Using Bitlocker with TPM

Question

Using Bitlocker with TPM

jelfer 6

I searched a lot but found no answer to these questions...if I encrypt windows 10 with bitlocker and I have TPM activated:

do I need to input the password at boot?
Is the password stored in the TPM?
Is the decryption key stored in the TPM?
what gets stored in the TPM?
Is it safer to use bitlocker with TPM or without it?

0 comments

4 answers

Your answer

Answer 1

MTG 1,261

It works this way:

An attacker who gets his hand on your disk would try to use passwords lists and/or brute forcing. If you use a "good" password (let it be 15 characters long), it would fall in maybe far less than a year depending on the computing powers the attacker has access to.
However, if you use the TPM alone (no PIN), the attacker would have no password (or PIN) to run these brute forcing attacks against. He would have to attack the key itself, which is very very long (no chance for brute forcing).

If you use Bitlocker with TPM+PIN, the situation is almost the same: the attacker can however try to guess your PIN. The PIN by default is at least 6 digits long which does not seem to be safe, but in fact, it is, since there is a limitation to the number of tries: the TPM locks after 32 incorrect attempts - locks for good. With a locked TPM, the attacker would be left with the chance to brute-force the recovery password. The recovery poassword is not set by the user, but by windows and it's long: 48 digits. The chance to brute force this in the next few years (no matter what computing powers the attacker has) are zero.

About conspiracy: there are people that don't trust the TPM technology itself. They say, Intel (makers of the TPM of many models) wants access to the keys in order to sell them to the FBI and such wild ideas.

jelfer 6 Reputation points

2021-08-19T20:39:44.423+00:00
if you use the TPM alone (no PIN), the attacker would have no password (or PIN) to run these brute forcing attacks against.

if i run TMP alone (no pin and no password) isn't the disk and operating system accessible to anyone who has access to it?

My final question:

what is it safer to use?

a strong password (20+ characters) without TMP
or

TPM with PIN (I'd never use PIN though) or medium strong password(10-15 characters)
or

TPM with strong password (20+ charachters)
MTG 1,261 Reputation points

2021-08-20T07:17:24.107+00:00

To compare levels of safety, you would need numbers.

So let's say you set a password with at least 20 characters, possibly using special characters, numbers, capital letters and so on. The number of possibilities is gigantic, so it's safe to say, an attacker would take years, no matter how much computing power he uses, unless your password is on a list of passwords that people frequently use, like Passwordpassword1234! - then it would be found. If not: it's safe.

a TPM with PIN would be very safe is well, but you'd never use that for whatever reason. I strongly recommend to use that, as it is much nicer to enter an 8 digit PIN than a 20+ character password and surely, the PIN method would be at least as safe as the 20+ pw and surely safer than a pw with 10-15 characters.

TPM+password is not allowed. You can only use TPM or password.

Answer 2

MTG 1,261

do I need to input the password at boot?
->That depends what you set. You may choose not to require to enter anything or you may choose to set up a PIN (most secure option)
Is the password stored in the TPM?
-> No. The TPM stores the encryption key, not the PIN. It releases the PIN if you enter the correct PIN (that is, if you chose to setup a PIN in the 1st place)
Is the decryption key stored in the TPM?
->Yes
what gets stored in the TPM?
->The encryption key and some metrics which the TPM uses to decide whether the computer is still in a state of settings that are deemed secure to release the key to
Is it safer to use bitlocker with TPM or without it?
->Unless you believe in conspiracy theories, it's surely safe to use the TPM

jelfer 6 Reputation points

2021-07-15T15:29:54.05+00:00
thanks! but:

How is a PIN safer than a long alphanumeric double case multiple symbols password????

if the TPM (when used) stores the encryption key, where does the encryption key get stored in a setup where the TPM isn't used? Is it safer to use bitlocker with TPM or without it?
->Unless you believe in conspiracy theories, it's surely safe to use the TPM
----> sorry what conspiracy theories (I'm just curious) and can you tell me if using the TPM is SAFER than not using it or not using the TPM is just very safe as long as you have a strong password and don't store the encryption key in an easily reachable place.

Answer 3

Maciej Molski 1

Hey guys, I see you were talking about subject that is on my mind.
I'm wondering: what if I encrypt computer with bitlocker, but don't set PIN to unlock it? Just "unlock upon logon".
How does this work? Let's assume that someone snatched this laptop or PC nad has full access to it. Doesn't have to remove hard drive, has all the time he wants.
Disk is encrypted but without any additional PIN or other forms of authentication. Just user login screen.
So can he somehow get to the data because there is no PIN code?

MTG 1,261 Reputation points

2022-06-07T08:54:26.733+00:00

As said: If you use the TPM alone (no PIN), the attacker would have no password (or PIN) to run brute forcing attacks against. He would have to attack the key itself, which is very very long (48 digits, no chance for brute forcing). And at the logon screen, password hammering is also impossible.
Now you might ask "if that is so secure, why doesn't everybody use it that way?"
The reason is: with TPM alone, the encryption key is loaded to RAM and allows for so-called "cold boot attacks" that attackers could carry out. https://www.youtube.com/watch?v=JDaicPIgn9U explains it.

Answer 4

HI
@jelfer
First of all, you have to know that because TPM is on the motherboard.
There are two scenarios.
First one. Whilst some motherboard don't equip with TPM, the CPU or System support the motherboard to virtually simulate one, then where the simulated TPM is, in partition or Bios? I presume in partition because bios can be cleared when un-plugged
Second one. TPM is originally added on motherboard.

From my point of view, to answer your questions below.

if I encrypt windows 10 with bitlocker and I have TPM activated:

do I need to input the password at boot?

Yes, you need, after you encrypt one partition, you need to save the recovery key. and every time at the beginning of boot, you need to input the password of bitlocker

Is the password stored in the TPM?

TPM stores SRK (storage root key), I think the partition carries one, because When moving one disk with bitlocker from old pc to new pc. it will trigger the recovery mode, if you have the recovery key, you can unlock the recovery mode.

Is the decryption key stored in the TPM?

To decrypt a partition we need the recovery key only. as the case above, we can also decrypt that disk on another PC without that TPM.

what gets stored in the TPM?

TPM stores SRK (storage root key), and PCRs (platform Configuration Registers)

Is it safer to use bitlocker with TPM or without it?

yes it is, but bitlocker only protect offline attact, like you lost your laptop. it can't protect online attack, like download some files with virus.

How is a PIN safer than a long alphanumeric double case multiple symbols password????

Here is my observation. PIN is used to replace your Microsoft password when entering in windows with your Microsoft Account. Local account can set pin blank.
Microsoft Password is used when you do not set PIN or other options to log in. In this Phase the system boot to win logon.
Bitlocker Password is used to boot, it is shown at the beginning of boot, In this Phase the system is just get initiated
For me, I need to input bitlocker password and Account Password too when startup.

if the TPM (when used) stores the encryption key, where does the encryption key get stored in a setup where the TPM isn't used?
As to this question, could you please describe it with exact example?

Hope this can help you
If your need further help, be free reply to me at your convenience.

==============================================================================

If the Answer is helpful, please click "Accept Answer" and upvote it

Share via

Using Bitlocker with TPM

4 answers

Your answer