BitLocker Drive Encryption - Overview

Overview

There are three authentication mechanisms that can be used as building blocks to implement BitLocker encryption:

  • Transparent operation mode: This mode uses the capabilities of Trusted Platform Module (TPM) 1.2 hardware to provide a transparent user experience: the user powers up and logs on to Windows as normal. The key used for the disk encryption is sealed (encrypted) by the TPM chip and is released to the OS loader code only if the early boot files appear to be unmodified. The pre-OS components of BitLocker achieve this by implementing a Static Root of Trust for Measurement, a methodology specified by the Trusted Computing Group. This mode is vulnerable to a cold boot attack, because it allows a powered-down machine to be booted by an attacker.
  • User authentication mode: This mode requires that the user provide some authentication to the pre-boot environment in the form of a pre-boot PIN. This mode is vulnerable to a bootkit attack.
  • USB Key Mode: The user must insert a USB device that contains a startup key into the computer to be able to boot the protected OS. Note that this mode requires that the BIOS on the protected machine supports the reading of USB devices in the pre-OS environment. This mode is also vulnerable to a bootkit attack.

In addition to these modes, the following key protectors are available:

  • Recovery password: A numerical key protector for recovery purposes
  • Recovery key: An external key for recovery purposes
  • Certificate: Adds a certificate-based public key protector for recovery purposes
  • Password: Adds a password key protector for a data volume

The following combinations of the above authentication mechanisms are supported, all with an optional escrow recovery key:

  • TPM only
  • TPM + PIN
  • TPM + PIN + USB Key
  • TPM + USB Key
  • USB Key
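
As an added example (not part of the original page), the following PowerShell session configures the TPM + PIN combination from the list above on the OS volume, adds the optional escrow recovery password, and then audits every volume to report which combination is in place and whether a recovery protector exists. It assumes Windows with the BitLocker PowerShell module, an elevated session, a TPM that is ready, C: as the OS volume, and Active Directory configured to accept recovery-information backup; the audit function name Get-BitLockerProtectorAudit and the prompted PIN value are this example's own.

```powershell
# Added example, not from the original page. Assumes: Windows with the
# BitLocker module, an elevated session, a ready TPM, C: as the OS volume,
# and AD configured for recovery-information backup.
#Requires -RunAsAdministrator
Import-Module BitLocker

$OsVolume = 'C:'

# 1. Protect the OS volume with TPM + PIN ("user authentication mode"), so a
#    powered-down machine cannot be booted without the PIN. PIN is prompted.
$pin = Read-Host -AsSecureString -Prompt 'Pre-boot PIN'
Enable-BitLocker -MountPoint $OsVolume -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $pin -SkipHardwareTest

# 2. Add the optional escrow recovery protector (48-digit numerical password).
Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector | Out-Null

# 3. Escrow that recovery password in Active Directory.
$recovery = (Get-BitLockerVolume -MountPoint $OsVolume).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint $OsVolume -KeyProtectorId $recovery.KeyProtectorId

# 4. Audit: map each volume's protector set onto the supported combinations
#    and flag configurations that need review. (Hypothetical helper name.)
function Get-BitLockerProtectorAudit {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        if     ($types -contains 'TpmPinStartupKey') { $mode = 'TPM + PIN + USB Key' }
        elseif ($types -contains 'TpmStartupKey')    { $mode = 'TPM + USB Key' }
        elseif ($types -contains 'TpmPin')           { $mode = 'TPM + PIN' }
        elseif ($types -contains 'Tpm')              { $mode = 'TPM only' }
        elseif ($types -contains 'ExternalKey' -and
                $vol.VolumeType -eq 'OperatingSystem') { $mode = 'USB Key' }
        elseif ($types -contains 'Password')         { $mode = 'Password (data volume)' }
        else                                         { $mode = 'None' }

        # A recovery password, or a .BEK recovery key (reported as ExternalKey),
        # is what unlocks the volume after a TPM validation failure or a lost
        # PIN / startup key.
        $hasRecovery = ($types -contains 'RecoveryPassword') -or
                       ($types -contains 'ExternalKey')

        [pscustomobject]@{
            MountPoint   = $vol.MountPoint
            VolumeType   = $vol.VolumeType
            Mode         = $mode
            Protectors   = ($types -join ',')
            HasRecovery  = $hasRecovery
            Protection   = $vol.ProtectionStatus
            # TPM-only releases the key to the loader with no user secret, so a
            # stolen, powered-off device can still be booted: flag for review.
            ColdBootRisk = ($mode -eq 'TPM only')
        }
    }
}

Get-BitLockerProtectorAudit | Format-Table -AutoSize
```

The audit reads only the protector types that Get-BitLockerVolume already exposes, so it can run on a fleet without touching keys; volumes reported as "TPM only" or with HasRecovery = False are the ones to bring in line with a TPM + PIN (or stronger) combination plus an escrowed recovery protector.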
