Bitlocker, Yubikey and TPM?

Hi,

I want to protect the data stored on the hard disk drives of my PC.

The purpose is:

* to prevent someone physically accessing my PC and pluging a bootable USB stick from reading/modifying the content of my HDDs
* to prevent someone from reading/modifying the content of my HDDs if they physically pull my HDDs out of my PC and put them in another PC

1/ I think Bitlocker is the way to go: it's free and already built-in Windows.
I already gave Bitlocker a try on another older PC and I like it but in order to guarantee a strong level of security, Bitlocker must use a strong password, which is a pain to remember and a pain to type each time the PC boots. Not to mention I will have to type this PW every time I want to open a bitlocked partition (all partitions will be bitlocked).

2/ This is why I plan to buy a Yubikey, but I'm not sure I can have it working the way I want.

What I want is: everytime I boot the PC I have to plug the Yubikey in a USB port of my PC so that Bitlocker is automatically unlocked without the hassle of typing a Password. And when I open File Explorer, I can open every bitlocked partitions just like if they were not encrypted with Bitlocker as long as my Yubikey is still plugged in.

Can you tell me if it's doable? I find most of Yubikey tutorials being hard to understand and before I choose to buy a pair of these, I want to make sure it will work as expected.

3/ I also have concerns about TPM. This subject is a bit unclear to me as well. I read this thread, but still didn't manage to perfectly understand it: Verify Trusted Platform Module (TPM) Chip on Windows PC

I have an Asus Prime TRX40-Pro S mobo, with a AMD Threadripper 3990X cpu. Here is what the Powershell get-tpm command says:



My question is: say in the future I replace my motherboard, or I replace my cpu. Will I still be able to read the content of my Bitlocked HDDs? (as I guess by replacing these hardware components, the TPM keys will change as well)
Or, which is a bit the same, if I pull out the HDDs of my PC and I plug them into another PC, will I be able to read them?
Given I have the Yubikey of course.

It's an interesting but hard topic to me so I hope all of this makes sense

Thank you in advance for your answers,


Windows 10 Pro version 21H1 (OS Build 19043.928). I am currently installing Windows and the PC is not connected to internet yet, this is why Windows is not up to date yet.

hi,

1) Yes.

2) Bitlocker has native support for that no need for third parties.

3) Any TPM Know or unknown to the drives can be used as long as you have your Recovery key.

Thanks @MaloK,

1) I activated Bitlocker on my 2 internal drives and I backed up the recovery keys on a USB stick.
Now when I boot my PC both drives are automatically unlocked: is it because the TPM "recognizes" them?
What if I put them into another PC? Will they still be automatically unlocked or will I be prompted to enter their Recovery key?
(I can't try it myself as my other PC doesn't have M.2 ports)


2) My goal is to add 2FA to open my Windows session. Currently my session opens with providing a password only: it is 1FA, eventhough Bitlocker is enabled. This is why I'm considering buying a Yubikey.

What native support are you talking about?


3) Thanks, it makes sense.

4) Another question pops-up in my mind: now my drives are automatically decrypted, that's fine.

But will they also be automatically decrypted when my PC runs another OS? For example if someone runs a Linux distribution on a USB stick? I don't want that.

Thank you again,

Hi,

1) yes they are and no the drives won't decrypt without the key on another computer. And wont be unlocked if you enable 2FA.

2) to require 2FA follows How to Use a USB Key to Unlock a BitLocker-Encrypted PC

4) Linux has Bitlocker support, (but as Windows you will need your key) to mount and access these under Linux too.

Thanks a lot @MaloK,

Now everything makes sense :))