BitLocker Security Modes

BitLocker can function in different modes which provide different levels of security. Which mode you choose depends on whether you have a Trusted Platform Module (TPM) on your computer and the level of security you want to achieve. The TPM is a secure device built into the hardware of the computer to store cryptographic (encryption) keys. Different security modes can combine the usage of a TPM, a PIN number and a startup key. A startup key is a cryptographic file that is stored on a separate USB file. Go here for more info about the security levels of BitLocker.

The available BitLocker modes are as follows:

TPM-only mode: This is the least secure level as the user does not have to provide any passwords, PINs or startup keys to access the computer. This mode protects your computer from changes in the hardware such as the hard disk and the boot environment.

TPM with startup key mode: This mode increases security by using a preconfigured startup key before the computer can boot into the Windows operating system. The startup key must be stored on a USB flash drive and if the device is not available at boot time, the computer enters recovery mode.

TPM with PIN mode: This mode requires the user to enter a PIN before the computer boots. As in the previous mode if an incorrect PIN is entered, the computer enters recovery mode. In addition, you can configure a Group Policy that enforces users to set complicated passwords.

TPM with PIN and startup key mode: As you can decipher, this mode is the most secure option and you can configure it through Group Policy as well. In this mode a startup key and a PIN are required before the computer boots completely and user can access the operating system. This mode is recommended for high-secure environments.

If your computer does not have a TPM you can still use BitLocker to provide hard disk encryption. Remember that you must be running the Enterprise or the Ultimate editions of Windows 7 to use BitLocker. In this situation where your hardware does not have a TPM chip, you need to boot with a startup key on a USB storage device.

To enable BitLocker, start the Local Group Policy Editor by typing gpedit.msc in the Start search text box and go to: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives and enable the Require additional authentication at startup policy as shown below:

Share