Trusted Platform Module (TPM) and BitLocker Support
Dell OpenManage Server Update Utility User's Guide
A TPM is a secure microcontroller with cryptographic capabilities designed to provide basic security-related functions involving encryption keys. It is installed on the motherboard of your system, and communicates with the rest of the system using a hardware bus. You can establish ownership of your system and its TPM through BIOS setup commands.
TPM stores the platform configuration as a set of values in a set of Platform Configuration Registers (PCRs). Thus one such register may store, for example, the motherboard manufacturer; another, the processor manufacturer; a third, the firmware version for the platform, and so on. Systems that incorporate a TPM create a key that is tied to platform measurements. The key can only be unwrapped when those platform measurements have the same values that they had when the key was created. This process is called "sealing" the key to the TPM. Decrypting it is called "unsealing". With the sealed key and a data protection feature like Windows® BitLocker™ Drive Encryption, you can lock data until specific hardware or software conditions are met.
BitLocker mitigates unauthorized data access by combining two major data-protection procedures:
Encrypting the entire Windows operating system volume on the hard disk: BitLocker encrypts all user files and system files in the operating system volume.
Checking the integrity of early boot components and the boot configuration data: On systems that have a TPM version 1.2, BitLocker leverages the enhanced security capabilities of the TPM and ensures that your data is accessible only if the system's boot components are unaltered and the encrypted disk is located in the original system.
BitLocker is designed for systems that have a compatible TPM microchip and BIOS. A compatible TPM is defined as a version 1.2 TPM. A compatible BIOS supports the TPM and the Static Root of Trust Measurement. BitLocker seals the master encryption key in the TPM and only allows the key to be released when code measurements have not changed from a previous secure boot. It forces you to provide a recovery key to continue boot if any measurements have changed. A one-to-many BIOS update scenario results in BitLocker halting the update and requesting a recovery key before completing boot.
BitLocker protects the data stored on a system through "full volume encryption" and "secure startup". It ensures that data stored on a system remains encrypted even if the system is tampered with when the operating system is not running and prevents the operating system from booting and decrypting the drive until you present the BitLocker key.
TPM interacts with BitLocker to provide protection at system startup. TPM must be enabled and activated before it can be used by BitLocker. If the startup information has changed, BitLocker enters recovery mode, and you need a recovery password to regain access to the data.
NOTE: For systems with a TCG 1.2 compliant Trusted Platform Module (TPM) chip, BIOS updates using SUU and DUPs fail if the Microsoft Windows BitLocker Drive Encryption feature is enabled or the Trusted Platform Module feature is set (using BIOS) to ON with Pre-boot Measurement.
NOTE: See the Microsoft® TechNet website for information on how to turn on BitLocker. See the documentation included with your system for instructions on how to activate TPM. A TPM is not required for BitLocker; however, only a system with a TPM can provide the additional security of startup system integrity verification. Without TPM, BitLocker can be used to encrypt volumes but not a secure startup.
NOTE: The most secure way to configure BitLocker is on a system with a TPM version 1.2 and a Trusted Computing Group (TCG) compliant BIOS implementation, with either a startup key or a PIN. These methods provide additional authentication by requiring either an additional physical key (a USB flash drive with a system-readable key written to it) or a PIN set by the user.
NOTE: For mass BIOS updates, create a script that disables BitLocker, installs the update, reboots the system and then re-enables BitLocker. For one-to-one Dell™ Update Package (DUP) deployments, manually disable BitLocker and then re-enable it after rebooting your system.
NOTE: In addition to BIOS DUP, execution of firmware DUP for U320, Serial Attached SCSI (SAS) 5, SAS 6, Expandable RAID Controller (PERC) 5, PERC 6, and Cost Effective RAID Controller (CERC) 6 controllers is blocked on a system having a TPM version 1.2 chip, TPM Security set at ON with pre-boot measurement, and TPM Activation set at Enabled if you enable BitLocker (TPM or TPM with USB or TPM with PIN).
