BitLocker on non-system partition

I know that nowadays passwords are indispensable for keeping other people away from my precious data, but sometimes it gets really frustrating typing them again and again, so I seize every option that offers me the same level of security without having to remember a new password. My laptop has a TPM chip built into it so when I was looking for an encryption software to keep my valuable private data safe in that unfortunate case when I lose my laptop or it gets stolen, I choose a solution that can leverage the TPM’s functionality.

BitLocker is a full disk encryption software by Microsoft that is bundled with every higher-grade versions of the Windows operating systems since Vista. In encrypts a whole disk partition which then can be decrypted typing a password (called PIN in BitLocker terminology), inserting an external USB drive, using the key stored in the TPM hardware or the combinations of two or all three of them. I choose the TPM-only authentication mode, that works transparently without any user interaction as long as the hard disk remains in my laptop and it boots from it. If any part of the pre-boot environment changes BitLocker will refuse to decrypt the drive. Please note that TPM-only authentication mode is not recommended because it is vulnerable to some kind of cold-boot attacks. These attacks all have in common that they require that my laptop is still running when the attacker acquires it. I decided to take this risk for the convenience.

My laptop has two hard drives: an SSD (primary volume) on which only the operating system and program files reside for faster system and software startup times, and a standard HDD (secondary volume) for all the data, my documents, source codes, photos, etc. My original intention was to enable BitLocker only on this secondary partition, because the system partition does not contain any sensitive information and the encryption would have some minimal performance overhead.

While setting up the BitLocker drive encryption using the built-in wizard of Windows 8 Pro that is installed on my notebook, I noticed with a great surprise that no TPM-only option was present on the authentication-mode selection screen. I double checked that the TPM hardware is functioning properly, so I started digging up the internet for a solution or an explanation.

As it turned out, this is because the way TPM and BitLocker operate together by forming a chain of protection. TPM protects (detects any change to) the pre-boot environment which consist of the computer hardware, firmware (including BIOS) and operating system boot loader. The boot loader protects the essential operating system files and the system partition if BitLocker is enabled. And finally, the system partition protects any other volumes. The key for the secondary partition is not stored in the TPM chip itself but somewhere on the system partition, so for the secondary volume to be decrypted automatically the system volume must be encrypted as well.

At the end I decided to encrypt both volumes, this time the TPM-only option was present for the secondary partition, too. Now my private data is safe on my hard drive without requiring to enter another password (besides Windows logon password of course, never have your operating system without any logon password, really, don’t). It’s worth noting that Windows 8 has a new BitLocker feature (at least I don’t remember seeing this on the Windows 7 computer at my workplace) that allows the user to encrypt only the currently allocated parts of the hard disk for the first time BitLocker is enabled. This is useful for newly purchased disk drives (like my new SSD) as it greatly reduces the time needed to enable BitLocker drive encryption.

Finally I got so much into data encryption, that I also BitLocked my USB flash drive. To be honest, there is much more chance to have that tiny flash drive lost or stolen than the laptop. Flash drives can only be decrypted with a password, however, there is a convenience option that they can be automatically unlocked on computers with BitLocker-enabled system volumes. With this option it is possible that my flash drive can be used on my laptop without any further action, but it requires a password on every other machines.

Leave a Reply

Your email address will not be published. Required fields are marked *

*