What we are referring to is hardware based encryption rather than the more common software based methods. To begin with you will need a PC with a motherboard that has an embedded TPM (Trusted Platform Module) chip. So before we even get into the intricacies of setting up the encryption system, let’s go a little further and understand the basic functionality of a TPM based motherboard.
In very simple terms, a TPM chip basically generates random encryption keys where half of the key is stored within the chip and is encrypted/decrypted using an incredibly strong 2048-bit RSA algorithm. This essentially makes it impossible to recover data from the encrypted drive, making it unique to the machine that was used for encryption. In other words, the contents of a protected drive are unreadable when connected to another machine or read by any unauthorized person.
Before we start, make sure that your motherboard or laptop has the Trusted Platform Module chip. Refer to the manual to confirm this. If it does you will need to make sure it is enabled in the BIOS. Before we progress further make doubly sure that you have not already encrypted any files using this method. If the user information is ever cleared, encrypted files will become inaccessible. Please do back up any protected files first! We also suggest backing up important data before proceeding.
Start your machine and press the [Delete] key to get access to the BIOS. For laptops it should either be the [F12] or the [F8] key. Search for the term “Security Chip Configuration” or a similar title and press [Enter]. Now select “Enabled” for the Security Chip and move to “Clear Security Chip”. Once the user information has been cleared save changes to the BIOS by pressing [F10], and restart.
Once you have logged into Windows install the TPM driver (check your motherboard CD/DVD) and restart again. This workshop uses a Gigabyte board that had an Infineon TPM chip. If you have a different chip note that the steps will be a little different, so excercise caution and check all options first.
Activating the TPM chip
Step 1: Bring up the “Infineon Platform Security wizard” by double clicking on the TPM icon. Click “Next” and select “Security Platform Initialization”. On proceeding you will need to feed in a password to initialize the process. Consider this to be your master password as you will need it whenever you want to make global changes.
Step 2: The Features menu allows you to choose three basic options such as “Automatic Backups”, “Password reset” and “BitLocker Drive Encryption”. We suggest you use the “Automatic backup” and “Password reset” features. Click on “Next” and choose your backup location. You can also reschedule your backup if the default time is not convenient. Clicking on Next will take you to the “Password Reset” menu. Make sure “Create a new Token” is selected and choose a file location. Here it is advisable to save the token to a portable drive rather than the hard drive. Enter the password and click on “Next”. The wizard should now be ready to start initializing the TPM chip. Run an automatic backup once the wizard has initialized the chip.
User Initialization Wizard
Step 3: Double clicking the TPM icon will now bring up the User Initialization Wizard; choose “Next”. You will be asked to feed in your “Basic User Key”. This allows you to make user specific changes. On proceeding you will again be asked to create a Basic User Password reset key. We again recommend saving it to a pen drive. Confirm the setting and click on Next to initialize the setting for the user.
Step 4: The next couple of steps will allow you to enable and disable features such as “Encrypting File System” and “Personal Secure Drive”. On the Security Platform Features menu uncheck the “Secure e-mail” while keeping EFS and PSD checked before proceeding.
Step 5: To create an encryption certificate click on “Select” and choose “Create”. Select the created certificate and hit “Select”. You should now be able to view the certificate that was chosen. The next step allows you to create your own secure hidden drive.
Step 6: Map your drive to any one of the alphabets in the dropdown menu and give your new hidden drive a name. Leave the “Load my Personal Secure Drive at logon” option unchecked and click on “Next”. Decide on the amount of storage space that you want to assign to the secure drive. Now choose an existing drive where this virtual drive will actually reside. Make sure that the drive that’s chosen has enough free space to allocate. Click on Next and enter your basic user password following which the wizard starts configuring the features selected. Click Finish and you are all set to secure your files and folders.
You can load and unload your protected drive by simply right clicking on the TPM icon and navigating to “Personal Secure Drive | Load/Unload”. You can choose to either copy or send files and folders to your secure drive by simply right clicking and selecting the appropriate option.
Bitlocker Drive Encryption
For people who don’t own a TPM based motherboard or laptop there is yet another way of securing your valuable data. Windows itself comes with a utility known as BitLocker Drive Encryption. This feature can only be found in the Ultimate and Enterprise versions of Windows Vista, Windows 7 and Windows Server 2008 (Windows 7 comes with Bitlocker To Go for portable drives as well). This feature was designed to make use of a Trusted Platform Module (TPM) chip, but there is a way to work around this if you don't have one.
Follow the instructions carefully and back up your system before proceeding. Keep in mind that the Bitlocker Drive Encryption is designed to encrypt an entire partition or volume. Also the time taken to encrypt the entire drive depends on the overall size.
Step 1: Open the start menu and type “Group Policy” in the search box. Now in the Local Computer Policy window navigate to “Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption | Operating System Drives”. Right click on “Require additional authentication at startup” and click “Edit”.
Step 2: On the opened page select “Enabled” under “Require additional authentication at startup” and under options check “Allow BitLocker without a compatible TPM”. Once checked other options will automatically change; ignore the automated changes. After you have enabled it to start without a compatible TPM chip, click on Apply and exit the Group Policy editor. The above process basically enables BitLocker but without its full range of effectiveness.
Step 3: To enable BitLocker you will need to search for a file named “BitLocker”. Open the Windows Vista or Windows 7 start menu and type “BitLocker” in the search bar. Run the program “BitLocker Drive Encryption”. You should now be able to view all drives currently connected to your system. Select the drive that you want to encrypt and click “Turn on BitLocker”.
Step 4: Now select “Use a password to unlock the device” and type in your password. Further on you will be asked to “Save the recovery key to a file”. Save the file either to the hard disk or a portable pen drive to proceed. The recovery key is now your only option to able to access your device in case you forget the password. Once you are done click “Start Encrypting”.
Note :- Do not save your recovery key on the same drive that is being encrypted else you will not be able to unlock the device in case you forget the password!