
How exactly does Bitlocker work in TPM-only mode, when I not only encrypt the boot drive but also other drives with data?

If someone steals the whole computer he can't log in, due to a Windows password. According to the answer in this question, using a boot stick will alter the boot process and thus the TPM will not provide the keys for decryption. So using a boot stick will not help.

But what happens when the attacker just formats the boot drive and reinstalls a new OS? The data on the boot drive will be lost, but now the computer can boot again. The hardware has not changed, so I'm not sure the boot process will look different to the TPM. Will this new OS installation also alter the boot process enough for the TPM to notice that change? Or will the TPM be unaware of the new OS and offer decryption keys for the additional data drives?

jusaca

1 Answer


BitLocker only uses the TPM for the system volume. Automatic unlock for all other volumes is implemented by storing the key directly as a file within the system volume (a hidden .bek file if I remember correctly – search for the term 'startup key').

So if the attacker reinstalls the OS clean as you described, then they have just deleted the stored auto-unlock keys, because all of them were in C:\ that was just reformatted.

u1686_grawity
    I was just typing the same answer, but you were faster. If you happen to know the passphrase for the additional disks you can still unlock them from the new OS (or when booted from other media). – Tonny Jan 24 '24 at 15:06
  • That's actually a pretty simple solution to solve that problem. Clever! – jusaca Jan 25 '24 at 07:17
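The answer and the comment above together make a practical point: a data volume whose only protector is the auto-unlock key stored on the OS volume is lost together with that OS volume, unless a password or recovery password also exists for it. The following PowerShell is an added example for checking that on your own machine; it is not code from the original answer or from Microsoft. It uses the built-in BitLocker module cmdlets `Get-BitLockerVolume` and `Add-BitLockerKeyProtector`, must run elevated, and the backup directory `C:\BitLockerRecovery` is an assumed local path chosen for the example.

```powershell
# Added example (not from the original answer): audit each BitLocker volume's
# key protectors and flag data volumes that can only be unlocked through the
# auto-unlock (ExternalKey) key stored on the OS volume.
# Assumes: elevated PowerShell on Windows with the BitLocker module present.
#Requires -RunAsAdministrator

function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() }
        $hasAutoUnlock  = $vol.AutoUnlockEnabled -or ($types -contains 'ExternalKey')
        $hasRecoveryPwd = $types -contains 'RecoveryPassword'
        $hasPassword    = $types -contains 'Password'

        # A data volume that depends solely on the key kept on the OS volume
        # becomes unrecoverable once that OS volume is reformatted or fails.
        $onlyAutoUnlock = ($vol.VolumeType -eq 'Data') -and $hasAutoUnlock -and
                          -not ($hasRecoveryPwd -or $hasPassword)

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType
            ProtectionStatus  = $vol.ProtectionStatus
            Protectors        = ($types -join ', ')
            AutoUnlockEnabled = $vol.AutoUnlockEnabled
            HasRecoveryPwd    = $hasRecoveryPwd
            OnlyAutoUnlock    = $onlyAutoUnlock
        }
    }
}

# Add a recovery password to each flagged data volume and store it outside the
# OS volume, so the volume stays unlockable after a clean reinstall. The backup
# path is an assumed example; on a domain you would prefer
# Backup-BitLockerKeyProtector to escrow the protector in Active Directory.
function Add-MissingRecoveryPassword {
    param([string]$BackupDir = 'C:\BitLockerRecovery')   # assumed path
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    Get-BitLockerProtectorAudit | Where-Object OnlyAutoUnlock | ForEach-Object {
        $mp = $_.MountPoint
        $updated = Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector
        $rp = ($updated.KeyProtector |
               Where-Object KeyProtectorType -eq 'RecoveryPassword' |
               Select-Object -Last 1).RecoveryPassword
        $file = Join-Path $BackupDir ("{0}.txt" -f $mp.TrimEnd(':\'))
        $rp | Set-Content -Path $file
        Write-Host "Added recovery password for $mp; saved to $file"
    }
}

# Show the current state; run Add-MissingRecoveryPassword afterwards if any
# row reports OnlyAutoUnlock = True.
Get-BitLockerProtectorAudit | Format-Table -AutoSize
```

The audit treats the OS volume separately because its TPM protector is the intended design; the check only concerns data volumes. Moving the saved recovery password off the machine (a password manager, printed copy, or AD escrow) is what actually closes the gap the answer describes, since a file left on C:\ would vanish with the reinstall just like the .bek key.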