
What Authentication Mechanisms Are Available With BitLocker?

I learned that users can enable BitLocker on an operating system drive without a TPM. In this case, how does the authentication process work? What authentication mechanisms are supported by BitLocker? Which one should I choose? Looking forward to your reply. Thanks in advance.

Benjamin Brown

Benjamin

Sure, I’m glad to answer your questions. Pre-boot authentication with BitLocker refers to the process of confirming your identity before entering the system. It is designed to prevent the computer from being maliciously tampered with, which could result in a data leak. The specific implementation mechanisms include TPM, password, USB key, and their combinations. Let's take a look.

BitLocker Authentication Mechanisms

1. TPM only

Using the TPM is the default BitLocker authentication mechanism. In this mode, you can boot your computer as usual as long as you don't perform any action that triggers recovery mode. This process is transparent to users. In other words, if the boot process is normal, you don't need to take any action. However, if your computer is physically lost, the data stored on it will become insecure even if it was encrypted with BitLocker. To address this issue, we need to add an additional authentication factor.

2. Password or USB Startup Key

When turning on BitLocker for the operating system drive without a TPM, we can use either a password or a startup key stored on a USB flash drive for authentication. After following the steps outlined in the post to configure it, we need to input the password or insert the USB flash drive containing the startup key to verify our identity and enter the system. The password may be cracked and the USB drive may be lost. To further increase data security, we need to combine these authentication factors.

3. TPM + USB Startup Key

Compared to TPM-only mode, the encryption key isn't stored solely in the TPM chip; part of it is stored on the USB flash drive. Therefore, the USB drive is required to access the encrypted data.

4. TPM + PIN

In this mode, users must enter a PIN to access encrypted data. This ensures the data is still secure even if the computer is stolen. Furthermore, to prevent brute-force attacks on the PIN, the TPM also provides an anti-hammering protection feature to mitigate this problem.

5. TPM + PIN + USB Startup Key

Under this security configuration, even if both your computer and the USB drive are lost, attackers cannot access your data without the correct PIN. While this mode provides an extremely high level of security, user convenience may be compromised to some extent.

Conclusion

The more factors you apply, the more secure your data will be. However, overly complicated verification settings can interfere with your normal user experience. Therefore, we need to strike a balance between security and usability. Moreover, if you lose your authentication credentials, such as a password or a USB device containing the startup key, the only way to regain access to your data is by using a recovery key.

Choose an authentication mechanism that best suits your needs and use BitLocker to safely protect your data.
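As an added example (not from the original post or from any BitLocker documentation), this PowerShell script reads each volume's key protectors, maps them to the modes listed above, and flags the two weak spots the answer points out: a TPM-only volume, and a volume with no recovery password or recovery key. It assumes the built-in BitLocker module's Get-BitLockerVolume cmdlet on Windows; the Get-BitLockerAuthReport function and the warning text are my own.

```powershell
# Added example (not from the original post): report each BitLocker volume's
# pre-boot authentication mode and flag the weaker setups discussed above.
# Assumes the built-in BitLocker module (Get-BitLockerVolume) in an elevated session.

# KeyProtectorType names mapped to the modes listed in the post.
$ModeByProtector = @{
    Tpm              = 'TPM only'
    TpmPin           = 'TPM + PIN'
    TpmStartupKey    = 'TPM + USB startup key'
    TpmPinStartupKey = 'TPM + PIN + USB startup key'
    Password         = 'Password (no TPM)'
    ExternalKey      = 'USB startup key (no TPM)'
}

# Hypothetical helper: takes protector type names so it can be checked on sample input.
function Get-BitLockerAuthReport {
    param([string[]]$ProtectorTypes, [string]$MountPoint = '(volume)')

    $preboot  = @($ProtectorTypes | Where-Object { $ModeByProtector.ContainsKey($_) })
    $recovery = @($ProtectorTypes | Where-Object { $_ -in 'RecoveryPassword', 'RecoveryKey' })

    $mode = 'none (no pre-boot protector)'
    if ($preboot.Count -gt 0) {
        $mode = ($preboot | ForEach-Object { $ModeByProtector[$_] }) -join ' / '
    }

    # Warnings follow the trade-offs in the answer above.
    $warnings = @()
    if ($preboot -contains 'Tpm') {
        $warnings += 'TPM-only: data is exposed if the device is lost; add a PIN or startup key.'
    }
    if ($recovery.Count -eq 0) {
        $warnings += 'No recovery password/key: a forgotten PIN or lost USB key leaves the data unrecoverable.'
    }

    [pscustomobject]@{ MountPoint = $MountPoint; Mode = $mode; Warnings = $warnings }
}

# Inspect every volume BitLocker knows about on this machine.
foreach ($vol in Get-BitLockerVolume) {
    $types  = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $report = Get-BitLockerAuthReport -ProtectorTypes $types -MountPoint $vol.MountPoint
    '{0}: {1}' -f $report.MountPoint, $report.Mode
    $report.Warnings | ForEach-Object { "  WARNING: $_" }
}
```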
