0 Votes
jelfer-3369 asked MTG-3890 edited

Bitlocker with & without TPM - What's the Difference?

What does the TPM do (what are its functions) when you encrypt the system drive with Bitlocker?

And what is the difference if I encrypt the system drive without the TPM?

windows-10-security

0 Votes
Reza-Ameri answered jelfer-3369 commented

TPM is a chipset inside the motherboard of your system. When you have this hardware in your device and you attempt to encrypt the hard disk, it will store the key inside the TPM. So next time you boot into your system, it will read the key from the TPM, and even if someone takes away your hard disk, they won't be able to access the key because it is secure inside the TPM.
When you don't have a TPM, whenever you want to boot your system, it will ask for the key, or it should be authenticated through the server.

So Windows stores the decryption key inside the TPM? Does that mean that by using TPM and BitLocker, when you boot Windows it won't ask for a password but will just decrypt the system since the key is stored in the TPM? Sorry, I'm confused....

0 Votes
0 Votes
Castorix31 answered jelfer-3369 commented

The text is very technical; I cannot understand it. If someone could simply explain the practical difference in using BitLocker with and without TPM, that would be enough!

0 Votes
0 Votes
TeemoTang-MSFT answered jelfer-3369 edited

TPM (Trusted Platform Module) is a chip on your computer’s motherboard.
The TPM provides an extra layer of security by storing passwords and keys in a secure form.
TPM with BitLocker provides more security.

You can enable BitLocker on an operating system drive without a TPM:
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq#can-i-use-bitlocker-on-an-operating-system-drive-without-a-tpm


If the Answer is helpful, please click "Accept Answer" and upvote it.
Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

"The TPM provides an extra layer of security by storing passwords and keys in a secure form.
TPM with BitLocker provides more security."

So when you encrypt Windows with BitLocker and TPM is on, Windows will store the BitLocker password and decryption key inside the TPM? Does that mean that when you boot Windows the user doesn't have to input the BitLocker password to decrypt the system? It sounds confusing and certainly not safe :/

0 Votes
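Added illustration, not part of any answer or comment in this thread: a toy Python model of the two key-protector styles the answers above describe, written to address the "doesn't it ask for a password, and isn't that unsafe?" question raised in the two comments. Names such as ToyTPM, seal/unseal, the boot "measurements" and the salt are constructed, and the real BitLocker and TPM implementations differ in detail. The property the model shows is the real one: with a TPM the volume master key (VMK) is released only when the measured boot chain matches what it was sealed against, so no secret is typed at boot, and a disk pulled out of the machine or booted through a modified bootloader gets nothing; without a TPM the VMK is wrapped by a password-derived key, so the password's strength is the entire defence.

```python
import hashlib
import hmac
import secrets

# Toy model added for illustration; NOT BitLocker's real code or key hierarchy.
# ToyTPM, seal/unseal and the boot "measurements" are constructed names. The idea
# it mirrors: the volume master key (VMK) is never stored in the clear. With a TPM
# it is sealed to the boot measurements the TPM recorded (PCRs); without a TPM it
# is wrapped with a key derived from the user's password.


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-derived keystream (same call decrypts)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ToyTPM:
    """A root secret that never leaves the chip, plus measurement registers (PCRs)."""

    def __init__(self):
        self._root_key = secrets.token_bytes(32)          # never exported
        self.pcrs = {i: b"\x00" * 32 for i in range(8)}   # all-zero at power-on

    def extend(self, index: int, measurement: bytes) -> None:
        """Record a boot component: PCR[i] = SHA256(PCR[i] || measurement)."""
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + measurement).digest()

    def _policy_key(self, indexes) -> bytes:
        digest = hashlib.sha256(b"".join(self.pcrs[i] for i in indexes)).digest()
        return hmac.new(self._root_key, digest, hashlib.sha256).digest()

    def seal(self, data: bytes, indexes) -> dict:
        """Encrypt data under a key bound to this chip AND the current PCR values."""
        key = self._policy_key(indexes)
        ciphertext = _keystream_xor(key, data)
        tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
        return {"indexes": tuple(indexes), "ciphertext": ciphertext, "tag": tag}

    def unseal(self, blob: dict):
        """Return the data only if this chip's current PCRs reproduce the sealing key."""
        key = self._policy_key(blob["indexes"])
        tag = hmac.new(key, blob["ciphertext"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            return None
        return _keystream_xor(key, blob["ciphertext"])


def password_protect(vmk: bytes, password: str, salt: bytes) -> dict:
    """No-TPM protector: wrap the VMK with a password-derived key."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "ciphertext": _keystream_xor(key, vmk)}


def password_unwrap(blob: dict, password: str) -> bytes:
    """Holding the disk plus the password (or a correct guess) yields the VMK."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), blob["salt"], 100_000)
    return _keystream_xor(key, blob["ciphertext"])


BOOT_CHAIN = [b"firmware-v1", b"bootloader-v1", b"bootmgr-v1"]  # constructed measurements


def demo() -> dict:
    """Run the scenarios and report, per scenario, whether the VMK was obtained."""
    vmk = secrets.token_bytes(32)
    tpm = ToyTPM()
    for i, component in enumerate(BOOT_CHAIN):
        tpm.extend(i, component)
    sealed = tpm.seal(vmk, [0, 1, 2])
    results = {}
    # Normal boot on the same machine: measurements match, VMK released, nothing typed.
    results["normal_boot"] = tpm.unseal(sealed) == vmk
    # Boot chain modified (a different bootloader was measured): the TPM refuses.
    tpm.extend(1, b"other-bootloader")
    results["tampered_boot"] = tpm.unseal(sealed) == vmk
    # Disk moved to another machine: a different chip has a different root key.
    other_tpm = ToyTPM()
    for i, component in enumerate(BOOT_CHAIN):
        other_tpm.extend(i, component)
    results["moved_disk"] = other_tpm.unseal(sealed) == vmk
    # No TPM: the VMK is exactly as strong as the wrapping password.
    blob = password_protect(vmk, "correct horse", b"constructed-salt")
    results["right_password"] = password_unwrap(blob, "correct horse") == vmk
    results["wrong_password"] = password_unwrap(blob, "wrong guess") == vmk
    return results
```

Running `demo()` returns True only for `normal_boot` and `right_password`. That is the practical difference asked about: TPM-only mode is "no password at boot" because the machine's own measured boot chain is the credential, and the TPM+PIN mode mentioned in a later answer simply adds a second factor on top of the same sealing; password-only mode has no chip to refuse, so everything rests on the password.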
0 Votes
KapilArya answered

Hello,

Usually a PIN is considered more secure than a traditional password because it is backed by the TPM, a system hardware chip.

So if you enable BitLocker with TPM, you can use a PIN to unlock your BitLocker drive, which provides more security.

BitLocker can be enabled without TPM, as we all know, but in that case you won't be able to use a PIN to unlock the encrypted drive. You have to use a password then.

Hope this answers your query!

0 Votes
MTG-3890 answered MTG-3890 edited

The worst thing about not having a TPM has not been mentioned yet: the encryption password can be attacked by brute force.

Since most people will not like to use passwords with 20 characters or more, there's a chance that brute force will succeed in time.
With a TPM, brute-forcing would mean removing the disk from its computer housing and attempting to find the correct recovery key, which is a 48-digit number. Happy brute-forcing!

Can you explain why without TPM the password can be brute-forced while with TPM it can't?

0 Votes

"Why without TPM the password can be brute-forced while with TPM it can't?" - I have explained it in the comment. Please tell me what you don't understand and I will explain again.
The recovery key is too long to brute-force, while passwords (due to human nature) are usually chosen short (6-15 characters), which can be brute-forced relatively easily with today's computing power (say within 1 year).

0 Votes
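Added worked example, not from the thread, putting numbers on the comparison the last answer makes between a short human password and the 48-digit recovery password. The recovery-password layout checked below (8 groups of 6 digits, each group a multiple of 11 and below 720896, so that each group encodes one 16-bit value and the whole key carries 128 bits) is BitLocker's known format; the sample key, the password lengths and the guess rate are constructed assumptions for the estimate.

```python
import math

# Added example, not from the thread. The 48-digit recovery-password layout used
# below (8 groups of 6 digits, each group a multiple of 11 and below 720896 so it
# encodes one 16-bit value) is BitLocker's known format; the sample key and the
# guess rate are constructed for the estimate.

EXAMPLE_RECOVERY_PASSWORD = "000011-000022-135795-720885-440000-000055-010989-366663"  # constructed

CHARSETS = {"digits": 10, "lowercase": 26, "mixed case + digits": 62, "printable ASCII": 95}


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a password chosen uniformly from alphabet_size**length candidates."""
    return length * math.log2(alphabet_size)


def is_valid_recovery_password(key: str) -> bool:
    """Check the 8x6-digit layout and the multiple-of-11 rule for each group."""
    groups = key.split("-")
    if len(groups) != 8:
        return False
    for g in groups:
        if len(g) != 6 or not g.isdigit():
            return False
        value = int(g)
        if value % 11 != 0 or value >= 11 * 65536:
            return False
    return True


def recovery_password_bits(key: str) -> float:
    """Entropy of a valid recovery password: each of the 8 groups carries one 16-bit word."""
    if not is_valid_recovery_password(key):
        raise ValueError("not a well-formed BitLocker recovery password")
    return 8 * math.log2(65536)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at the given rate (the attacker's worst case)."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare(guesses_per_second: float = 1e10) -> dict:
    """Years to exhaust short human passwords versus the recovery password at one rate."""
    table = {}
    for length in (6, 8, 10, 15):
        for name, size in CHARSETS.items():
            bits = password_bits(length, size)
            table[f"{length}-char {name}"] = (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
    bits = recovery_password_bits(EXAMPLE_RECOVERY_PASSWORD)
    table["48-digit recovery password"] = (bits, years_to_exhaust(bits, guesses_per_second))
    return table


if __name__ == "__main__":
    for label, (bits, years) in compare().items():
        print(f"{label:32s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
```

The 1e10 guesses per second is a constructed rate and deliberately generous; BitLocker stretches a password through a large number of hash iterations, so real rates against the password protector are far lower. The absolute years are therefore not the point: an 8-character mixed-case-and-digits password is about 48 bits, a 15-character one about 89 bits, and the recovery password is 128 bits, an 80-bit gap over the typical password, which is why the comment says a human-chosen password is the attackable part and the recovery key is not.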