Applies to: Windows Vista

Learn more about BitLocker Drive Encryption

Windows BitLocker Drive Encryption is a new security feature in this version of the Windows operating system that protects data and operating system files stored on the Windows operating system volume of your computer. BitLocker guards this data against tampering with the computer's critical startup process: it is designed to use Trusted Platform Module (TPM) security hardware to bind the volume's key to measurements of the early boot components, so that the volume is unlocked only if those components are unchanged. Encrypting the entire Windows volume with BitLocker can help protect your data from unauthorized viewing even against physical attacks, such as theft of the computer or removal of the hard disk.

BitLocker offers the most seamless end-user experience with systems that have compatible TPM security hardware and BIOS. To be compatible with BitLocker, computer manufacturers must follow standards defined by the Trusted Computing Group (TCG). For more information about the TCG, visit the Trusted Computing Group Web site (http://go.microsoft.com/fwlink/?LinkId=67440).


By default, the BitLocker setup wizard, which is started from Control Panel, enables BitLocker on computers with a compatible TPM. Other BitLocker features and options can be enabled by using Group Policy. BitLocker features can also be accessed by using a script.

On computers with a compatible TPM, BitLocker can be used in three ways:

  • TPM-only. This is transparent to the user, and the user logon experience is unchanged. If the TPM is missing or changed, or if the TPM detects changes to critical operating system startup files, BitLocker enters its recovery mode, and you need a recovery password to regain access to the data.

  • TPM with startup key. In addition to the protection provided by the TPM, a part of the encryption key is stored on a USB flash drive. This is referred to as a startup key. Data on the encrypted volume cannot be accessed without the startup key.

  • TPM with PIN. In addition to the protection provided by the TPM, BitLocker requires a PIN to be entered by the user. Data on the encrypted volume cannot be accessed without entering the PIN.

Without a TPM, BitLocker operates differently:

  • Startup key only. All of the required encryption key information is stored on a USB flash drive. The user must insert the USB flash drive into the computer during startup. The key stored on the flash drive unlocks the computer.

    Important:

    When the computer does not have a TPM, all of the information required to read the encrypted volume is included in the startup key, and BitLocker cannot verify that the startup files have not been modified: anyone who obtains both the disk and the USB flash drive can read the data. Using a TPM enhances security by protecting against attacks made against the computer's critical startup process.
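The script below is an added example, not code from the original page or from Microsoft. It illustrates the scripting access mentioned earlier and the four modes listed above: it enumerates the key protectors on every volume through the Win32_EncryptableVolume WMI class that BitLocker exposes, maps the protector types it finds to the mode names used on this page, and flags the cases a practitioner cares about, in particular a volume whose unlock does not depend on the TPM at all and a volume with no recovery password protector. It assumes an elevated PowerShell 2.0 or later prompt on a computer where BitLocker is installed; the mode labels, the warning text and the Get-BitLockerMode function are this example's own, while the namespace, class, method and KeyProtectorType values are the documented BitLocker WMI provider.

```powershell
# Added example (not from the original page): report BitLocker mode per volume
# via the Win32_EncryptableVolume WMI provider. Run from an elevated prompt.
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# KeyProtectorType values as returned by GetKeyProtectorType.
$protectorNames = @{
    0 = 'Unknown or other'
    1 = 'TPM'
    2 = 'External key (startup key on USB)'
    3 = 'Numerical password (recovery password)'
    4 = 'TPM and PIN'
    5 = 'TPM and startup key'
    6 = 'TPM, PIN and startup key'
    7 = 'Public key'
    8 = 'Passphrase'
}

# Protector types whose unlock path goes through the TPM, so the early boot
# components are validated before the volume key is released.
$tpmBound = 1, 4, 5, 6

function Get-BitLockerMode {
    # Map the protector types present on one volume to the mode names used
    # on this page (this mapping is the example's own).
    param([int[]]$Types)
    if ($Types -contains 6) { return 'TPM with PIN and startup key' }
    if ($Types -contains 5) { return 'TPM with startup key' }
    if ($Types -contains 4) { return 'TPM with PIN' }
    if ($Types -contains 1) { return 'TPM-only' }
    if ($Types -contains 2) { return 'Startup key only (no TPM)' }
    return 'No boot-time protector'
}

$volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume
foreach ($vol in $volumes) {
    # ProtectionStatus: 0 = off, 1 = on, 2 = unknown (for example a locked volume).
    $protection = [int]$vol.GetProtectionStatus().ProtectionStatus

    # KeyProtectorType 0 passed to GetKeyProtectors enumerates every protector.
    $result = $vol.GetKeyProtectors(0)
    $types = @()
    if ($result.ReturnValue -eq 0 -and $result.VolumeKeyProtectorID) {
        foreach ($id in $result.VolumeKeyProtectorID) {
            $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType
        }
    }

    $hasTpmProtector = @($types | Where-Object { $tpmBound -contains $_ }).Count -gt 0

    $warnings = @()
    if ($protection -eq 1) {
        if (-not $hasTpmProtector) {
            $warnings += 'Unlock does not depend on the TPM; boot component integrity is not checked'
        }
        if (($types -contains 2) -and -not $hasTpmProtector) {
            $warnings += 'All key material is on the USB startup key; disk plus USB drive is enough to read the volume'
        }
        if (-not ($types -contains 3)) {
            $warnings += 'No recovery password protector; a TPM or boot change could lock you out'
        }
    }

    $names = $types | ForEach-Object {
        if ($protectorNames.ContainsKey($_)) { $protectorNames[$_] } else { "Type $_" }
    }

    New-Object PSObject -Property @{
        Volume     = $vol.DriveLetter
        Protection = @{0 = 'Off'; 1 = 'On'; 2 = 'Unknown'}[$protection]
        Mode       = Get-BitLockerMode -Types $types
        Protectors = $names -join ', '
        Warnings   = $warnings -join '; '
    }
}
```

Pipe the output to Format-List to see the full warning text. A volume reported as "Startup key only (no TPM)" is the case the important note above describes: BitLocker will unlock it for anyone who has both the disk and the flash drive, because there is no TPM to refuse the key when the startup files have changed.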

