Users Guide
7 Trusted Platform Module and BitLocker Support
A Trusted Platform Module (TPM) is a secure microcontroller with cryptographic capabilities designed to provide basic security-related functions involving encryption keys. It is installed on the motherboard of the system, and communicates with the rest of the system using a hardware bus. You can establish ownership of the system and its TPM using the BIOS setup commands.
The TPM stores the platform configuration as a set of values in a set of Platform Configuration Registers (PCRs). Thus one such register may store, for example, the motherboard manufacturer; another, the processor manufacturer; a third, the firmware version for the platform, and so on. Systems that incorporate a TPM create a key that is tied to platform measurements. The key can only be unwrapped when those platform measurements have the same values that they had when the key was created. This process is called sealing the key to the TPM; decrypting it again is called unsealing. When a sealed key is first created, the TPM records a snapshot of configuration values and file hashes. A sealed key is only unsealed, or released, when the current system values match the ones in the snapshot. BitLocker uses sealed keys to detect attacks against the integrity of the system: data stays locked until the specified hardware and software conditions are met.
BitLocker mitigates unauthorized data access by combining two major data-protection procedures:
• Encrypting the entire Windows operating system volume on the hard disk: BitLocker encrypts all user files and system files in the operating system volume.
• Checking the integrity of early boot components and the boot configuration data: On systems that have a TPM version 1.2, BitLocker leverages the enhanced security capabilities of the TPM and ensures that the data is accessible only if the boot components of the system are unaltered and the encrypted disk is located in the original system.
BitLocker is designed for systems that have a compatible TPM microchip and BIOS. A compatible TPM is defined as a version 1.2 TPM. A compatible BIOS supports the TPM and the Static Root of Trust for Measurement (SRTM). BitLocker seals the master encryption key in the TPM and only allows the key to be released when code measurements have not changed from a previous secure boot. It forces you to provide a recovery key to continue boot if any measurements have changed. A one-to-many BIOS update scenario therefore results in BitLocker halting the update and requesting a recovery key before completing boot.
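The seal-and-compare behaviour described above, as an added Python model that is not part of this guide or of any TPM or BitLocker implementation. The PCR extend rule follows TPM 1.2 (SHA-1), while the stand-in storage root key, the HMAC-based wrapping and the boot component names are constructed assumptions; it shows why a changed early-boot component such as a BIOS update leaves the key unreleased until recovery.

```python
import hashlib
import hmac
import os

# Simplified model of TPM 1.2 PCR extension and sealing (constructed example). A real
# TPM wraps the sealed blob with its Storage Root Key inside the chip; here an HMAC
# keyed with a stand-in SRK plays that role. Snapshot at seal time, compare at unseal.
PCR_LEN = 20  # TPM 1.2 PCRs hold SHA-1 digests (20 bytes)

def extend(pcr, measurement):
    """PCR extend: new = SHA-1(old || SHA-1(measurement)). One-way and order-dependent."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()

def measure_boot(components):
    """Measure each early-boot component in order, starting from a reset (all-zero) PCR."""
    pcr = bytes(PCR_LEN)
    for component in components:
        pcr = extend(pcr, component)
    return pcr

def composite(pcrs):
    """Digest over the selected PCR values in index order: the snapshot of the platform."""
    return hashlib.sha1(b"".join(pcrs[i] for i in sorted(pcrs))).digest()

def seal(srk, vmk, pcrs):
    """Wrap the volume master key so that it is tied to the current PCR snapshot."""
    snapshot = composite(pcrs)
    stream = hmac.new(srk, b"seal" + snapshot, hashlib.sha256).digest()
    blob = bytes(a ^ b for a, b in zip(vmk, stream))
    return {"snapshot": snapshot, "blob": blob}

def unseal(srk, sealed, pcrs):
    """Release the key only if the current PCRs reproduce the snapshot; None = recovery mode."""
    if not hmac.compare_digest(composite(pcrs), sealed["snapshot"]):
        return None
    stream = hmac.new(srk, b"seal" + sealed["snapshot"], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], stream))

def demo():
    """Seal on a known-good boot, then unseal before and after a constructed BIOS update."""
    srk = b"stand-in storage root key (constructed)"
    vmk = os.urandom(32)  # 32-byte key matches the HMAC-SHA256 keystream length
    good = {0: measure_boot([b"BIOS v1.0", b"option ROMs"]), 4: measure_boot([b"MBR", b"bootmgr"])}
    sealed = seal(srk, vmk, good)
    released = unseal(srk, sealed, good) == vmk  # unchanged boot: key released
    updated = {**good, 0: measure_boot([b"BIOS v1.1", b"option ROMs"])}
    withheld = unseal(srk, sealed, updated) is None  # firmware changed: recovery needed
    return released, withheld
```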
BitLocker protects the data stored on a system through full volume encryption and secure startup. It ensures that data stored on a system remains encrypted even if the system is tampered with when the operating system is not running, and prevents the operating system from booting and decrypting the drive until you present the BitLocker key.
The TPM interacts with BitLocker to provide protection at system startup. The TPM must be enabled and activated before it can be used by BitLocker. If the startup information has changed, BitLocker enters recovery mode, and you need a recovery password to regain access to the data.