User's Manual

9 Trusted Platform Module and BitLocker Support
A Trusted Platform Module (TPM) is a secure microcontroller with cryptographic capabilities designed to provide basic
security-related functions involving encryption keys. It is installed on the motherboard of the system, and communicates
with the rest of the system using a hardware bus. You can establish ownership of the system and its TPM using the BIOS
setup commands.
TPM stores the platform configuration as a set of values in a set of Platform Configuration Registers (PCRs). Thus one
such register may store, for example, the motherboard manufacturer; another, the processor manufacturer; a third, the
firmware version for the platform, and so on. Systems that incorporate a TPM create a key that is tied to platform
measurements. The key can only be unwrapped when those platform measurements have the same values that they had
when the key was created. This process is called sealing the key to the TPM. Decrypting is called unsealing. When a
sealed key is first created, the TPM records a snapshot of configuration values and file hashes. A sealed key is only
unsealed or released when those current system values match the ones in the snapshot. BitLocker uses sealed keys to
detect attacks against the integrity of the system. Data is locked until specific hardware or software conditions are met.
BitLocker mitigates unauthorized data access by combining two major data-protection procedures:
- Encrypting the entire Windows operating system volume on the hard disk: BitLocker encrypts all user files and
  system files in the operating system volume.
- Checking the integrity of early boot components and the boot configuration data: On systems that have a TPM
  version 1.2, BitLocker leverages the enhanced security capabilities of the TPM and ensures that the data is
  accessible only if the boot components of the system are unaltered and the encrypted disk is located in the
  original system.
BitLocker is designed for systems that have a compatible TPM microchip and BIOS. A compatible TPM is defined as a
version 1.2 TPM. A compatible BIOS supports the TPM and the Static Root of Trust Measurement. BitLocker seals the
master encryption key in the TPM and only allows the key to be released when code measurements have not changed
from a previous secure boot. It forces you to provide a recovery key to continue boot if any measurements have
changed. A one-to-many BIOS update scenario results in BitLocker halting the update and requesting a recovery key
before completing boot.
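The sealing behavior described above, including the recovery prompt after a BIOS update, can be seen in a small software simulation. This is an added example, not code from the system vendor or from BitLocker; the SimulatedTPM class, the register count, the PCR indices and the sample measurements are assumptions made for illustration, and the snapshot hash is a simplified stand-in for what a real TPM computes.

```python
import hashlib
import hmac

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest
# Constructed sample measurements: (PCR index, measured bytes); indices are illustrative.
GOOD_BOOT = [(0, b"firmware v1.0"), (4, b"boot manager A")]
UPDATED_BOOT = [(0, b"firmware v1.1"), (4, b"boot manager A")]


class SimulatedTPM:
    """Toy software model of PCRs and seal/unseal; talks to no real hardware."""
    def __init__(self):
        self.pcrs = [bytes(PCR_SIZE)] * 24
        self._sealed = []  # entries: (PCR selection, snapshot digest, secret)

    def extend(self, index, data):
        # A PCR is never set directly: new = SHA1(old || SHA1(data)).
        digest = hashlib.sha1(data).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + digest).digest()

    def power_cycle(self, measurements):
        self.pcrs = [bytes(PCR_SIZE)] * len(self.pcrs)  # reset, then re-measure
        for index, data in measurements:
            self.extend(index, data)

    def _snapshot(self, selection):
        # Simplified stand-in for the TPM's composite hash over selected PCRs.
        return hashlib.sha1(b"".join(self.pcrs[i] for i in selection)).digest()

    def seal(self, secret, selection):
        self._sealed.append((tuple(selection), self._snapshot(selection), secret))
        return len(self._sealed) - 1  # handle to the sealed entry

    def unseal(self, handle):
        selection, snapshot, secret = self._sealed[handle]
        # Release the secret only if the selected PCRs match the snapshot.
        matches = hmac.compare_digest(snapshot, self._snapshot(selection))
        return secret if matches else None


def demo():
    tpm = SimulatedTPM()
    tpm.power_cycle(GOOD_BOOT)
    handle = tpm.seal(b"volume-master-key", (0, 4))
    results = []
    for boot in (GOOD_BOOT, UPDATED_BOOT):  # unchanged boot, then new firmware
        tpm.power_cycle(boot)
        results.append(tpm.unseal(handle) or "recovery key required")
    return results
```

Calling demo() returns the sealed key for the unchanged boot and the recovery outcome for the boot with updated firmware, because a single changed measurement alters the extended PCR value and therefore the snapshot comparison.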
BitLocker protects the data stored on a system through full volume encryption and secure startup. It ensures that data
stored on a system remains encrypted even if the system is tampered with when the operating system is not running and
prevents the operating system from booting and decrypting the drive until you present the BitLocker key.
TPM interacts with BitLocker to provide protection at system startup. TPM must be enabled and activated before it can
be used by BitLocker. If the startup information has changed, BitLocker enters recovery mode, and you need a recovery
password to regain access to the data.
NOTE: For information on how to turn on BitLocker, see the Microsoft TechNet website. For instructions on how to
activate the TPM, see the documentation included with the system. A TPM is not required for BitLocker; however, only
a system with a TPM can provide the additional security of startup system integrity verification. Without a TPM,
BitLocker can be used to encrypt volumes but cannot provide a secure startup.
NOTE: The most secure way to configure BitLocker is on a system with a TPM version 1.2 and a Trusted Computing
Group (TCG) compliant BIOS implementation, with either a startup key or a PIN. These methods provide additional
authentication by requiring either an additional physical key (a USB flash drive with a system-readable key written
to it) or a PIN set by the user.