Users Guide

ManualsBrandsDell ManualsActive System ManagerUpdate Packages Version 19.01.00

Trusted Platform Module and BitLocker Support

A Trusted Platform Module (TPM) is a secure microcontroller with cryptographic capabilities designed to provide basic security‑related

functions involving encryption keys. It is installed on the motherboard of the system, and communicates with the rest of the system using a

hardware bus. You can establish ownership of the system and its TPM using the BIOS setup commands.

TPM stores the platform conguration as a set of values in a set of Platform Conguration Registers (PCRs). Thus one such register may

store, for example, the motherboard manufacturer; another, the processor manufacturer; a third, the rmware version for the platform, and

so on. Systems that incorporate a TPM create a key that is tied to platform measurements. The key can only be unwrapped when those

platform measurements have the same values that they had when the key was created. This process is called sealing the key to the TPM.

Decrypting is called unsealing. When a sealed key is rst created, the TPM records a snapshot of conguration values and le hashes. A

sealed key is only unsealed or released when those current system values match the ones in the snapshot. BitLocker uses sealed keys to

detect attacks against the integrity of the system. Data is locked until specic hardware or software conditions are met.

BitLocker mitigates unauthorized data access by combining two major data‑protection procedures:

• Encrypting the entire Windows operating system volume on the hard disk: BitLocker encrypts all user les and system les in the

operating system volume.

• Checking the integrity of early boot components and the boot conguration data: On systems that have a TPM version 1.2,

BitLocker leverages the enhanced security capabilities of the TPM and ensures that the data is accessible only if the boot components

of the system are unaltered and the encrypted disk is located in the original system.

BitLocker is designed for systems that have a compatible TPM microchip and BIOS. A compatible TPM is dened as a version 1.2 TPM. A

compatible BIOS supports the TPM and the Static root of Trust Measurement. BitLocker seals the master encryption key in the TPM and

only allows the key to be released when code measurements have not changed from a previous secure boot. It forces you to provide a

recovery key to continue boot if any measurements have changed. A one‑to‑many BIOS update scenario results in BitLocker halting the

update and requesting a recovery key before completing boot.

BitLocker protects the data stored on a system through full volume encryption and secure startup. It ensures that data stored on a system

remains encrypted even if the system is tampered with when the operating system is not running and prevents the operating system from

booting and decrypting the drive until you present the BitLocker key.

TPM interacts with BitLocker to provide protection at system startup. TPM must be enabled and activated before it can be used by

BitLocker. If the startup information has changed, BitLocker enters recovery mode, and you need a recovery password to regain access to

the data.

NOTE

: For information on how to turn on BitLocker, see the Microsoft TechNet website. For instructions on how to activate

TPM , see the documentation included with the system. A TPM is not required for BitLocker; however, only a system with a TPM

can provide the additional security of startup system integrity verication. Without TPM, BitLocker can be used to encrypt

volumes but not a secure startup.

NOTE: The most secure way to congure BitLocker is on a system with a TPM version 1.2 and a Trusted Computing Group

(TCG) compliant BIOS implementation, with either a startup key or a PIN. These methods provide additional authentication by

requiring either an additional physical key (a USB ash drive with a system‑readable key written to it) or a PIN set by the user.

NOTE: For mass BIOS updates, create a script that disables BitLocker, installs the update, reboots the system and then

re‑enables BitLocker. For one‑to‑one Dell Update Package (DUP) deployments, manually disable BitLocker and then re‑enable it

after rebooting the system.

NOTE: In addition to BIOS DUP, execution of rmware DUP for U320, Serial Attached SCSI (SAS) 5, SAS 6, Expandable RAID

Controller (PERC) 5, PERC 6, and Cost Eective RAID Controller (CERC) 6 controllers is blocked on a system having a TPM

version 1.2 chip, TPM Security set at

ON with pre

‑

boot measurement,

and TPM Activation set at

Enabled

if you enable BitLocker

(TPM or TPM with USB or TPM with PIN).

36 Trusted Platform Module and BitLocker Support