Hi all users, as we all know how easy it is for
to get their hands on private and confidential data. That's the main reason we need to constantly refine our security policies to keep confidential data safe. While there are many software applications that will do the job, they could be easy to crack, at least for a seasoned hacker. That's not the only reason to be worried. Imagine losing your laptop or even your portable drive containing important data.
What we are referring to is hardware based
In very simple terms, a TPM chip generates random encryption keys, where half of the key is stored within the chip and is encrypted/decrypted using an incredibly strong 2048-bit RSA algorithm. This essentially makes it impossible to
Before we start, make sure that your motherboard or laptop has a Trusted Platform Module chip; refer to the manual to confirm this. If it does, you will need to make sure it is enabled in the BIOS. Before we progress further, make doubly sure that you have not already encrypted any files using this method: if the user information is ever cleared, encrypted files will become inaccessible. Please do back up any protected files first! We also suggest backing up important data before proceeding.
Start your machine and press the [Delete] key to get access to the BIOS. For laptops it should either be the [F12] or the [F8] key. Search for the term “Security Chip Configuration” or a similar title and press [Enter]. Now select “Enabled” for the Security Chip and move to “Clear Security Chip”. Once the user information has been cleared save changes to the BIOS by pressing [F10], and restart.
Once you have logged into Windows, install the TPM driver (check your motherboard CD/DVD) and restart again. This workshop uses a Gigabyte board with an Infineon TPM chip. If you have a different chip, note that the steps will be a little different, so exercise caution and check all options first.
Activating the TPM chip
Step 1: Bring up the “Infineon Platform Security wizard” by double clicking on the TPM icon. Click “Next” and select “Security Platform Initialization”. On proceeding you will need to feed in a
Step 2: The Features menu allows you to choose three basic options such as “Automatic Backups”, “Password reset” and “BitLocker
User Initialization Wizard
Step 3: Double clicking the TPM icon will now bring up the User Initialization Wizard; choose “Next”. You will be asked to feed in your “Basic User Key”. This allows you to make user specific changes. On proceeding you will again be asked to create a Basic User Password reset key. We again recommend saving it to a pen drive. Confirm the setting and click on Next to initialize the setting for the user.
Step 4: The next couple of steps will allow you to enable and disable features such as “Encrypting File System” and “Personal
Step 5: To create an encryption certificate click on “Select” and choose “Create”. Select the created certificate and hit “Select”. You should now be able to view the certificate that was chosen. The next step allows you to create your own secure hidden drive.
Step 6: Map your drive to any one of the drive letters in the dropdown menu and give your new hidden drive a name. Leave the "Load my Personal Secure Drive at logon" option unchecked and click on "Next". Decide on the amount of storage space that you want to assign to the secure drive. Now choose an existing drive where this virtual drive will actually reside; make sure that the drive you choose has enough free space to allocate. Click on Next and enter your basic user password, after which the wizard starts configuring the features selected. Click Finish and you are all set to secure your files and folders.
You can load and unload your protected drive by simply right clicking on the TPM icon and navigating to “Personal Secure Drive | Load/Unload”. You can choose to either copy or send files and folders to your secure drive by simply right clicking and selecting the appropriate option.
BitLocker Drive Encryption
For people who don't own a TPM based motherboard or laptop there is yet another way of securing your valuable data. Windows itself comes with a utility known as BitLocker Drive Encryption. This feature can only be found in the Ultimate and Enterprise versions of Windows Vista, Windows 7 and Windows Server 2008 (Windows 7 comes with BitLocker To Go for portable drives as well). This feature was designed to make use of a Trusted Platform Module (TPM) chip, but there is a way to work around this if you don't have one.
Follow the instructions carefully and back up your system before proceeding. Keep in mind that BitLocker Drive Encryption is designed to
Step 1: Open the start menu and type “Group Policy” in the search box. Now in the Local Computer Policy window navigate to “Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption | Operating System Drives”. Right click on “Require additional authentication at startup” and click “Edit”.
Step 2: On the opened page select “Enabled” under “Require additional authentication at startup” and under options check “Allow BitLocker without a compatible TPM”. Once checked other options will automatically change; ignore the automated changes. After you have enabled it to start without a compatible TPM chip, click on Apply and exit the Group Policy editor. The above process basically enables BitLocker but without its full range of effectiveness.
Step 3: To enable BitLocker you will need to search for a file named “BitLocker”. Open the Windows Vista or Windows 7 start menu and type “BitLocker” in the search bar. Run the program “BitLocker Drive Encryption”. You should now be able to view all drives currently connected to your system. Select the drive that you want to encrypt and click “Turn on BitLocker”.
Step 4: Now select "Use a password to unlock the device" and type in your password. Further on you will be asked to "Save the recovery key to a file". Save the file either to the hard disk or a portable pen drive to proceed. The recovery key is now your only way to access your device in case you forget the password. Once you are done, click "Start Encrypting".
Note: Do not save your recovery key on the same drive that is being encrypted, else you will not be able to unlock the device in case you forget the password!
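The same procedure scripted, as an added example that is not part of the original article: it sets the policy from Steps 1 and 2, enables BitLocker with a password and a recovery password as in Steps 3 and 4, and enforces the Note by refusing to write the recovery key onto the volume being encrypted. It assumes an elevated prompt, the BitLocker PowerShell module (Windows 8 / Server 2012 or later, so newer than the versions the article covers; Windows 7 users would use manage-bde instead), and that E:\ is a separate pen drive.

```powershell
# Added example, not the article's own steps. Assumptions: elevated prompt,
# BitLocker PowerShell module available, E:\ is a removable pen drive.
$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Target = 'C:'                      # volume to encrypt
$KeyDir = 'E:\BitLockerRecovery'    # assumption: pen drive, never $Target

# Steps 1-2: "Require additional authentication at startup" = Enabled, with
# "Allow BitLocker without a compatible TPM" ticked (the policy's registry form).
New-Item -Path $Policy -Force | Out-Null
Set-ItemProperty -Path $Policy -Name 'UseAdvancedStartup'  -Value 1 -Type DWord
Set-ItemProperty -Path $Policy -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord

# The Note: the recovery key must not live on the drive being encrypted,
# otherwise a forgotten password locks you out of the key as well.
if ($KeyDir.Substring(0, 2) -ieq $Target) {
    throw "Recovery key folder $KeyDir is on the volume being encrypted ($Target)."
}
New-Item -Path $KeyDir -ItemType Directory -Force | Out-Null

# Steps 3-4: password unlock, plus a numerical recovery password as the fallback.
$Password = Read-Host -AsSecureString -Prompt "Unlock password for $Target"
Enable-BitLocker -MountPoint $Target -PasswordProtector -Password $Password `
    -EncryptionMethod Aes256 -UsedSpaceOnly -SkipHardwareTest
Add-BitLockerKeyProtector -MountPoint $Target -RecoveryPasswordProtector | Out-Null

# Save the recovery password to the pen drive and report the volume state.
$Volume   = Get-BitLockerVolume -MountPoint $Target
$Recovery = $Volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
$KeyFile  = Join-Path $KeyDir "recovery-$($Recovery.KeyProtectorId).txt"
$Recovery.RecoveryPassword | Set-Content -Path $KeyFile
Write-Host "Recovery password saved to $KeyFile (keep this pen drive safe)."
$Volume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

After the reboot that the hardware test would normally trigger, Get-BitLockerVolume shows ProtectionStatus On once encryption completes; until then the drive is still readable without the password.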