hp spectre x360
Microsoft Windows 10 (64-bit)

to all,
could someone help clarify the security of TPM.

HP Spectre x360 (and also Samsung Tab Pro S)
They have TPM, and I have BitLocker enabled. IF BitLocker is ENABLED, but it is set to NOT require a PIN, then the drive is started automatically once you've completed the BIOS startup.
SO, I enabled an ADMINISTRATOR password for the BIOS startup, instead of a BitLocker PIN (reason: the Samsung does not have an on-screen keyboard for its detached tablet mode, but the ADMINISTRATOR password can be entered with an on-screen keyboard).

Now, if someone got this machine, and was able to get to BIOS setup, PRIOR to the administrator password being required, and was able to CLEAR the TPM, does that ALSO wipe out the stored Bitlocker recovery key, so that that drive is now no longer accessible?

If so, then that allows me to securely take the Samsung with me (and I may set up the HP the same way) when traveling, because entry of the ADMINISTRATOR password would be as difficult (or as easy) as entering an 8-character PIN for BitLocker, and if TPM is protecting both, then nobody can take out the hard drive and access it.

any feedback on security of this is appreciated
nick

2 REPLIES

@aoz987 wrote:

Now, if someone got this machine, and was able to get to BIOS setup, PRIOR to the administrator password being required, and was able to CLEAR the TPM, does that ALSO wipe out the stored Bitlocker recovery key, so that that drive is now no longer accessible?

Hello!

If you or an attacker clears the TPM, the encrypted drive will only be accessible using the encryption recovery key.

BitLocker usually uses the computer's TPM chip to store the key required for decrypting the boot drive. If the TPM chip is cleared, this key is lost (forever, or until re-initialized by the user later). In that case, the only way to decrypt the drive is to use the BitLocker recovery key.

In practice, if you boot from a drive encrypted with BitLocker, and Windows finds it cannot retrieve the keys from the TPM chip, it will prompt you for the recovery key.

It is possible to use BitLocker without TPM, though the option needs to be enabled first. In that case, clearing the TPM will not make a difference. However, it looks like you are using BitLocker with TPM, so this does not apply in your case.

Having any kind of preboot authentication screen (e.g. BitLocker or BIOS) + encrypted drive + OS account password is very secure by itself. It's not that it cannot be decrypted/decoded, but it is technically very difficult, time consuming, and requires some skills, knowledge, some expensive tools, and desire. My recommendation is not to fall into some very special scenarios. If at all your device gets stolen, it will need to fall into special hands who require something special from you. 90% of the thieves are just plain thieves who have no idea of IT and cannot access your encrypted drive.

 

This scenario is more likely

Cheers!

*** HP employee *** I express personal opinion only *** Joined the Community in 2013

It_WinSec,

Thanks for the reply.

INTERESTING sideline: a letter to AMI, asking a GENERIC question about the BIOS, TPM, etc., as this relates to SEVERAL different brands of notebooks.

NO matter that it is a GENERIC question, they will NOT answer it!! WHAT a great help they are!

Message to AMI --

Message: Dear AMI, PLEASE don't dismiss this question; I have been posting and working with, a couple forums,  I am trying to clarify how TPM works, for the BIOS ADMINISTRATOR PASSWORD, and for bitlocker.
 from my understanding, IF bitlocker is ENABLED, but it is set to NOT require a PIN, then the drive is started automatically once you've completed the BIOS startup. SO, I enabled an ADMINISTRATOR PASSWORD for the BIOS startup. This is able to be entered ON the TOUCHSCREEN with ONSCREEN KEYBOARD.
 QUESTION #1 Now, if someone stole this machine, and was able to get to BIOS setup, PRIOR to the ENTRY of the ADMINISTRATOR PASSWORD, and was able to CLEAR the TPM, does that ALSO wipe out the stored Bitlocker recovery key, so that that drive is now no longer accessible (except with bitlocker recovery key)
 if so, then that allows me to securely take the computer with me when traveling
QUESTION #2
 DOES any incorrect entry of the ADMINISTRATOR PASSWORD cause the TPM to COUNT incorrect entries, AND, IF SO, HOW do you get that TPM LOCKOUT to reset itself?

their reply
Thank you for contacting AMI technical support.
Please inspect your system and identify its manufacturer. Unless your system is manufactured by AMI, we are not authorized to provide support for it.
The system manufacturers license our generic BIOS and modify it to fit their system specifications;
 thus, we do not have access to the changes made to the BIOS. For support, BIOS, and driver updates for your system,

my reply
dear support, thanks for reply.

BUT, could you PLEASE reconsider, to provide info? I'm trying to find generic info on how TPM works, security, etc., and it is YOUR BIOS in several machines.
I'm not trying to pin down an exact help ticket item, etc. I'm not an attorney looking to find some loophole (if you want me to sign a disclaimer, I'm willing to do so).
I EVEN wrote to SAMSUNG, the PRESIDENT of the company, in South Korea (after several lower-tier-level letters, with no response).
SUPPOSE I was coming to YOU for a BIOS for a machine I was designing.
 HOW would you answer the questions below, to me, as a prospective customer?  WHAT features would be available using TPM, and its security features?  Seriously, please help with a reply.
thanks
a lowly end user peon who has some tech background, and is looking for general information

their reply
At this point, the BIOS has already been modified by the Samsung per their own hardware specification and it is now a part of Samsung’s finalized product.
 As stated in our response, if the final product is manufactured by a company other than AMI, we are not authorized to provide support for it.
If you are a system manufacturer looking to license our BIOS as part of product development, we can get you in touch with our sales department.
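Editor's added example (not code from this thread, nor from HP, Samsung, Microsoft or AMI): the points raised in It_WinSec's reply and in Question #2 of the letter to AMI can be checked on the machine itself rather than by correspondence. The PowerShell below lists which BitLocker key protectors guard the OS volume, distinguishing a TPM-only protector (the volume master key is released at boot with no user secret, which is the auto-start behaviour the original post describes) from TPM+PIN; confirms that a RecoveryPassword protector exists and prints it, because the recovery password is stored with the volume's own metadata and not inside the TPM, which is exactly why it remains the fallback after a TPM clear; and reads the TPM's lockout counters (LockedOut, LockoutCount, LockoutMax, LockoutHealTime) that the AMI question asks about. The drive letter C:, the commented-out switch to a startup PIN, and the group-policy prerequisite for that PIN are assumptions; run it from an elevated prompt on Windows 10 or 11.

```powershell
# Added example: inspect BitLocker protectors and TPM lockout state on the local machine.
# Assumes an elevated PowerShell on Windows 10/11; the BitLocker and
# TrustedPlatformModule modules ship with the OS.

$MountPoint = 'C:'   # assumption: the OS volume is C:

$vol = Get-BitLockerVolume -MountPoint $MountPoint
'{0} {1}, protection {2}, method {3}' -f $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod

# Each protector is an independent way to unseal the volume master key (VMK):
#   Tpm              - released automatically when firmware/boot measurements match; no secret
#   TpmPin           - same measurements, plus a PIN typed at pre-boot
#   RecoveryPassword - the 48-digit key; lives in the volume metadata, NOT in the TPM,
#                      so it is the path that still works once the TPM has been cleared
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId

if ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' }) {
    Write-Warning 'TPM-only protector present: the VMK is released at boot without any user secret.'
}

$rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
if (-not $rp) {
    # Without a recovery password, a cleared TPM (or a firmware update that changes the
    # measurements) leaves the volume with no way to unlock it at all.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
}
# Keep this OFF the device (printout, password manager, directory escrow) before travelling;
# a recovery key carried in the laptop bag defeats the purpose.
'Recovery password {0}: {1}' -f $rp.KeyProtectorId, $rp.RecoveryPassword
# Domain-joined machines can escrow it to AD DS when policy allows:
#   Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

# Moving from TPM-only to TPM+PIN (what the original poster could not do on the Samsung for
# lack of a pre-boot on-screen keyboard). Assumption: the policy "Require additional
# authentication at startup" permits a startup PIN. Uncomment to apply.
#   $pin = Read-Host -AsSecureString -Prompt 'Startup PIN'
#   Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin

# Question #2 to AMI: the TPM keeps its own anti-hammering counter for failed authorizations
# made against the TPM (a wrong BitLocker PIN is one). A firmware setup password is checked by
# the firmware, so read these counters rather than assuming wrong BIOS passwords feed them.
# LockoutHealTime is the interval after which the TPM itself starts forgiving failed attempts.
$tpm = Get-Tpm
$fields = @($tpm.TpmPresent, $tpm.TpmReady, $tpm.LockedOut, $tpm.LockoutCount, $tpm.LockoutMax, $tpm.LockoutHealTime)
'TPM present={0} ready={1} lockedOut={2} failures={3}/{4} healTime={5}' -f $fields
```

If the first listing shows only a Tpm protector next to a RecoveryPassword protector, the machine is in the configuration the original post describes: the drive unlocks on its own once the firmware hands off to the Windows boot manager, and only the recovery password stands between a cleared TPM and an inaccessible volume.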

 

 

† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use (https://www8.hp.com/us/en/terms-of-use.html) and Rules of Participation.