
The risks of TPM?

With all the fuss about Windows 11, I'm wondering how bad that really is…

So the keys are stored in the motherboard, or CPU…?

Then we can assume a lot of people will turn on BitLocker so they feel more secure…

OK, and what happens when the motherboard or CPU breaks… they'll be locked out of their stuff, as everything is encrypted with keys they can't retrieve?

I could even see this causing issues without BitLocker, because why not…

Is there something I'm missing, or did Microsoft really not think this through?

[attached image: 20210626_133824.jpg]

"or when the BIOS ROM chip is replaced…"

(taken from another thread)

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 


BitLocker gives you what's called a recovery key, which is a string of characters (I forget how many, but I believe it's 8 or 16). You're supposed to store it on OneDrive or another computer, and that will unlock your encrypted data if your TPM dies. Personally, I've never encrypted my drives since I don't see a point in doing it; there's no reason for my drives to get stolen, and if they are, there's nothing important on them. My main computer doesn't have a TPM, and will probably be running Windows 10 for the rest of its life, since the built-in Android support is really the only reason I would want to upgrade, and I already have emulators.


Just now, Mel0nMan said:

BitLocker gives you what's called a recovery key, which is a string of characters (I forget how many, but I believe it's 8 or 16). You're supposed to store it on OneDrive or another computer, and that will unlock your encrypted data if your TPM dies. Personally, I've never encrypted my drives since I don't see a point in doing it; there's no reason for my drives to get stolen, and if they are, there's nothing important on them.

That has been my understanding too.

But it says "or if the BIOS chip is replaced"


Just now, Mel0nMan said:

BitLocker gives you what's called a recovery key, which is a string of characters (I forget how many, but I believe it's 8 or 16). You're supposed to store it on OneDrive or another computer, and that will unlock your encrypted data if your TPM dies. Personally, I've never encrypted my drives since I don't see a point in doing it; there's no reason for my drives to get stolen, and if they are, there's nothing important on them.

The only thing I have encrypted is my passwords, so if my PC dies, all my passwords are saved.


You can have TPM enabled in the BIOS, yes. I do, and I do not see anything wrong with that. But as regards BitLocker in Windows itself, it is disabled and I keep it disabled 😉


23 minutes ago, Mark Kaine said:

 

That has been my understanding too.

 

But it says "or if the BIOS chip is replaced"

Ah, as far as I know, many boards don't have replaceable BIOS chips anymore. I wonder if a reflash of the BIOS also causes the same issue.


As I understand it, it isn't much different from other encryption tools except for the fact that it is tied to your motherboard; therefore if you have a failure of the motherboard/BIOS or even the CPU (CPU failure is rare), then all your data is irretrievable. Other than that it does not pose any other risks. If you maintain a good backup strategy then it is more of an inconvenience risk than a data risk. This is of course speaking about data that is average end-user stuff and not confidential stuff that is work- or government-related.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


Even with a TPM module, so far 11 does not force BitLocker to be enabled, does it?

PC - NZXT H510 Elite, Ryzen 5600, 16GB DDR3200 2x8GB, EVGA 3070 FTW3 Ultra, Asus VG278HQ 165hz,

 

Mac - 1.4ghz i5, 4GB DDR3 1600mhz, Intel HD 5000.  x2

 

Endlessly wishing for a BBQ in space.


8 minutes ago, Tieox said:

Even with a TPM module, so far 11 does not force BitLocker to be enabled, does it?

No, but that isn't the question; the question is what happens when you use encryption apps that rely on TPM and your mobo/BIOS chip dies.

As this is worded, you're out of luck then. "Or" always implies dependency, so "both" requirements must be fulfilled. If you can just willy-nilly change the BIOS chip (or CPU in some cases) then what's the point of an additional encryption layer to begin with?

It's just curious that no one talks about this and people assume it will "just work" apparently, when the very description of "TPM" says otherwise: it will *not* work without the TPM "module" (wherever that is located).


On 6/26/2021 at 3:08 PM, mr moose said:

As I understand it, it isn't much different from other encryption tools except for the fact that it is tied to your motherboard; therefore if you have a failure of the motherboard/BIOS or even the CPU (CPU failure is rare), then all your data is irretrievable. Other than that it does not pose any other risks. If you maintain a good backup strategy then it is more of an inconvenience risk than a data risk. This is of course speaking about data that is average end-user stuff and not confidential stuff that is work- or government-related.

So if I change my motherboard or CPU, I'm toast. 200 IQ design


On 6/26/2021 at 1:23 PM, Tieox said:

Even with a TPM module, so far 11 does not force BitLocker to be enabled, does it?

I hope not. If it does force BitLocker I would move to Linux. I do not like full HDD or SSD encryption on user systems, as it is totally unneeded, overkill and a big risk of data loss if something goes wrong.


If you have a BitLocker-encrypted drive with TPM and the like and change mobo, all you have to do is enter your BitLocker recovery key once and you're done. You'd also have to reconfigure biometric and other digital authentications that rely on the TPM, but you certainly don't "lose everything".

 

Of course you need to store that recovery key safely and reliably.

F@H
Desktop: i9-13900K, ASUS Z790-E, 64GB DDR5-6000 CL36, RTX3080, 2TB MP600 Pro XT, 2TB SX8200Pro, 2x16TB Ironwolf RAID0, Corsair HX1200, Antec Vortex 360 AIO, Thermaltake Versa H25 TG, Samsung 4K curved 49" TV, 23" secondary, Mountain Everest Max

Mobile SFF rig: i9-9900K, Noctua NH-L9i, Asrock Z390 Phantom ITX-AC, 32GB, GTX1070, 2x1TB SX8200Pro RAID0, 2x5TB 2.5" HDD RAID0, Athena 500W Flex (Noctua fan), Custom 4.7l 3D printed case

 

Asus Zenbook UM325UA, Ryzen 7 5700u, 16GB, 1TB, OLED

 

GPD Win 2


1 hour ago, Kilrah said:

If you have a BitLocker-encrypted drive with TPM and the like and change mobo, all you have to do is enter your BitLocker recovery key once and you're done. You'd also have to reconfigure biometric and other digital authentications that rely on the TPM, but you certainly don't "lose everything".

Of course you need to store that recovery key safely and reliably.

I think the real issue is if the mobo just dies, or someone "forgets" it and sells the mobo (or CPU)

I'm not saying I totally understand how it works, I mean that's what I'm asking… but that seems pretty clear: if something depends on that module and it becomes unusable, then that means trouble…

That's also why I don't think they (MS) will actually go through with this, but time will tell I guess.


12 minutes ago, Mark Kaine said:

I think the real issue is if the mobo just dies, or someone "forgets" it and sells the mobo (or CPU)

As long as you've got your recovery key there's no problem. If you even have BitLocker enabled, that is; otherwise there's literally nothing to do.

12 minutes ago, Mark Kaine said:

That's also why I don't think they (MS) will actually go through with this, but time will tell I guess.

Why wouldn't they? Some big-brand OEM PCs have been delivered with BitLocker enabled out of the box for quite a while already and there hasn't been an outrage.

My Dell laptop that's 1.5 years old came with all security features including BitLocker pre-enabled, and the OOBE had you save the recovery key.

...and going off on a tangent here, but if you're that worried it means you don't have proper backup procedures in place and you have something else to fix, regardless of any of this.


4 minutes ago, Kilrah said:

As long as you've got your recovery key there's no problem

Um, no?

[attached image: 20210626_133824.jpg]

It says "or", and "cannot be restored", meaning if you lose that chip you're SOL.

 

 


Bad translation from the mobo manufacturer; it should be AND. If you change the mobo AND have lost your recovery key then you lose access to the drive. OR doesn't even make any sense there.


5 minutes ago, Kilrah said:

Bad translation from the mobo manufacturer; it should be AND. If you change the mobo AND have lost your recovery key then you lose access to the drive. OR doesn't even make any sense there.

It reads to me that you need both the BIOS and the key.

2 hours ago, LickyLickyBumBum said:

So if I change my motherboard or CPU, I'm toast. 200 IQ design

Not really. If you change your motherboard or CPU you can back up all your relevant data first. Which you should be doing anyway.

 

 


You can also find your recovery key by logging in with your account at microsoft.com


  

9 minutes ago, mr moose said:

It reads to me that you need both the bios and the key.   

Yes, but as mentioned it's wrong, just bad translation/wording in that particular BIOS. I do use BitLocker and have moved drives across just fine.

 

The sentence doesn't even make sense, "when the recovery key is lost or the BIOS ROM chip is replaced" would mean you'd instantly lose your data should you ever lose a piece of paper with everything else still working properly. 


13 minutes ago, Kilrah said:

Yes, but as mentioned it's wrong, just bad translation/wording in that particular BIOS. I do use BitLocker and have moved drives across just fine.

I mean if you're right then this is a lot less of an issue, but most people seem to think otherwise.

And I agree it makes no sense, because as said, as soon as your mobo breaks your encrypted data is toast; that would be a huge oversight…

21 minutes ago, Kilrah said:

I do use BitLocker and have moved drives across just fine.

Between different computers? And do you have TPM enabled? Apparently there's a method to use BitLocker without TPM.

 

 

 

 


On 6/26/2021 at 7:37 AM, Mark Kaine said:

With all the fuss about Windows 11, I'm wondering how bad that really is…

So the keys are stored in the motherboard, or CPU…?

Then we can assume a lot of people will turn on BitLocker so they feel more secure…

OK, and what happens when the motherboard or CPU breaks… they'll be locked out of their stuff, as everything is encrypted with keys they can't retrieve?

I could even see this causing issues without BitLocker, because why not…

Is there something I'm missing, or did Microsoft really not think this through?

[attached image: 20210626_133824.jpg]

"or when the BIOS ROM chip is replaced…"

(taken from another thread)

I have a lot of experience with TPMs, since my last motherboard was a WS Z390 Pro, which has a removable TPM since it was a workstation board. These codes are used to allow you to use your BitLocker-encrypted drives seamlessly when you boot the PC, but there are safeguards. If you have a removable TPM you can safely move the TPM to your new motherboard and use the drives just fine with no setup. If you don't have a removable TPM then there are a couple of steps to go through... when you set up an encrypted drive for the first time it has you save your manual decryption key to your Microsoft account (required for Windows 11 now, I think), which can either be accessed once you boot up to allow you into the drive or (if it's your boot drive) you can use an alternate device to pull up the key to type in when you boot. You can print the key, or you can save the key to a flash drive or something else... you can save it anywhere but on the encrypted drive itself. In any case, it's pretty safe and you don't need to worry about it, as most people will just throw it in their Microsoft account or e-mail it to themselves.

Edit: To clarify, those without a removable TPM who want to move drives to a new PC can either just swap the drive and type in the code manually upon first boot in the new PC, or they can open the "Manage BitLocker" app (I assume it will be the same in Windows 11) as shown in the image below and click "Suspend BitLocker Protection" as shown in this guide... you can simply turn it back on when you want it back, or you can fully decrypt/re-encrypt as desired.

[attached image: ManageBitlocker.png]

Edited by DanielNS84
Added the Manage Bitlocker info...

PCPartPicker URL: https://pcpartpicker.com/list/8GYLQD

System Specifications:

CPU: AMD Ryzen 9 5950x
Motherboard: MSI MEG X570 Unify
RAM: 32GB G.Skill Trident RGB PC4000 16-16-16-36
GPU: eVGA RTX 3090 K|ngp|n Hybrid W/ 120mm Noctua iPPC 2000 RPM Industrial Fans  (Undervolted, No OC Yet)
Case: Corsair 4000D W/ a 120mm Noctua iPPC 2000 RPM Industrial Fan in the Only Spot Without a Radiator
Storage: Samsung 980 Pro 2TB (Boot) + Samsung 970 Evo 1TB x 2 (RAID-0) + 8TB RAID-1 NAS Drive x 2 (RAID-1) + PERC H730 W/ Toshiba PX04SMB160 1.6TB Enterprise SSD x 2 (RAID-0)
PSU: EVGA - 1000 T2 Modular PSU
Display(s): Acer - Predator Z1 31.5" 2560x1440 165 Hz Monitor +TCL 55S405 55" 4K HDR Display (Gaming Mode) + Samsung 27" Display (1080p60 Trash lol)
Cooling: Liquid Freezer II 280mm W/ 140mm Noctua iPPC 3000 RPM PWM Industrial Fans
Keyboard: Corsair K68 RGB (Cherry MX Red)
Mouse: Cooler Master MM720
Sound: Logitech G Series G935

 

 


58 minutes ago, Mark Kaine said:

I mean if you're right then this is a lot less of an issue, but most people seem to think otherwise.

And I agree it makes no sense, because as said, as soon as your mobo breaks your encrypted data is toast; that would be a huge oversight…

Between different computers? And do you have TPM enabled? Apparently there's a method to use BitLocker without TPM.

 

 

 

 

Yes, you can use Bitlocker without a dedicated hardware TPM by using the steps in the part of this guide called "How to enable (software-based) BitLocker on the operating system drive". Hope this helps.


8 hours ago, Mark Kaine said:

Between different computers? And do you have TPM enabled? Apparently there's a method to use BitLocker without TPM.

Yes, and I have both machines with TPM and with the USB trick. 


Given how often I update my BIOS (since I have AMD) I am reluctant to use fTPM…

 

What we don't really know yet is why Windows 11 requires the TPM (surely it wouldn't require it if it didn't use it directly) so I would probably wait and see before grabbing a TPM.


I've been using TPM and Bitlocker for about two years, there is nothing to worry about. Let me tell you what will happen.

I flash my BIOS and clear CMOS quite frequently (sometimes even a failed/bad flash), and the AMI BIOS pops up a message that says something like "you changed your CPU so your fTPM is bad, press Y to clear all fTPM keys, press N not to clear" after the PC POSTs. When you press N, the PC reboots and shows the same message. When you press Y, Win10 will ask you for the recovery key (if and only if your OS drive is encrypted). Then if you set up Windows Hello, Windows will ask you to reset your PIN by logging into your Microsoft account using your regular password (not PIN).

So yeah...as long as you saved your recovery key there is nothing to worry about even if all the keys in fTPM are cleared.

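The pre-flight routine that DanielNS84's post and the fTPM-clearing post above describe (confirm a recovery password exists and is escrowed, then suspend protection for one reboot before a BIOS flash or board swap), written out as added example code that is not from the thread or from Microsoft. It assumes an elevated PowerShell on Windows 10/11 with the built-in BitLocker and TrustedPlatformModule modules; the function names are mine.

```powershell
# Added example: readiness check before a BIOS flash, CPU swap or motherboard swap
# on a BitLocker + TPM system. Not code from the thread or from Microsoft.
# Assumes elevated PowerShell on Windows 10/11; cmdlets used are the built-in ones.

# Per encrypted volume: is it TPM-sealed, and does a recovery password exist?
# Returns objects so the result can be checked or logged rather than just read.
function Test-BitLockerRecoveryReadiness {
    $tpm = Get-Tpm
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }   # nothing sealed here
        $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $usesTpm = [bool]($types -match '^Tpm')            # Tpm, TpmPin, TpmStartupKey ...
        $hasRp   = $types -contains 'RecoveryPassword'
        [pscustomobject]@{
            MountPoint     = $vol.MountPoint
            Protection     = $vol.ProtectionStatus         # Off means suspended
            TpmReady       = $tpm.TpmReady
            UsesTpm        = $usesTpm
            HasRecoveryPwd = $hasRp
            # The failure mode the thread worries about: a TPM-sealed volume with no
            # recovery password has no way back in once the TPM is cleared or replaced.
            Risky          = $usesTpm -and -not $hasRp
        }
    }
}

# Ensure a recovery password protector exists, escrow it to the signed-in
# Microsoft/Entra account (the thread's "save it to your Microsoft account"),
# and return the 48-digit password for offline storage (anywhere but the volume).
function Save-BitLockerRecoveryPassword {
    param([string]$MountPoint = 'C:')
    $getRp = { (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
               Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1 }
    $rp = & $getRp
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = & $getRp
    }
    # Escrow requires a Microsoft account sign-in or Entra join; safe to repeat.
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    $rp.RecoveryPassword
}

# Before flashing the BIOS or changing hardware: suspend protection for exactly one
# reboot. The volume stays encrypted; the TPM measurement check is skipped once,
# then protection resumes on its own, so a changed TPM state never triggers recovery.
function Suspend-BitLockerForFirmwareUpdate {
    param([string]$MountPoint = 'C:')
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus   # Off until next boot
}

# Typical use: review the table, fix any Risky=True volume, then suspend and flash.
Test-BitLockerRecoveryReadiness | Format-Table -AutoSize
```

If the fTPM is cleared anyway (the "press Y" prompt in the post above), the escrowed password from Save-BitLockerRecoveryPassword is what the recovery screen asks for; Resume-BitLocker re-arms protection if a suspended volume was left Off.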
