Encrypting Win 7, TPM and other stuff

gesaugen

Distinguished
Nov 3, 2005
9
0
18,510
I would like to learn how to encrypt my devices. My goal is to have full disk encryption on the fly, in a way that the first thing I'll be asked when starting up my PC is the pass for decryption of the SSD/HDDs in my PC, so if my PC gets stolen or tampered with, the thief can't get to my data.

I have FM2A88X+ mbo which has TPM-S pins and A8-5600k CPU, Samsung 840 EVO SSD and Win7 x64 Ultimate OS

1. What options do I have for encryption?
While trying to figure out how encryption works, I've come across the fact that it can be implemented in hardware or in software. As I presume, hardware encryption doesn't take a toll on the computer's speed as software does while doing encryption on the fly, so I would like to use the hardware option if possible.

2. TPM - do I need it?
I've learned that there's Bitlocker software integrated into Win x64 Ultimate. I've tried to use it but there are problems: if I try to use it on the system disk, which is the SSD, it goes to the point of "checking disk" while giving me a warning that a TPM module isn't recognized on my PC (because I don't have any), while if I use it on the storage HDD it immediately takes me to the setup screen where it asks me to set up a password and stuff. But the strange thing is that the Samsung 840 EVO has hardware-enabled encryption via Bitlocker, so I'm not sure if that just doesn't work on my PC or it needs the TPM module to make it work all together, and why the HDD doesn't need TPM.

3. Do I need to encrypt my drive before installation of the OS, or can it be done while there is an OS and data on it without losing them?
 

jr9

Estimable
Bitlocker is what you want to use if you have Windows 7 Ultimate already.

You can use Bitlocker without a TPM motherboard. Normally the TPM on the motherboard is used to verify the HDD is connected to the correct PC and then asks for a password to access the volume if enabled to. If someone steals your PC they need the pass and they can't take the drive out and put it into another PC because that other PC won't have the same TPM.

In the event you don't have a TPM, you can still use Bitlocker. You can have it ask for a password or even use a USB drive with a decryption key. For a detailed guide on how to do this see

https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/

Bitlocker can be turned on at any time. The only time you have to worry about losing data is if your TPM fails or you forget or lose your encryption key and didn't write it down or save it anywhere
 

gesaugen

@jr9
thanks for the info!
Also, I'm interested in how the hardware encryption is "turned on". Or better to say, as I have hardware which supports hardware encryption (EVO 840 SSD), will it automatically use its hardware encryption capability if I use a USB key with Bitlocker, or is there something else I have to do to force usage of the hardware encryption capability for encryption?
 

jr9

The encryption is handled by Windows 7 alone with Bitlocker. It should be able to encrypt any drive being an HDD or SSD.

Samsung's encryption for SSD can be enabled and managed using Samsung Magician

Bitlocker can lock any drives to a particular Windows system and is managed 100% by Windows. It is enabled and configured using "Bitlocker" in control panel or simply Windows Key -> Bitlocker

You could theoretically use either but I recommend using one or the other. Bitlocker should work for you and you could use USB key or password to authenticate on boot which acts as a replacement for the traditional TPM chip (although if someone steals your PC TPM chip won't help you but boot password will).
 
Solution
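Added example, not part of the thread or of any poster's reply: a small audit of `manage-bde -status` output that reports, per volume, whether BitLocker protection is on, whether a recovery password exists, and whether the reported encryption method is hardware-based. The sample output is constructed and trimmed, and the "Hardware Encryption" prefix is an assumption about how a hardware-encrypted volume is labelled.

```python
import re
# Constructed, trimmed sample of `manage-bde -status` output, not taken from the thread.
SAMPLE = """\
Volume C: [System]
    Conversion Status:    Fully Encrypted
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Key Protectors:
        External Key
        Numerical Password

Volume D: [Storage]
    Conversion Status:    Fully Decrypted
    Encryption Method:    None
    Protection Status:    Protection Off
    Key Protectors:       None Found
"""

def parse_status(text):
    """Map each drive letter to its status fields and key protector names."""
    volumes, current, listing = {}, None, False
    for line in text.splitlines():
        header = re.match(r"Volume ([A-Z]):", line)
        if header:
            current = volumes.setdefault(header.group(1), {"fields": {}, "protectors": []})
            listing = False
        elif current is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            current["fields"][key] = value
            # An empty value means the protector names follow on their own lines.
            listing = key == "Key Protectors" and not value
        elif current is not None and listing and line.strip():
            current["protectors"].append(line.strip())
    return volumes

def audit(text):
    """Return {drive: {"hardware": bool, "issues": [...]}} for every volume."""
    report = {}
    for drive, vol in parse_status(text).items():
        fields, issues = vol["fields"], []
        if fields.get("Conversion Status") != "Fully Encrypted":
            issues.append("not fully encrypted")
        if fields.get("Protection Status") != "Protection On":
            issues.append("protection off")
        if "Numerical Password" not in vol["protectors"]:
            issues.append("no recovery password")
        # Assumption: a hardware-encrypted volume reports a method starting with this text.
        hardware = fields.get("Encryption Method", "").startswith("Hardware Encryption")
        report[drive] = {"hardware": hardware, "issues": issues}
    return report
```

Run `manage-bde -status` from an elevated command prompt and pass its text to `audit` in place of `SAMPLE`.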