a few bitlocker real world questions

D J 21 Reputation points
2021-04-24T00:28:34.087+00:00

I am new to Bitlocker - I just built a new PC - it has a newer ASUS mb and a extra hardware TPM chip purchased separately. I have three internal drives in the machine. I am curious about a few things.

(I will of course have recovery keys saved and available for below situations - so you can assume they are always available for below questions)

1) if I encrypt all drives, what happens if Windows SOFTWARE fails and I need to reinstall windows? Can I just re-add these encrypted drives to the new Bitlocker enabled Windows install since I have the keys?

2) What happens if the HARDWARE fails (motherboard, drive, TPM chip)?

3) Do I need to encrypt all drives or can I encrypt one or two?

4) What is the functional difference between a system with the hardware TPM chip vs just the software based Bitlocker?

thank you everyone!

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,135 questions
{count} votes

Accepted answer
  1. Teemo Tang 11,021 Reputation points
    2021-04-26T02:39:52.54+00:00

    Obviously, have TPM is better than don’t have, all aspects are advantages.
    The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities:
    • Hardware root of trust for measurement.
    • Key used only when boot measurements are accurate.

    More information here:
    How Windows uses the TPM - Microsoft 365 Security | Microsoft Learn
    https://learn.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm

    -------------------------------------------------------------------------------------

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    No comments

4 additional answers

Sort by: Most helpful
  1. Pavel Yannara Mirochnitchenko 6,911 Reputation points
    2021-04-24T06:39:17.267+00:00
    1. You don't need to re-encrypt other drives, but make first sure you have all recovery keys saved. If you use MS live account with Windows 10, recovery keys should be escrowed there.
    2. You will need to provide recovery key or delete partitions during new Windows setup.
    3. You can select (I assume you are a home user)
    4. TPM is not absolutelly required, you can use Password for Bitlocker if you don't have TPM hardware. This feature was introduced in Windows 8.
    No comments

  2. D J 21 Reputation points
    2021-04-25T23:09:45.427+00:00

    Thanks for the reply!

    im set with answer 1-3, they helped!!

    Number 4 however I still have the initial question...i know the TPM chip isn't necessary, but i have one installed; what im asking is - what is the actual functional differences between having the physical TPM chip vs only having the software based Bitlocker. (pros/cons)

    Thanks!

    No comments

  3. D J 21 Reputation points
    2021-04-26T02:45:34.227+00:00

    awesome link and info, Thank you!

    Do the keys stop working if the TPM hardware (chip) fails? What happens in that case?


  4. Teemo Tang 11,021 Reputation points
    2021-04-26T02:49:18.837+00:00

    No, your BitLocker recovery key and password don’t depend on TPM. When TPM broken, you even could insert your hard drives into another computer and use recovery key for decrypt or unlock.