Owner's Manual
Trusted Platform Module (TPM) and BitLocker Support 57
Trusted Platform Module (TPM) and
BitLocker Support
A TPM is a secure microcontroller with cryptographic capabilities designed to
provide basic security
-related functions involving encryption keys. It is
installed on the motherboard of your system, and communicates with the rest
of the system using a hardware bus. You can establish ownership of your
system and its TPM through BIOS setup commands.
TPM stores the platform configuration as a set of values in a set of
Platform Configuration Registers (PCRs). Thus one such register may store,
for example, the motherboard manufacturer; another, the processor
manufacturer; a third, the firmware version for the platform, and so on.
Systems that incorporate a TPM create a key that is tied to platform
measurements. The key can only be unwrapped when those platform
measurements have the same values that they had when the key was created.
This process is called
"sealing" the key to the TPM. Decrypting it is called
"unsealing". When a sealed key is first created, the TPM records a snapshot of
configuration values and file hashes. A sealed key is only
"unsealed" or
released when those current system values match the ones in the snapshot.
BitLocker™ uses sealed keys to detect attacks against the integrity of your
system. Data will be locked until specific hardware or software conditions
are met.
BitLocker mitigates unauthorized data access by combining two major
data
-protection procedures:
•
Encrypting the entire Windows
®
operating system volume on the hard
disk:
BitLocker encrypts all user files and system files in the operating
system volume.
•
Checking the integrity of early boot components and the boot
configuration data:
On systems that have a TPM version 1.2, BitLocker
leverages the enhanced security capabilities of the TPM and ensures that
your data is accessible only if the system’s boot components are unaltered
and the encrypted disk is located in the original system.