How is TPM more secure than USB?


  1. Posts : 1,746
    Windows 10 Pro x64 22H2
       #1

    How is TPM more secure than USB?


    Why is TPM more secure than USB key for BitLocker drive encryption?

    I mean, if I take USB with me, then how could somebody decrypt drive without USB key with key stored on it?
    What is considered "secure" with TPM in comparison to USB with key stored on it?


  2. Posts : 7,724
    3-Win-7Prox64 3-Win10Prox64 3-LinuxMint20.2
       #2

    Hi,
    Only thing I can think of is dropping a USB isn't good for them.


  3. Posts : 41,452
    windows 10 professional version 1607 build 14393.969 64 bit
       #3

    See this link: (explaining it is beyond my pay grade but it has the information on how BitLocker works with TPM to enhance protection)

    https://docs.microsoft.com/en-us/win...ter%20security.


  4. Posts : 5,048
    Windows 10/11 Pro x64, Various Linux Builds, Networking, Storage, Cybersecurity Specialty.
       #4

    @zebal -

    If you enable BitLocker on a W10 PC without a TPM, you can choose to create a USB startup key as part of the setup process.
    The USB key will be used instead of the TPM.

    One more thing...

    If you have the Home version of W10, you won’t be able to use BitLocker.
    You may use the Device Encryption feature instead, but this works much differently from BitLocker and will not allow you to provide a startup key.

    FWIW.



  5. Posts : 1,746
    Windows 10 Pro x64 22H2
    Thread Starter
       #5

    Compumind said:
    If you enable BitLocker on a W10 PC without a TPM, you can choose to create a USB startup key as part of the setup process.
    The USB key will be used instead of the TPM.

    Yes, what I don't get is what additional benefits there are in TPM, for example:

    If I understood, when using TPM, boot partition as well as RE, System reserved and ALL partitions are encrypted, while if not using TPM then only the OS partition is encrypted?

    From this portion

    It makes sense if entire drive is encrypted, including boot partition then how could OS boot? Does TPM encrypt boot partition and RE as well?


  6. Posts : 5,048
    Windows 10/11 Pro x64, Various Linux Builds, Networking, Storage, Cybersecurity Specialty.
       #6


  7. Posts : 1,746
    Windows 10 Pro x64 22H2
    Thread Starter
       #7

    Compumind said:
    I'm having difficulties finding in the docs what I ask, for example it says:

    "BitLocker provides full-volume encryption to protect data at rest."

    Full volume does not mean full disk AFAIK, docs seem to imply this, there is no exact explanation or difference explained between TPM and USB method as to what is encrypted in either case.


  8. Posts : 5,048
    Windows 10/11 Pro x64, Various Linux Builds, Networking, Storage, Cybersecurity Specialty.
       #8

    @zebal -

    This should do it, I hope:

    https://docs.microsoft.com/en-us/win...nistration-faq

    Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?

    No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data.
    The encrypted sectors in the BitLocker protected drive are decrypted only as they are requested from system read operations.

    Blocks that are written to the drive are encrypted before the system writes them to the physical disk.
    No unencrypted data is ever stored on a BitLocker protected drive.



  9. Posts : 1,746
    Windows 10 Pro x64 22H2
    Thread Starter
       #9

    @Compumind
    Q&A which you quote is something else, but what I'm looking for is the following (from the docs):

    Can BitLocker encrypt more than just the operating system drive?
    Yes.

    All it says is "Yes", but I really want to know more and what is the default for TPM vs USB when it comes to what volumes are encrypted?


  10. Posts : 5,048
    Windows 10/11 Pro x64, Various Linux Builds, Networking, Storage, Cybersecurity Specialty.
       #10

    @zebal -

    Well, I think that the process should be the same. If you have a TPM, then you do not need the USB key.
    Is this what you are asking?

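One way to check on a given machine which volumes BitLocker covers and whether each is unlocked by the TPM, a USB startup key, or both (an added example, not part of any post in this thread). `Get-ProtectorSummary` and the sample objects are hypothetical and constructed for illustration; `Get-BitLockerVolume` is the built-in cmdlet and needs an elevated session.

```powershell
# Added example: summarize which volumes BitLocker covers and how each is unlocked.
# Get-ProtectorSummary is a hypothetical helper name, not a built-in cmdlet.
function Get-ProtectorSummary {
    param([Parameter(ValueFromPipeline)] $Volume)
    process {
        # Collect the protector type names (e.g. Tpm, ExternalKey, RecoveryPassword)
        $types = @(foreach ($kp in $Volume.KeyProtector) { "$($kp.KeyProtectorType)" })
        [pscustomobject]@{
            MountPoint  = $Volume.MountPoint
            VolumeType  = "$($Volume.VolumeType)"
            Status      = "$($Volume.VolumeStatus)"
            Protectors  = $types -join ', '
            # Tpm, TpmPin, TpmStartupKey, ... all involve the TPM
            UsesTpm     = [bool]($types -match '^Tpm')
            # ExternalKey and the *StartupKey types rely on a key file on removable media
            UsesUsbKey  = [bool]($types -match 'ExternalKey|StartupKey')
            # Recovery password is the fallback when the TPM or USB key is unavailable
            HasRecovery = $types -contains 'RecoveryPassword'
        }
    }
}

# Constructed sample objects (not real output) so the function can be tried without BitLocker
$sample = @(
    [pscustomobject]@{
        MountPoint = 'C:'; VolumeType = 'OperatingSystem'; VolumeStatus = 'FullyEncrypted'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
        )
    },
    [pscustomobject]@{
        MountPoint = 'D:'; VolumeType = 'Data'; VolumeStatus = 'FullyDecrypted'
        KeyProtector = @()
    }
)

if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    # Real data: one row per volume Windows knows about
    Get-BitLockerVolume | Get-ProtectorSummary | Format-Table -AutoSize
} else {
    # Fallback: the constructed sample above
    $sample | Get-ProtectorSummary | Format-Table -AutoSize
}
```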


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
