Cannot enable device encryption in Windows 10

[Scruffy90]

I am trying to enable device encryption, but realize that they settings > Windows update > Device encryption tab is no longer available since upgrading to ryzen. 

 

When I check system info, I get the following:
 

Does that mean my current cpu/mobo doesn't support it?

[Eigenvektor]

2 minutes ago, Scruffy90 said:

Does that mean my current cpu/mobo doesn't support it?

Pretty much, yes. The TPM (Trusted Platform Module) on the system's motherboard doesn't support required features.

[Scruffy90]

1 minute ago, Eigenvektor said:

Pretty much, yes. The TPM (Trusted Platform Module) on the system's motherboard doesn't support required features.

Hmm. Is there a way for me to find out if it does? Is that something that would be listed in the manual for the mobo?

Edit: noticed that x570 boards have ftpm. Is that worth using?

[kirashi]

5 minutes ago, Scruffy90 said:

I am trying to enable device encryption, but realize that they settings > Windows update > Device encryption tab is no longer available since upgrading to ryzen. 

 

When I check system info, I get the following:
 

Does that mean my current cpu/mobo doesn't support it?

 

 

According to the following Windows Answers thread, the error you're seeing can either mean your motherboard doesn't have a TPM chip at all, or it doesn't want to communicate with Windows / BitLocker for one reason or another, possibly because it's not supported.

https://answers.microsoft.com/en-us/windows/forum/all/pcr7-configuration-binding-not-possible/ba7aeb33-b1cb-459e-a3e8-c0ad0a17975f?auth=1

 

1 minute ago, Scruffy90 said:

Hmm. Is there a way for me to find out if it does? Is that something that would be listed in the manual for the mobo?

 

 

Usually most motherboards do specific whether or not they have a TPM chip in the manual or on the product specification website.

[Eigenvektor]

4 minutes ago, Scruffy90 said:

Edit: noticed that x570 boards have ftpm. Is that worth using?

Depends: https://superuser.com/a/1411062

Sounds like it would be a bit of a pain on firmware updates

[Oshino Shinobu]

@Scruffy90 Assuming this is the motherboard in your signature, your motherboard doesn't have a TPM chip, which is required. 

 

It does have a SPI TPM header, which allows you to plug in a TPM chip. Asus sells TPM chips https://www.asus.com/Motherboard-Accessories/TPM-SPI/

 

Other manufacturers like ASRock also sell them, though I don't know if they're compatible with anything other than their own motherboards. I'd expect them to work as long as it uses the SPI interface. 

[Scruffy90]

3 minutes ago, Oshino Shinobu said:

@Scruffy90 Assuming this is the motherboard in your signature, your motherboard doesn't have a TPM chip, which is required. 

 

It does have a SPI TPM header, which allows you to plug in a TPM chip. Asus sells TPM chips https://www.asus.com/Motherboard-Accessories/TPM-SPI/

 

Other manufacturers like ASRock also sell them, though I don't know if they're compatible with anything other than their own motherboards. I'd expect them to work as long as it uses the SPI interface. 

You are correct, it is the one in my sig. This is good to know. I guess the question now becomes, is it worth getting one for my mobo.

[Oshino Shinobu]

2 minutes ago, Scruffy90 said:

You are correct, it is the one in my sig. This is good to know. I guess the question now becomes, is it worth getting one for my mobo.

They seem to be around £10/$15 from what I can find, so not like it's a massive investment. 

 

Still, don't know what happens if the TPM chip dies. If it means you lose all your data, it's not worth the security benefits as there's open software options that can achieve similar end results. 

[Scruffy90]

16 minutes ago, Oshino Shinobu said:

They seem to be around £10/$15 from what I can find, so not like it's a massive investment. 

 

Still, don't know what happens if the TPM chip dies. If it means you lose all your data, it's not worth the security benefits as there's open software options that can achieve similar end results. 

That is something I overlooked. Guess I would have to research what happens if the TPM chip dies

[Scruffy90]

54 minutes ago, Oshino Shinobu said:

They seem to be around £10/$15 from what I can find, so not like it's a massive investment. 

 

Still, don't know what happens if the TPM chip dies. If it means you lose all your data, it's not worth the security benefits as there's open software options that can achieve similar end results. 

So I looked into it and any keys stored in that tpm chip and any info that isn't backed up when it fails or breaks is gone. Not sure if I want to entirely risk that on something that wasn't built directly onto the mobo.

 

Guess the alternative is a software solution. 

[Eigenvektor]

41 minutes ago, Scruffy90 said:

That is something I overlooked. Guess I would have to research what happens if the TPM chip dies

Since it contains the keys needed for decryption, your data is gone. That's kind of the point of having a tamper proof chip that contains the keys, you can't access the data without it. So having (encrypted) backups would be a requirement. Naturally, they should be encrypted using a different method.

 

Afaik Windows has some way to generate recovery keys, so you should definitely look into that.

~edit: https://superuser.com/a/1149852