TL;DR
Using a Trusted Platform Module (TPM) with a PIN for BitLocker is more secure than using a password alone. The TPM stores the encryption key in hardware, which makes the key harder to extract from the machine. If your computer is lost or stolen, the PIN adds a further layer of protection even when someone has the drive in hand.
Understanding the Options
BitLocker protects your hard drive by encrypting everything on it. Something is needed to unlock that encryption at boot, and this is where the TPM and passwords come in.
- Password Only: The simplest method, but the least secure. Anyone who obtains your password can access the drive.
- TPM Only: The BitLocker key is stored securely on the TPM chip. This makes it harder to steal the key if the computer is stolen or tampered with. However, if the TPM fails, recovery can be difficult.
- TPM + PIN: The best balance of security and usability. The key is stored on the TPM, but a PIN is also required to unlock it. This protects against physical attacks and makes recovery easier.
Step-by-Step Guide
- Check for TPM: First, make sure your computer has a TPM chip.
- Press Windows Key + R to open the Run dialog box.
- Type tpm.msc and press Enter.
- If you see “Compatible TPM cannot be found”, your computer doesn’t have one or it’s disabled in the BIOS/UEFI settings. You will need to enable it in the BIOS before proceeding. Consult your motherboard manual for instructions.
- Enable BitLocker: If you don’t already have BitLocker enabled:
- Open Control Panel → System and Security → BitLocker Drive Encryption.
- Choose the drive you want to encrypt (usually your C: drive).
- Click “Turn on BitLocker”.
- Choose How to Unlock: This is where you select TPM + PIN.
- On the ‘How do you want to unlock your drive?’ screen, do not choose ‘Password only’.
- Select “Use a USB flash drive” or “Use a startup key”. This will create a recovery key. Important: Store this key in a safe place (printed copy, secure cloud storage).
- Tick the box that says “Require a PIN to unlock the drive”.
- Create a strong PIN (at least 8 digits) and confirm it. Don’t use an easy-to-guess PIN!
- Start Encryption: BitLocker will begin encrypting your drive.
- This can take several hours, depending on the size of your drive and its speed. The computer may restart during this process.
- Test Your Setup: After encryption is complete:
- Restart your computer.
- You should be prompted for a PIN before Windows loads. Enter the PIN you created.
- Verify that Windows boots normally after entering the correct PIN.
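The same procedure can be carried out from an elevated PowerShell prompt, which is handy when you are setting up more than one machine or want a record of exactly what was configured. The script below is an added example and is not part of the original guide; it uses the built-in TrustedPlatformModule and BitLocker PowerShell modules on Windows 10/11 and assumes the operating system drive is C:. The registry values it sets are the standard BitLocker Group Policy locations; without the “require additional authentication at startup” policy, Windows does not offer a startup PIN.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: the Step-by-Step Guide done from
# PowerShell. Assumptions: OS drive is C:, Windows 10/11 with a TPM present.

$MountPoint = 'C:'
# BitLocker Group Policy values are read from this registry key.
$FvePolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-TpmReady {
    # Same check as tpm.msc: the TPM must be present and ready for use.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        throw 'Compatible TPM cannot be found. Enable the TPM in the BIOS/UEFI settings first.'
    }
    if (-not $tpm.TpmReady) {
        throw 'TPM is present but not ready. Initialise it via tpm.msc before continuing.'
    }
    return $true
}

function Set-StartupPinPolicy {
    param([ValidateRange(4, 20)][int]$MinimumPinLength = 8)
    # "Require additional authentication at startup". Without it, the wizard does not
    # show the PIN option and Enable-BitLocker rejects a TPM+PIN protector.
    # UseTPMPIN: 0 = do not allow, 1 = allow, 2 = require a startup PIN with the TPM.
    New-Item -Path $FvePolicy -Force | Out-Null
    New-ItemProperty -Path $FvePolicy -Name UseAdvancedStartup -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $FvePolicy -Name UseTPMPIN          -Value 2 -PropertyType DWord -Force | Out-Null
    # Do not permit a password-only OS drive (the option the guide tells you to avoid).
    New-ItemProperty -Path $FvePolicy -Name EnableBDEWithNoTPM -Value 0 -PropertyType DWord -Force | Out-Null
    # Enforce the "at least 8 digits" advice so a short PIN cannot be chosen by mistake.
    New-ItemProperty -Path $FvePolicy -Name MinimumPIN -Value $MinimumPinLength -PropertyType DWord -Force | Out-Null
}

function Enable-OsDriveTpmPin {
    param([Parameter(Mandatory)][securestring]$Pin)
    # Create the recovery password before encryption starts so a recovery path always exists.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    # Turn on encryption with TPM + PIN. Leaving out -SkipHardwareTest keeps the
    # restart-and-test step, which confirms the PIN prompt works before encrypting.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $Pin
}

function Get-OsDriveProtectionSummary {
    # What to look at after the restart: status, progress and which protectors exist.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        VolumeStatus         = $vol.VolumeStatus        # EncryptionInProgress, then FullyEncrypted
        ProtectionStatus     = $vol.ProtectionStatus    # On once the protectors are active
        EncryptionPercentage = $vol.EncryptionPercentage
        Protectors           = ($vol.KeyProtector.KeyProtectorType -join ', ')  # expect TpmPin, RecoveryPassword
    }
}

Test-TpmReady | Out-Null
Set-StartupPinPolicy -MinimumPinLength 8
$pin = Read-Host -AsSecureString -Prompt 'Enter a startup PIN of at least 8 digits'
Enable-OsDriveTpmPin -Pin $pin
Get-OsDriveProtectionSummary
```

Run the script, restart when prompted so the hardware test can confirm the PIN prompt appears, and then run Get-OsDriveProtectionSummary again until VolumeStatus reads FullyEncrypted. The protector list should show both TpmPin and RecoveryPassword; if only Tpm appears, the PIN policy was not applied before encryption was enabled.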
Recovery Scenarios
If you forget your PIN:
- Recovery Key: Use the recovery key you saved earlier to unlock the drive. You’ll need to enter this key when prompted during startup.
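Two housekeeping tasks go with that recovery path: keeping a copy of the recovery key somewhere other than the encrypted drive, and, once you have got back in with it, setting a new PIN and issuing a fresh recovery key (the old one has now been typed in and should be treated as exposed). The script below is an added example, not part of the original guide; it assumes the OS drive is C: and the export path is a placeholder for your own USB stick.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: save the recovery key off the drive,
# and after a recovery (forgotten PIN) replace the PIN and the recovery password.
# Assumptions: OS drive is C:; 'E:\...' below stands for removable media you control.

$MountPoint = 'C:'

function Get-RecoveryPasswordProtectors {
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

function Export-RecoveryPassword {
    param([Parameter(Mandatory)][string]$Path)
    $protectors = @(Get-RecoveryPasswordProtectors)
    if ($protectors.Count -eq 0) {
        throw 'No recovery password protector exists. Add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector.'
    }
    # The recovery screen shows the key ID, so store it next to the 48-digit key to
    # tell several keys apart. Never keep this file on the BitLocker-protected drive.
    $protectors | ForEach-Object {
        "Volume: $MountPoint`nKey ID: $($_.KeyProtectorId)`nRecovery key: $($_.RecoveryPassword)`n"
    } | Set-Content -Path $Path
    return $protectors.Count
}

function Reset-StartupPin {
    param([Parameter(Mandatory)][securestring]$NewPin)
    # Refuse to touch the PIN unless a recovery password exists, so the drive is
    # never left with a single protector.
    if (@(Get-RecoveryPasswordProtectors).Count -eq 0) {
        throw 'Add a recovery password protector before replacing the PIN.'
    }
    # Only one TPM-based protector may exist, so remove the old TpmPin before adding the new one.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'TpmPin' | ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $NewPin | Out-Null
}

function New-RecoveryPassword {
    # Issue a fresh recovery password, then drop the ones that were in use before.
    $old = @(Get-RecoveryPasswordProtectors)
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $old | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    return Get-RecoveryPasswordProtectors
}

# Usage after the drive has been unlocked with the recovery key and Windows has started:
$pin = Read-Host -AsSecureString -Prompt 'Enter a new startup PIN of at least 8 digits'
Reset-StartupPin -NewPin $pin
New-RecoveryPassword | Out-Null
Export-RecoveryPassword -Path 'E:\bitlocker-recovery-C.txt'   # E: is a placeholder for a USB stick
```

Export the new key straight away and move the file (or a printout) off the machine. The interactive equivalent of Reset-StartupPin is manage-bde -changepin C:, which prompts for the new PIN at the command line.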
Security Considerations
- Strong PIN: A weak PIN defeats the purpose of using a TPM. Choose a complex, memorable PIN that is not easily guessable.
- Recovery Key Security: Protect your recovery key as if it were gold. If someone gets both your recovery key and access to the drive, they can bypass BitLocker.
- BIOS/UEFI Password: Consider setting a BIOS/UEFI password to prevent unauthorized changes to boot settings.

