
I plan to implement BitLocker encryption on my devices, but I wonder how to achieve the highest possible security against offline attacks.

I understood the following:

  • I can enable TPM based protection only, which ensures that the drive is encrypted by a key, which is encrypted by the key in the TPM chip
  • I could add a Startup PIN.

Does this key combine with the key stored in the TPM chip? Clearly having this startup PIN is not enough to decrypt the disk? I would assume so, but I'm unsure...

The same would be interesting for smartcard-authentication. Is there still a second part used from the TPM chip?

Anders
Jessi

1 Answer


In all cases where multiple components are used for BitLocker, there is the possibility of them all being required, and this tends to be the default. This means that combinations of TPM and PIN or TPM and physical key contribute to the composite key used to protect the drive encryption key.

Therefore, unless you specified otherwise (there is a possibility of having just the TPM while domain joined, and TPM+PIN if disconnected), you would need either both the TPM and the PIN, or the full recovery key, to be able to decrypt the drive. Each of these allows for the decryption of the drive encryption key, which is then used to decrypt the actual data on the drive.

Matthew
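As an added example that is not part of the question or of the answer above, the following PowerShell (BitLocker module cmdlets in an elevated session on Windows 10/11) shows the point of the answer in practice: it lists the key protectors on the OS volume so you can see which protector types wrap the volume master key, moves a TPM-only volume to a TPM+PIN protector, and keeps a recovery password as the separate fallback path. The mount point `C:`, the assumption that Group Policy ("Require additional authentication at startup") already allows a TPM PIN, and the final verification rules are this example's own assumptions, not anything stated in the answer.

```powershell
# Added example, not code from the original post. Run elevated; requires the
# BitLocker PowerShell module (Windows 10/11). Assumptions: the OS volume is C:
# and the "Require additional authentication at startup" policy allows or
# requires a TPM PIN, otherwise Add-BitLockerKeyProtector rejects -TpmAndPinProtector.
#Requires -RunAsAdministrator
$MountPoint = 'C:'

function Show-KeyProtectors {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Host ("Volume {0}: status={1}, protection={2}" -f `
        $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus)
    foreach ($kp in $vol.KeyProtector) {
        # KeyProtectorType shows how the volume master key is wrapped on disk:
        # Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey, RecoveryPassword,
        # ExternalKey (startup key / recovery key file) or Password.
        Write-Host ("  {0,-18} {1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId)
    }
    return $vol.KeyProtector
}

function Assert-TpmReady {
    # A TPM-based protector cannot be created if the TPM is absent or not provisioned.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM is not present or not ready; cannot create a TPM+PIN protector."
    }
}

function Set-TpmPinProtector {
    param(
        [string]$MountPoint,
        [System.Security.SecureString]$Pin
    )
    $before = Get-BitLockerVolume -MountPoint $MountPoint

    # Keep a recovery password as the independent unlock path. It is a separate
    # protector: it unwraps the volume master key without the TPM or the PIN.
    if (-not ($before.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    # The composite protector: the volume master key is sealed to the TPM and
    # the TPM only releases it when the PIN is entered at boot (and the
    # measured-boot PCR values match). The PIN alone is not a decryption key.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    # A volume carries a single TPM-class protector. If a TPM-only protector is
    # still listed after the change, remove it so there is no PIN-less path left.
    $after = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in ($after.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }

    # Verification rules (this example's own policy): exactly one TpmPin
    # protector, no TPM-only protector, at least one recovery password.
    $final = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector
    $tpmPin  = @($final | Where-Object KeyProtectorType -eq 'TpmPin').Count
    $tpmOnly = @($final | Where-Object KeyProtectorType -eq 'Tpm').Count
    $recov   = @($final | Where-Object KeyProtectorType -eq 'RecoveryPassword').Count
    if ($tpmPin -ne 1 -or $tpmOnly -ne 0 -or $recov -lt 1) {
        throw "Unexpected protector set: TpmPin=$tpmPin Tpm=$tpmOnly RecoveryPassword=$recov"
    }
    # Escrow the recovery password somewhere other than the device, e.g.
    # Backup-BitLockerKeyProtector (AD DS) or BackupToAAD-BitLockerKeyProtector (Entra ID).
    return $final
}

Assert-TpmReady
Show-KeyProtectors -MountPoint $MountPoint | Out-Null
$pin = Read-Host -Prompt 'Enter the new startup PIN' -AsSecureString
Set-TpmPinProtector -MountPoint $MountPoint -Pin $pin | Out-Null
Show-KeyProtectors -MountPoint $MountPoint | Out-Null
```

Reboot once after the change and confirm the PIN prompt appears before Windows loads; if it does not, the policy is not allowing the PIN and the TPM-only protector is still in effect. The recovery password printed by `(Get-BitLockerVolume -MountPoint C:).KeyProtector` is the one path that bypasses both the TPM and the PIN, so it should be stored off the device and treated with the same care as the PIN.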