Our Dell Latitude laptops have a Trusted Platform Module (TPM) which can be used for disk encryption using BitLocker in Windows 7.
The defaults for BitLocker are pretty lame (i.e. anyone with access to your laptop has access to your data), so here's how to do it properly.
The goal is to have a laptop whose disk is totally encrypted, using the TPM and a proper password.
Enable the Trusted Platform Module in the BIOS
This varies between BIOSes; this is how it looks on a Latitude E6330:
Initialise the TPM in Windows
Initialise the TPM by running tpminit.exe:
Let Windows create the password, and then save it to a USB stick for safekeeping.
Enable non-numeric PINs
Later on we want a PIN code to be required for unlocking the drive. By default this can only consist of digits. For better security, we want to have all the characters available. This is done by enabling the "Allow enhanced PINs for startup" setting in the Local Group Policy Editor (gpedit.msc):
Enable BitLocker Drive Encryption
This is done through the BitLocker Drive Encryption control panel. Turn it on for the C: disk:
Windows will now generate a recovery key. Save this also on a USB stick. If you ever forget the PIN, you can boot the computer with it:
Now it's time to encrypt the drive. You can run a check to make sure your laptop really can be recovered with the key that is stored on the USB stick:
This encryption will take some time, but on a modern laptop that has a CPU that does crypto in hardware, and an SSD, it takes about 15 minutes:
Enable the PIN code
At this moment the C: partition is encrypted using the TPM. This means that the partition is unreadable when put into another computer.
The combination of the laptop and the disk (as you have it now) unlocks without any authentication, so this is not very useful yet.
Run the Group Policy Editor again and configure the "Require additional authentication at startup" settings so they look like this:
Once this is done, you can finally configure a PIN, but since you can (and should) use characters and numbers, it should probably be called a password instead:

    manage-bde -protectors -add C: -tpmandpin
To change the PIN/password later, simply issue:

    manage-bde -changepin C:
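As an added check that is not part of the original post, the PowerShell script below verifies that the finished setup matches what the steps above aim for: enhanced PINs enabled, the volume fully encrypted with protection on, a TPM+PIN protector instead of the TPM-only default, and a recovery password still present. It assumes an English Windows 7 install with manage-bde.exe on the PATH and an elevated PowerShell window; the output strings it matches are manage-bde's English wording.

```powershell
# Added verification script (not from the original post). Run elevated.
param([string]$Drive = 'C:')

function Get-BdeText([string[]]$BdeArgs) {
    # manage-bde prints its report to stdout; capture it as a single string
    (& manage-bde.exe @BdeArgs 2>&1 | Out-String)
}

$problems = @()

# 1. "Allow enhanced PINs for startup" is stored by the policy as UseEnhancedPin=1.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$enhanced = (Get-ItemProperty -Path $fve -Name UseEnhancedPin -ErrorAction SilentlyContinue).UseEnhancedPin
if ($enhanced -ne 1) {
    $problems += 'Enhanced PINs are not enabled (UseEnhancedPin is not 1): the PIN can only be digits.'
}

# 2. Volume state: encryption must have finished and protection must be switched on.
$status = Get-BdeText @('-status', $Drive)
if ($status -notmatch 'Conversion Status:\s+Fully Encrypted') {
    $problems += "$Drive is not fully encrypted yet."
}
if ($status -notmatch 'Protection Status:\s+Protection On') {
    $problems += "Protection is off on $Drive (protectors exist but are not enforced)."
}

# 3. Protectors: we want TPM+PIN (not TPM alone) plus a recovery password for the USB stick.
$prot = Get-BdeText @('-protectors', '-get', $Drive)
if ($prot -notmatch 'TPM And PIN') {
    $problems += 'No TPM+PIN protector: this laptop unlocks the disk without a password.'
}
if ($prot -match '(?m)^\s*TPM:\s*$') {
    $problems += 'A TPM-only protector is still present; remove it so the PIN is actually required.'
}
if ($prot -notmatch 'Numerical Password') {
    $problems += 'No recovery password protector: a forgotten PIN means a lost disk.'
}

if ($problems.Count -eq 0) {
    Write-Host "BitLocker on $Drive is configured as intended (TPM+PIN, enhanced PIN, recovery key)."
    exit 0
}
$problems | ForEach-Object { Write-Host "PROBLEM: $_" }
exit 1
```

The exit code is non-zero when anything is wrong, so the script can also be used from a login script or management tool to flag laptops that were only half configured.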