4

I have Windows 10 on a Dell Precision laptop, with BitLocker Drive Encryption set up for my system drive with TPM only. I do not want a 20-number-long PIN, but I want a password (like I had in TrueCrypt, but it doesn't support GUID partitions so I can't use it).

If I set a BIOS password and my computer is stolen and the thief resets somehow the BIOS password, will this get "red flagged" by the TPM and require the Bitlocker key?

Vilican
  • 2,703
  • 8
  • 21
  • 35
Russell
  • 41
  • 1
  • 2

3 Answers

4

Okay, so, after some more searching I solved my problem:

Bitlocker does allow you to use an actual password (but they call it a PIN) - can't be more than 20 characters, but that's still pretty good.

RUN > gpedit.msc Select: Administrative Templates > Windows Components > Bitlocker Drive Encryption > Operating System Drives

Double click "Require additional authentication at startup" > Select ENABLE at the top > Under the "Configure TPM and Startup PIN" drop-down menu, select "Require Startup PIN with TPM" > Click Okay

Double click "Allow Enhanced PINs for Startup" > Select "Enabled" > Click Okay

Run CMD as an Administrator

Enter: manage-bde -protectors -add C: -tp

*Change C: to whatever drive letter your system drive is

Now enter the password you want; it can be letters, numbers, symbols, uppercase, lowercase, etc., 20 characters max.

This worked for me and now I'm happy to be secured behind a 20 character actual password and not just 20 numbers.

This data should really be more available from Windows to make it more user-friendly, so hopefully this helps you.

clownfish
  • 83
  • 8
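As an added example (not part of clownfish's answer), the following PowerShell script does the same thing with the BitLocker module that ships with Windows 10: it checks that the two Group Policy settings from the steps above are actually in effect, reads the PIN without echoing it, enforces the 20-character limit, and adds the TPM+PIN protector with Add-BitLockerKeyProtector, the cmdlet equivalent of `manage-bde -protectors -add C: -tp`. The registry value names under the FVE policy key are assumed to be the ones gpedit writes for those two settings; run it from an elevated prompt.

```powershell
# Added example, not code from the answer above. Requires Windows 10 with the
# BitLocker PowerShell module and an Administrator prompt.
# Assumption: gpedit stores "Require additional authentication at startup"
# (with "Require startup PIN with TPM") as UseAdvancedStartup=1 / UseTPMPIN=1
# and "Allow enhanced PINs for startup" as UseEnhancedPin=1 under this key.

$MountPoint = 'C:'   # change to your system drive letter
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-BitLockerPinPolicy {
    # True only when both policies from the answer are present and enabled.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $p = Get-ItemProperty -Path $PolicyKey
    return ($p.UseAdvancedStartup -eq 1) -and
           ($p.UseTPMPIN -eq 1) -and
           ($p.UseEnhancedPin -eq 1)
}

function Test-EnhancedPinLength {
    param([securestring]$Pin)
    # Enhanced PINs may contain letters, digits and symbols, but BitLocker
    # caps them at 20 characters. SecureString exposes Length without
    # revealing the contents, so the PIN never has to be in plain text here.
    return ($Pin.Length -gt 0) -and ($Pin.Length -le 20)
}

function Add-TpmPinProtector {
    param([string]$Drive, [securestring]$Pin)
    # Equivalent of "manage-bde -protectors -add C: -tp".
    $vol = Get-BitLockerVolume -MountPoint $Drive
    if ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin') {
        Write-Warning "A TPM+PIN protector already exists on $Drive; nothing added."
        return $vol
    }
    Add-BitLockerKeyProtector -MountPoint $Drive -TpmAndPinProtector -Pin $Pin
}

if (-not (Test-BitLockerPinPolicy)) {
    throw "Enable the two Group Policy settings from the steps above first (then run gpupdate /force)."
}

$pin = Read-Host -Prompt 'Startup PIN (max 20 characters)' -AsSecureString
if (-not (Test-EnhancedPinLength $pin)) {
    throw 'PIN must be between 1 and 20 characters.'
}

Add-TpmPinProtector -Drive $MountPoint -Pin $pin | Out-Null

# Confirm the volume now lists a TpmPin protector next to the recovery password.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId -AutoSize
```

Keep the recovery password printed by Get-BitLockerVolume somewhere safe before rebooting: if the PIN is mistyped or the TPM measurements change, that 48-digit key is the only other way back into the volume.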
2

The point is that with Bitlocker you don't have to enter a PIN when you have TPM, because the TPM does it for you.

So, if someone were to steal your laptop and just open it, no BitLocker password is required, and the only thing between you and your data is that weak, useless Windows account password.

However, if someone does alter your PC's hardware, or bootloader, or takes the disk out to put it in another PC, the TPM will indeed see it, and a Bitlocker key is required.

Because the TPM makes a kind of 'hash' of all your hardware and firmware identifiers, if in this case the firmware (password) is altered, the hash won't be the same, and the TPM would spot an issue.

O'Niel
  • 2,740
  • 3
  • 17
  • 28
0

A firmware password has no effect on the TPM. If you desolder the TPM chip and fake the entire boot process to extend its PCRs to the legitimate values it would have seen in the original system, it'll release its secrets.

If you want protection you need to use something that is enforced by the TPM itself and not the system firmware.

André Borie
  • 12,706
  • 3
  • 39
  • 76
  • Could you please give more information on how someone might bypass the tpm on a system like this? – clownfish Jan 25 '17 at 11:29
  • 1 Are you sure anyone has successfully faked the preboot measurements to trick the TPM to release the keys? – fjch1997 Jul 07 '19 at 03:44
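The two answers above both turn on the same mechanism: the TPM does not store a hash of "the hardware", it holds Platform Configuration Registers that each boot stage extends with its measurement, and BitLocker seals the volume key to the expected register value. The following PowerShell script is an added illustration (not code from any of the answers) that simulates the extend chain with SHA-256 and shows why a changed or reordered boot component stops the key from being released, while an identical chain reproduces the register exactly. The component names and their measurement strings are constructed for the demonstration.

```powershell
# Added example, not from the answers above: a toy model of TPM PCR extend
# and sealing. Real TPMs measure binary hashes of firmware, boot manager and
# OS loader into several PCRs; the strings below are constructed stand-ins.

function Get-Sha256 {
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { return $sha.ComputeHash($Bytes) } finally { $sha.Dispose() }
}

function Invoke-PcrExtend {
    param([byte[]]$Pcr, [byte[]]$Digest)
    # TPM2_PCR_Extend semantics: newPCR = H(oldPCR || digest).
    # The register can only be extended, never written directly, so the
    # final value encodes every measurement and the order they arrived in.
    return Get-Sha256 -Bytes ([byte[]]($Pcr + $Digest))
}

function Measure-Boot {
    param([string[]]$Components)
    # A PCR starts as 32 zero bytes at reset; each stage is measured into it
    # before that stage runs. Returns the final register value as hex.
    $pcr = [byte[]]::new(32)
    foreach ($c in $Components) {
        $digest = Get-Sha256 -Bytes ([Text.Encoding]::UTF8.GetBytes($c))
        $pcr = Invoke-PcrExtend -Pcr $pcr -Digest $digest
    }
    return ($pcr | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-Unseal {
    param([string]$SealedPcr, [string[]]$BootComponents)
    # BitLocker's VMK is sealed against the PCR value seen when protection was
    # turned on. The TPM releases it only if the current boot reproduces that
    # value bit for bit; otherwise the recovery key is the only way in.
    return (Measure-Boot -Components $BootComponents) -eq $SealedPcr
}

# Constructed "known good" boot chain the key was sealed on.
$good = @('firmware:v1.2.3', 'secureboot:enabled', 'bootmgr:ok', 'winload:ok')
$sealedTo = Measure-Boot -Components $good

Write-Output ("sealed PCR:            " + $sealedTo)
Write-Output ("same chain unseals:    " + (Test-Unseal -SealedPcr $sealedTo -BootComponents $good))

# One altered component (a different boot manager image) yields another PCR.
$tampered = @('firmware:v1.2.3', 'secureboot:enabled', 'bootmgr:modified', 'winload:ok')
Write-Output ("altered chain unseals: " + (Test-Unseal -SealedPcr $sealedTo -BootComponents $tampered))

# Extend is not commutative: the same components in another order also fail.
$reordered = @('secureboot:enabled', 'firmware:v1.2.3', 'bootmgr:ok', 'winload:ok')
Write-Output ("reordered chain unseals: " + (Test-Unseal -SealedPcr $sealedTo -BootComponents $reordered))
```

Which real-world changes land in the register depends on the PCR profile BitLocker is configured to use (`manage-bde -protectors -get C:` prints it as the "PCR Validation Profile"); a firmware setting such as a BIOS password only matters if a PCR that captures firmware configuration is part of that profile, which is the point of disagreement between the answers above.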