  • TPM 2.0 and BitLocker keys

      • #2389969
        Rich Walters
        AskWoody Plus

        I bought a TPM 2.0 for my recent build consisting of:

        1. ASUS TUF Gaming X570-PRO [WI-FI]
        2. AMD Ryzen 7 3700X CPU
        3. 32GB RAM

        When I install the module and restart the PC, and then enter the BIOS to turn on the TPM, how do I save the keys that will be produced? Can I print them? Or should I just write them down, or will I be able to save them to a USB drive?

        Also, when I restart the PC after turning on the TPM in the BIOS and then turn on BitLocker, how will I be able to save the keys produced there?

        I have tried to search via Google and I apparently did not phrase the search correctly.

        Thus, I am turning to this Forum.

        Rich Walters

      • #2390064
        doriel
        AskWoody Lounger

        The process should be the following:

        0. Enable TPM in BIOS
        1. Boot into Windows
        2. Turn BitLocker on by right-clicking the desired drive (C:, D:, ..) and selecting “Turn on BitLocker”
        3. The BitLocker key will be generated; it will create a *.txt file
        4. The file cannot be saved on the encrypted drive (if you encrypt C:, you cannot save the file to the C: drive)
        5. I suggest saving the key on a USB drive
        6. I also strongly recommend printing the key, or writing it down manually on paper

        Steps 3-6 can be done while turning the BitLocker on, Windows will guide you through the process, no extra effort needed.

        Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

        PRUSA i3 MK3S+

      • #2390070
        Alex5723
        AskWoody Plus

        how do I save the keys that will be produced? Can I print them? OR should I just write them

        TPM doesn’t generate a key. BitLocker does.
        • #2390077
          doriel
          AskWoody Lounger

          That is correct.

          Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself. The private portion of a storage root key or endorsement key that is created in a TPM is never exposed to any other component, software, process, or user.

          Source and detailed information HERE, if Rich wants to dig deeper 🙂

          HTH, doriel.

          Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

          HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

          PRUSA i3 MK3S+

      • #2390096
        oldguy
        AskWoody Lounger

        To save me some typing, someone else had a BitLocker issue. There are other BIOS settings (Intel PPM, SMM (Dell)) which control boot security from a BIOS level, so don’t be completely surprised if you find it’s already working. I mentioned those at https://www.askwoody.com/forums/topic/bitlocker-activated-during-update-last-night/#post-2386037

        Unfortunately, to say the motherboard manual is scant in this section (3.2) would be an understatement, so you’ll have to play it by ear. Most times it’s easier to encrypt than to avoid it now! If you have the BIOS level support it is more secure, but you need to be really hot on backing up the recovery keys and your data somewhere safe.

        The only thing maybe worth adding (though I never actually used it) is that with manage-bde, you can apparently save a key package to use to (theoretically anyway) unlock a drive from the command prompt, even if it is outside of the drive’s host hardware (saves a .BEK file..), to save typing the key in (or if you plug the drive in using an external caddy plugged into a machine after that machine was started). Would be useful if you knew you might have to recover your files with DISM to know you needed to do that bit. I seem to be the only person who would think of doing that.. we used manage-bde to start encryption and add keys. Note the program can’t be otherwise scripted – it will prompt for credentials and read input for PINs and the like only from keystrokes. manage-bde /? in a cmd prompt will clarify.

        As Doriel has already said, the Windows interface will insist you save the recovery key, and if you lose the details you can return to the bitlocker applet to retrieve it again – there’s a link towards the bottom of the applet for that.

        You can check up on the TPM’s operability via control panel or the run box:

        mmc.exe \Windows\System32\tpm.msc
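        The following is an added example, not code posted by anyone in this thread. It scripts doriel's steps 3-5 (generate the recovery password, save it somewhere other than the encrypted drive) and finishes with the manage-bde protector listing oldguy refers to. It assumes an elevated PowerShell on Windows 10, that C: is the OS drive, and that the USB drive letter is a placeholder you change.

```powershell
# Added example (not from this thread): back up a BitLocker recovery password
# to a removable drive before/while enabling BitLocker with a TPM protector.
# Assumptions: run as Administrator, OS volume is C:, $UsbDrive is a placeholder.
$OsDrive  = "C:"
$UsbDrive = "E:"   # placeholder: must NOT be the drive being encrypted

# 1. TPM must be present and ready (enabled in BIOS) before a TPM protector makes sense.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not ready (TpmPresent=$($tpm.TpmPresent), TpmReady=$($tpm.TpmReady)); enable it in BIOS first."
}

# 2. Refuse to write the key onto the volume that is being protected (doriel's step 4).
if ($UsbDrive -eq $OsDrive) { throw "Recovery key must not be saved on the encrypted drive." }
$usb = Get-Volume -DriveLetter $UsbDrive.TrimEnd(':') -ErrorAction Stop
if ($usb.DriveType -ne 'Removable') { throw "$UsbDrive is not a removable drive." }

# 3. Ensure a 48-digit recovery password protector exists, then enable BitLocker
#    with the TPM as the unlock protector if the volume is still decrypted.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
}
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $OsDrive -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
}

# 4. Export every recovery password with its protector ID to the USB stick.
#    The ID is what the recovery screen shows, so keep it next to the password.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
$out = Join-Path $UsbDrive "BitLocker-Recovery-$($env:COMPUTERNAME)-$(Get-Date -Format yyyyMMdd).txt"
$rp | ForEach-Object {
    "Identifier: $($_.KeyProtectorId)`nRecovery Key: $($_.RecoveryPassword)`n"
} | Set-Content -Path $out
Write-Host "Recovery password(s) written to $out; print a copy as well."

# 5. Same protector list as manage-bde shows it. The .BEK file oldguy mentions is an
#    external key protector, e.g.: manage-bde -protectors -add C: -RecoveryKey E:\
manage-bde -protectors -get $OsDrive
```

        Re-run step 4 after any protector change; the file on the USB drive is only as current as the last export.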

