RESET Forums (homeservershow.com)

Full drive encryption?


scottbakertemp

TPM is part of the BIOS and motherboard (Trusted Platform Module). If your board does not support it, I don't think there will be a workaround. Maybe someone else can chime in.

I noticed that my X68 board has no mention of this in the BIOS, so I'm assuming this is only for server boards. I think there is a way around this with group policy but I haven't gotten it to work.


TPM is definitely not restricted to server boards, but it is true that lots of boards do not support it. And if your board does not support it, no, there is no workaround. TPM requires a hardware module on the motherboard; there is no such thing as software-only TPM.


I'm confused as to how the TPM is helpful. So this thread piqued an interest I had to encrypt my server, laptops... I see that my ThinkPad has a TPM, I know the server doesn't, and I haven't bothered checking the other two computers. So in the following scenario, how does having a TPM help?

Whole house gets robbed. I have the BitLocker USB key with me and it is safe for all computers. The ThinkPad does not have a USB key because it has the TPM. Without the BitLocker USB key, the server and other computers are safe, no way to retrieve the data. But the ThinkPad, having the key stored in the TPM, and them having the whole laptop so they have the TPM, wouldn't that mean they could just boot the ThinkPad, the TPM provides Windows with the BitLocker key and they have full access to the drive contents?

Edited by jeffla

I'm just as confused as you are. I've also found password reset tools online, so I assume they could steal your PC, reset the password and log right in (assuming you don't encrypt the OS drive). I would hope these reset tools don't work for WHS 2011 but who knows.


Well, that's not the way it's supposed to work. Bear with me; I haven't looked at this in quite a while. As I recall, using TPM with BitLocker helps ensure at least a couple of things:

1. The hard drive cannot be used in a system different from the system it was set up in, because BitLocker won't unlock the drive unless it finds the correct TPM.

2. TPM can protect the drive during the bootup process, because it won't let malicious software alter the boot sector of the drive. In other words, someone trying to compromise your system by booting it up using a malicious CD or USB drive will fail because the drive is locked.

 

You could find out more about using TPM by searching Steve Gibson's site grc.com. He has covered TPM during several episodes of Security Now!

 

I, however, do not understand your statement about not needing a USB key for the laptop because it has a TPM. As I recall, you still need the USB key to unlock BitLocker. The difference is that BitLocker will use the TPM to provide enhanced security. I should probably go back and review Steve's podcasts myself.


I found a pretty nice article on BitLocker, with and without TPM. There is a scenario where you don't need a PIN or USB key to authorize the TPM to unlock the drive. Now that I think about it, I believe I thought you needed a USB key because the other method was simply not recommended.

 

So, you could use TPM on the laptop with a USB key (presumably the same key you use for the other systems). Bear in mind, if something happens to the laptop, you will not be able to remove the hard drive and read it on another system... at all. 'Course, neither will anyone else, which is the point after all.

 

Or, you could just use BitLocker on the laptop and not bother with the TPM at all.

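Added example, not from this thread or from any poster: a PowerShell script that shows what the TPM scenario above looks like on the machine itself. A TPM-only protector releases the volume key to any boot whose firmware and boot-loader measurements match the ones recorded when BitLocker was turned on, so a thief who takes the whole laptop boots straight to the Windows logon screen with the disk already unlocked; TPM + PIN makes the TPM refuse to unseal until a PIN is typed before Windows loads, which is why Microsoft documents TPM-only as the lower-assurance option. The script checks for a TPM through WMI, lists the current key protectors with manage-bde.exe (present on Windows 7 Ultimate/Enterprise and later), adds a TPM+PIN protector when only a bare TPM protector exists, removes the TPM-only protector (otherwise the drive still unlocks without the PIN), and makes sure a recovery password exists. Assumptions: the OS volume is C:, an elevated prompt, and English manage-bde output (the regexes match its English labels).

```powershell
# Added example, not from the thread. Assumed: elevated Windows PowerShell,
# OS volume C:, a TPM present, English manage-bde output.

function Get-TpmInfo {
    # Same WMI class the TPM management console uses; returns $null when the
    # firmware reports no TPM.
    Get-WmiObject -Namespace "root\cimv2\Security\MicrosoftTpm" -Class Win32_Tpm -ErrorAction SilentlyContinue
}

function Test-Protector {
    param([string[]]$ProtectorOutput, [string]$Label)
    # manage-bde lists each protector type as a label line such as "TPM:" or
    # "TPM And PIN:". @() makes .Count work even when zero or one line matches
    # (PowerShell 2.0 included).
    return @($ProtectorOutput -match $Label).Count -gt 0
}

function Update-OsVolumeProtectors {
    param([string]$Drive = "C:")   # assumed OS volume

    $tpm = Get-TpmInfo
    if (-not $tpm) {
        Write-Host "No TPM reported by firmware; TPM-based protectors are not available on this board."
        return
    }
    Write-Host ("TPM present: enabled={0} activated={1} owned={2}" -f `
        $tpm.IsEnabled_InitialValue, $tpm.IsActivated_InitialValue, $tpm.IsOwned_InitialValue)

    # What protects the volume key right now?
    $protectors = manage-bde -protectors -get $Drive
    $protectors

    $tpmOnly   = Test-Protector $protectors '^\s*TPM:\s*$'
    $tpmAndPin = Test-Protector $protectors '^\s*TPM And PIN:\s*$'
    $recovery  = Test-Protector $protectors '^\s*Numerical Password:\s*$'

    # TPM-only: the TPM unseals the volume key for any boot whose measurements
    # match, so a stolen laptop boots to the Windows logon screen with the disk
    # already open. TPM + PIN: nothing is unsealed until the PIN is typed
    # before Windows loads.
    if ($tpmOnly -and -not $tpmAndPin) {
        Write-Host "TPM-only protector found; adding TPM+PIN (manage-bde prompts for the PIN)."
        manage-bde -protectors -add $Drive -TPMAndPIN
        # The bare TPM protector still opens the drive without a PIN until it is removed.
        manage-bde -protectors -delete $Drive -Type TPM
    }

    # A recovery password is the TPM-independent way back in if the board or
    # TPM ever fails. manage-bde prints the 48 digits once; store them off-box.
    if (-not $recovery) {
        manage-bde -protectors -add $Drive -RecoveryPassword
    }

    manage-bde -protectors -get $Drive
}

Update-OsVolumeProtectors -Drive "C:"
```

Check the final protector list: the goal state for the laptop in the scenario is "TPM And PIN" plus "Numerical Password", with no bare "TPM" entry left. On Windows 8 and later the same steps are available as Add-BitLockerKeyProtector and Remove-BitLockerKeyProtector in the BitLocker PowerShell module; manage-bde is used here because it also exists on Windows 7.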

Thanks for the great information! I "think" you can't encrypt the OS drive with BitLocker unless you have a TPM. There are group policy settings that sound like they will allow you to bypass that limitation, but they didn't work for me.

http://www.pctips3000.com/how-to-enable-bitlocker-without-tpm-chip-in-windows-7/

 

I have noticed you can do a full drive encryption using ubuntu server during the installation wizard. It does require you to put in the encryption password every time you start the system. So far that's the best option I've come up with.


Ok, that makes sense. Now what happens when you were using the TPM and a USB key? The motherboard fails; how do you retrieve the data on that drive without the TPM, since that motherboard died?

Drive encryption scares me. I want to secure my sensitive data (tax returns...) but fear that I will forever lock myself out. I have been reading quite a bit about BitLocker and see you set up a recovery password. I assume with that recovery password, if my non-TPM-enabled BitLocker drive is removed from a failing computer, I could recover the info... right?

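Added example, not from this thread or from any poster, covering the two open questions above: turning BitLocker on for an OS drive that has no TPM, and getting the data back when the motherboard (and with it the TPM) dies. The first function writes the registry values that the Group Policy setting "Require additional authentication at startup" (with "Allow BitLocker without a compatible TPM" ticked) stores under HKLM\SOFTWARE\Policies\Microsoft\FVE, then turns BitLocker on with a USB startup key and a 48-digit recovery password. The second function unlocks such a drive after it has been moved to another Windows PC: the recovery password (and the recovery-key .BEK file) are protectors independent of any TPM, so they unlock the volume on any machine that has BitLocker, whether or not the original protector was TPM-based. Assumptions: Windows 7 Ultimate/Enterprise or later (Windows 7 Professional has no BitLocker), an elevated prompt, OS volume C:, USB stick E:, the moved drive appearing as D:, and a standalone machine (a domain GPO would overwrite these registry values on the next refresh).

```powershell
# Added example, not from the thread. Assumed: elevated Windows PowerShell on a
# BitLocker-capable edition, OS volume C:, USB stick E:, moved drive D:.

function Enable-BitLockerWithoutTpm {
    param(
        [string]$OsDrive  = "C:",    # assumed OS volume
        [string]$UsbDrive = "E:\"    # assumed USB stick that will hold the .BEK startup key
    )

    # 1. Policy. These are the values the "Require additional authentication at
    #    startup" setting writes: 1 = on/required, 2 = allowed, 0 = not allowed.
    $fve = "HKLM\SOFTWARE\Policies\Microsoft\FVE"
    reg add $fve /v UseAdvancedStartup /t REG_DWORD /d 1 /f | Out-Null
    reg add $fve /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f | Out-Null   # the no-TPM switch
    reg add $fve /v UseTPM             /t REG_DWORD /d 2 /f | Out-Null
    reg add $fve /v UseTPMPIN          /t REG_DWORD /d 2 /f | Out-Null
    reg add $fve /v UseTPMKey          /t REG_DWORD /d 2 /f | Out-Null
    reg add $fve /v UseTPMKeyPIN       /t REG_DWORD /d 2 /f | Out-Null

    # 2. Turn BitLocker on with two protectors: the startup key (a .BEK file
    #    written to the USB stick, required at every boot) and a recovery
    #    password. Without the second one, a lost USB stick means lost data.
    manage-bde -on $OsDrive -StartupKey $UsbDrive -RecoveryPassword

    # 3. Show the protectors; the 48-digit "Numerical Password" is printed here.
    #    Write it down and keep it away from the PC, never on the encrypted volume.
    manage-bde -protectors -get $OsDrive
    Write-Host "Reboot with the USB stick inserted; encryption starts once the hardware test passes."
}

function Unlock-MovedBitLockerDrive {
    param(
        [string]$MovedDrive = "D:"   # assumed letter the old OS drive gets in the rescue PC
    )
    # The TPM (if there was one) stayed on the dead board, so only the
    # TPM-independent protectors are usable here.
    manage-bde -status $MovedDrive
    $rp = Read-Host "Enter the 48-digit recovery password (groups of 6 digits with dashes)"
    manage-bde -unlock $MovedDrive -RecoveryPassword $rp
    # Alternative with the key file instead of the digits:
    #   manage-bde -unlock D: -RecoveryKey E:\<protector-id>.BEK
    manage-bde -status $MovedDrive   # Lock Status should now read Unlocked; data is readable
}

# Usage (run one at a time, as administrator):
#   Enable-BitLockerWithoutTpm -OsDrive "C:" -UsbDrive "E:\"
#   Unlock-MovedBitLockerDrive -MovedDrive "D:"
```

Two practical notes. First, the startup-key setup above needs the USB stick at every boot, which is the trade-off for having no TPM; losing the stick is not fatal only because the recovery password exists, so the password has to be stored somewhere other than the stick and the encrypted drive. Second, the same recovery path applies to the TPM + USB key case asked about above: once the board dies, the TPM protector is gone for good, but "manage-bde -unlock" with the recovery password or the .BEK recovery key file does not involve the TPM at all.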