I plan to implement BitLocker encryption on my devices, but I wonder how to achieve the highest possible security against offline attacks.
I understood the following:
- I can enable TPM-based protection only, which ensures that the drive is encrypted by a key, which is encrypted by the key in the TPM chip
- I could add a Startup PIN.
Does this key combine with the key stored in the TPM chip? Clearly having this startup PIN is not enough to decrypt the disk? I would assume so, but I'm unsure...
The same would be interesting for smart card authentication. Is there still a second part used from the TPM chip?
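As an added example (not part of the original post), the following PowerShell script audits which key protectors each BitLocker volume actually has, and flags volumes that the TPM alone can unlock, since that is the configuration most exposed to an attacker with physical access to the machine. The background for the check: with a TPM+PIN protector the PIN is not a second disk key by itself; the volume master key stays sealed to the TPM, which will only unseal it when both the boot measurements match and the correct PIN is supplied, so neither the PIN alone nor the TPM alone is enough. Smart card (certificate) protectors apply to data volumes, not to the operating system volume at pre-boot. The script uses only the built-in BitLocker module (`Get-BitLockerVolume`, `Add-BitLockerKeyProtector`, `Remove-BitLockerKeyProtector`); the mount point `C:` and the definition of a "strong" protector set in `$tpmPlusFactor` are assumptions, and the remediation commands in the comments are illustrative rather than something the script runs.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Audits BitLocker key protectors and
# flags volumes that can be unlocked by the TPM alone (no PIN or startup key).
# Requires the built-in BitLocker module (Windows 8 / Server 2012 and later).

Import-Module BitLocker -ErrorAction Stop

# Boot-time protector types that add a second factor on top of the TPM.
# Treating exactly these as "strong" is a policy assumption for this example.
$tpmPlusFactor = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Protector types present on this volume, as plain strings for comparison.
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        $tpmOnly    = $types -contains 'Tpm'
        $withFactor = @($types | Where-Object { $tpmPlusFactor -contains $_ })
        $recovery   = $types -contains 'RecoveryPassword'

        # Flag a protected volume when a bare TPM protector exists and no TPM+factor
        # protector does: the TPM can then release the key without user input.
        $weak = ($vol.ProtectionStatus -eq 'On') -and $tpmOnly -and ($withFactor.Count -eq 0)

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            TpmOnlyUnlock    = $weak
            HasRecoveryPwd   = $recovery
        }
    }
}

$audit = Get-BitLockerProtectorAudit
$audit | Format-Table -AutoSize

foreach ($row in ($audit | Where-Object TpmOnlyUnlock)) {
    $msg = "{0}: unlockable by the TPM alone; add a TPM+PIN protector and remove the TPM-only one." -f $row.MountPoint
    Write-Warning $msg
}

# Remediation outline (run interactively; assumed mount point C:). Group Policy must
# permit a startup PIN ("Require additional authentication at startup") first.
#   $pin = Read-Host 'New startup PIN' -AsSecureString
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
#   (Get-BitLockerVolume 'C:').KeyProtector        # note the KeyProtectorId of the bare 'Tpm' entry
#   Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId '{GUID-of-Tpm-protector}'
# Keep the RecoveryPassword protector and store its 48-digit key somewhere other than the device.
```

Run it from an elevated PowerShell; the table shows every volume with its protector list, and a warning is emitted for any volume where `TpmOnlyUnlock` is true. Re-running after adding the TPM+PIN protector and removing the bare TPM one should clear the warning while `HasRecoveryPwd` stays true.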