you want" dialog box appears.
9. Click Disable BitLocker Drive Encryption. BitLocker Drive Encryption is disabled.