10-03-2016 09:49 AM
I have a fresh install of Windows 10 Pro (x64) on my X1 Yoga, installed in UEFI mode.
I wish to encrypt the drive with Bitlocker with TPM and PIN.
Another user on a different thread alluded that this is not possible as the X1 Yoga I have uses a PCIe-NVMe disk, for which there is no hardware support for Bitlocker.
Is this correct or am I confused?
10-03-2016 10:07 AM
I meant you cannot use the AES hardware engine of the NVMe SSD (if a SED like the OPAL2 option) - but you can use software BitLocker just fine. This means the CPU will have to do the crypto instead for some performance penalty depending on your I/O - see CPU utilisation during a benchmark for example.
Also do note that using FDE (full disk encryption) on a SSD is not "great" as the whole disk "looks full" to the SSD - so you may need to over-provision for best performance. You can also use "encrypt only used space" instead. There are pros and cons for each.
10-03-2016 10:18 AM
Your responses have been very helpful, so I'd just like to say I appreciate them. :-)
I want to install BitLocker with the private keys being kept on the TPM and with a prompt on startup for PIN verification.
PIN and TPM.
So I actually did follow this guide:
It seemed to operate as intended: the BitLocker splash screen queried me to enter the PIN on startup. Success! (So I thought)
Just because I was quite paranoid, I wanted to confirm for certain that the TPM was actually being used to store the BitLocker private keys, so with a sledgehammer-to-crack-a-nut approach I cleared all keys stored in the TPM via the BIOS. To my surprise the machine booted up just fine and proceeded to the Windows Desktop Login screen.
I'm really confused by the whole ordeal, doesn't the "TPMAndPIN" option force the private keys to be stored on the TPM? Shouldn't my machine refuse to boot if the TPM Chip has had all the private keys cleared from its memory? Am I not configuring something properly?
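One way to settle the "is the TPM really holding the key?" question without clearing anything is to list the key protectors Windows has registered for the OS volume and the TPM state it reports. The script below is an added example, not code from the thread or from Lenovo/Microsoft; it assumes Windows 10 with the built-in BitLocker and TrustedPlatformModule PowerShell modules and an elevated session, and the function name and the warning texts are my own.

```powershell
# Added example (not from the thread): confirm that the OS volume's BitLocker
# key protectors are TPM+PIN and that Windows sees a ready TPM.
# Assumes Windows 10, an elevated PowerShell session, and the BitLocker and
# TrustedPlatformModule modules that ship with the OS.
#Requires -RunAsAdministrator

function Test-BitLockerTpmPinConfig {
    param(
        [string]$MountPoint = 'C:'
    )

    # TPM state as Windows sees it (applies to a discrete TPM 1.2 or Intel PTT 2.0)
    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # KeyProtectorType values of interest: Tpm, TpmPin, RecoveryPassword
    $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }

    $result = [pscustomobject]@{
        MountPoint        = $MountPoint
        ProtectionStatus  = $vol.ProtectionStatus     # On / Off
        EncryptionMethod  = $vol.EncryptionMethod     # e.g. XtsAes128
        VolumeStatus      = $vol.VolumeStatus         # FullyEncrypted, EncryptionInProgress, ...
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        KeyProtectorTypes = ($types -join ', ')
        HasTpmPin         = ($types -contains 'TpmPin')
        HasTpmOnly        = ($types -contains 'Tpm')
        HasRecoveryPwd    = ($types -contains 'RecoveryPassword')
    }

    # A PIN-less 'Tpm' protector next to 'TpmPin' lets the volume unlock without the PIN.
    if ($result.HasTpmOnly) {
        Write-Warning "A TPM-only protector exists on $MountPoint; the PIN is not actually enforced."
    }
    if (-not $result.HasTpmPin) {
        Write-Warning "No TpmPin protector on $MountPoint; add one with Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector."
    }
    if (-not $result.HasRecoveryPwd) {
        Write-Warning "No recovery password protector; clearing the TPM would leave no way back into $MountPoint."
    }
    if (-not $result.TpmReady) {
        Write-Warning "Windows reports the TPM as not ready; TPM-sealed protectors cannot be used until it is."
    }
    return $result
}

Test-BitLockerTpmPinConfig -MountPoint 'C:' | Format-List
```

If `KeyProtectorTypes` shows `Tpm` as well as `TpmPin`, the machine will boot without a PIN regardless of how the PIN was set up, which is one explanation for a PIN that appears not to be enforced; the same listing is available from `manage-bde -protectors -get C:`. Note that a `TpmPin` protector can only be added when the "Require additional authentication at startup" group policy allows a PIN.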
10-03-2016 10:38 AM
Are you using the dedicated TPM 1.2 or the Intel PTT 2.0?
Can you try the Windows' TPM Admin - Clear TPM? I've never tried the BIOS Clear option so far. I believe the keys should indeed be stored in the TPM.
I did try moving an encrypted SSD around which did invalidate the keys - triggered recovery key.
10-03-2016 10:47 AM - edited 10-03-2016 10:50 AM
Have a read at this StackExchange question "What is the correct way to remove bitlocker secrets from a TPM when returning a device for warranty?" (not sure if allowed to link here but easy to find).
See this answer - bad news:
"I just tested this procedure on Surface Pro 2. What this actually does is "enable, activate, clear, enable, and active the TPM." I suppose the purpose is to clear everything but bitlocker keys. The device behaves exactly the same after clearing as before: Boots to bitlocker PIN prompt, enter prompt, Windows boots, bitlocker is shown as enabled. Clearing the TPM definitely does not clear the system volume bitlocker key from the TPM. "
That is definitely not how I understood that to be working either. If the BIOS does not clear TPM keys either then it's not good at all.
One other thing to try is to switch between 1.2 & 2.0 TPMs while perhaps also clearing both. Perhaps the switching of TPMs manages to kill the keys.
10-03-2016 10:55 AM
Error in previous post: I cleared the TPM keys via the Windows workflow, which I assume reboots the machine into some UEFI software where you are prompted to press "F9" to "clear" the TPM.
Clearing the TPM contents in BIOS DEFINITELY DOES clear the TPM. After doing this I was prompted to enter the recovery passcode, so as I understand it Bitlocker is working correctly.
On an aside the documentation for Bitlocker and use with TPM / PTT is terrible.