This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I am new to Bitlocker - I just built a new PC - it has a newer ASUS mb and a extra hardware TPM chip purchased separately. I have three internal drives in the machine. I am curious about a few things.
(I will of course have recovery keys saved and available for below situations - so you can assume they are always available for below questions)
1) if I encrypt all drives, what happens if Windows SOFTWARE fails and I need to reinstall windows? Can I just re-add these encrypted drives to the new Bitlocker enabled Windows install since I have the keys?
2) What happens if the HARDWARE fails (motherboard, drive, TPM chip)?
3) Do I need to encrypt all drives or can I encrypt one or two?
4) What is the functional difference between a system with the hardware TPM chip vs just the software based Bitlocker?
thank you everyone!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 77%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
4) "TPM chips vs software" - you are confusing things. With a TPM chip, the encryption is still software based. The TPM does not encrypt or decrypt. It stores the cryptographic keys and releases them to RAM if certain conditions are met (system is still using the same hardware, same bios, same boot device, same hard drive, same secure boot state).
To use hardware based encryption, you would need to do more steps (which require you to reinstall windows, by the way) and your only benefit would be a slightly better storage performance, not more security.
...continued... (silly limit of 1000 characters!)
So what is the big thing about the TPM requirement? It's this: without a TPM, you would be using a password. Passwords as keys are only considered secure when very long (20 characters and up). Would you like to enter 20 characters (or more) each time the machine starts and later enter a user password as well? i don't think so.
The TPM allows to use Bitlocker passwordless (still, there is a very strong key inside the TPM, which gets only released to RAM when... (see above)).
It would also allow you to use a PIN (only 6 digits), which would still allow strong security because you now have pre-boot authentication setup. Only him who knows the PIN will be allowed to make the TPM release the key.
Even more advantages: a password can not only start the system, but also decrypt it. A PIN cannot. So you may give the PIN to your sister so she can start the computer (but she won't be able to decrypt it).
Obviously, have TPM is better than don’t have, all aspects are advantages.
The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities:
• Hardware root of trust for measurement.
• Key used only when boot measurements are accurate.
More information here:
How Windows uses the TPM - Microsoft 365 Security | Microsoft Learn
https://learn.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm
-------------------------------------------------------------------------------------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks for the reply!
im set with answer 1-3, they helped!!
Number 4 however I still have the initial question...i know the TPM chip isn't necessary, but i have one installed; what im asking is - what is the actual functional differences between having the physical TPM chip vs only having the software based Bitlocker. (pros/cons)
Thanks!
awesome link and info, Thank you!
Do the keys stop working if the TPM hardware (chip) fails? What happens in that case?
Sorry, i didn't quote all content of Microsoft document then let you misunderstand. The complete content you could go to link for check:
for example, a different operating system is booted from a USB device—the operating system volume and user data cannot be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way.
No, your BitLocker recovery key and password don’t depend on TPM. When TPM broken, you even could insert your hard drives into another computer and use recovery key for decrypt or unlock.
If you resolved it using our solution, please click "Accept Answer" on a reply to help other community members find the helpful reply quickly.