BitLocker disk encryption normally requires a TPM on Windows. Microsoft’s EFS encryption can never use a TPM. The new “device encryption” feature on Windows 10 and 8.1 also requires a modern TPM, which is why it’s only enabled on new hardware. But what is a TPM?
TPM stands for “Trusted Platform Module”. It’s a chip on your computer’s motherboard that helps enable tamper-resistant full-disk encryption without requiring extremely long passphrases.
What Is It, Exactly?
The TPM is a chip that’s part of your computer’s motherboard — it’s soldered onto the motherboard. The TPM generates encryption keys, keeping part of the key to itself. So, if you’re using BitLocker encryption or device encryption on a computer with the TPM, part of the key is stored in the TPM itself, rather than just on the disk. This means an attacker can’t just remove the drive from the computer and attempt to access its files elsewhere.
This chip provides hardware-based authentication and tamper detection, so an attacker can’t attempt to remove the chip and place it on another motherboard, or tamper with the motherboard itself to attempt to bypass the encryption — at least in theory.
Encryption, Encryption, Encryption
For most people, the most relevant use case here will be encryption. Modern versions of Windows use the TPM transparently. Just sign in with a Microsoft account on a modern PC that ships with “device encryption” enabled and it’ll use encryption. Enable BitLocker disk encryption and Windows will use a TPM to store the encryption key.
You normally just gain access to an encrypted drive by typing your Windows login password, but it’s protected with a longer encryption key than that. That encryption key is partially stored in the TPM, so you actually need your Windows login password and the same computer the drive is from to get access. That’s why the “recovery key” for BitLocker is quite a bit longer — you need that longer recovery key to access your data if you move the drive to another computer.
This is one reason why the older Windows EFS encryption technology isn’t as good. It has no way to store encryption keys in a TPM. That means it has to store its encryption keys on the hard drive, and makes it much less secure. BitLocker can function on drives without TPMs, but Microsoft went out of its way to hide this option to emphasize how important a TPM is for security.
Why TrueCrypt Shunned TPMs
Of course, a TPM isn’t the only workable option for disk encryption. TrueCrypt’s FAQ — now taken down — used to stress why TrueCrypt didn’t use and would never use a TPM. It slammed TPM-based solutions as providing a false sense of security. Of course, TrueCrypt’s website now states that TrueCrypt itself is vulnerable and recommends you use BitLocker — which uses TPMs — instead. So it’s a bit of a confusing mess in TrueCrypt land.
This argument is still available on VeraCrypt’s website, however. VeraCrypt is an active fork of TrueCrypt. VeraCrypt’s FAQ insists BitLocker and other utilities that rely on TPM use it to prevent against attacks that require an attacker to have administrator access, or have physical access to a computer. “The only thing that TPM is almost guaranteed to provide is a false sense of security,” says the FAQ. It says that a TPM is, at best, “redundant”.
There’s a bit of truth to this. No security is completely absolute. A TPM is arguably more of a convenience feature. Storing the encryption keys in hardware allows a computer to automatically decrypt the drive, or decrypt it with a simple password. It’s more secure than simply storing that key on the disk, as an attacker can’t simply remove the disk and insert it into another computer. It’s tied to that specific hardware.