- Dec 22, 2016
- 290
- 55
- 18,940
So I purchased a Lenovo E570 about a month ago, with Windows 10 Home. Yesterday, I upgraded it to Windows 10 Pro so that I could use Bitlocker.
Long story short: I'm having trouble encrypting my secondary fixed data drive. Let me explain in detail:
I've got an M.2 PCIe NVMe boot drive (from the factory) and a retail aftermarket 2.5" SATA SSD I installed myself as a secondary fixed data drive.
When I set up Bitlocker, it does detect my TPM. So I encrypted my boot drive with the TPM as the key protector. So far, so good.
Then I encrypted my fixed data drive. It says it is encrypted. So far, so good.
I can turn off my computer and reboot and access all my data. So far, so good.
The issue is, I'm not sure WHAT is protecting my fixed data drive. It's set to "auto unlock", but I can't figure out what it unlocks in response to. I want to make sure that my fixed data drive is unlocking only in response to something I have, and that no thief has. So great, my secondary fixed data drive is encrypted, but I can't tell what's the key. If the key is something that a thief has, then the encryption is useless. I need to verify that it's a key that only I have.
I can set boot and logon passwords just fine. What I want to do is protect against a thief who steals my physical computer, removes the drives, and mounts them in another computer. So that's where TPM comes in. I want to make sure that my fixed data drive is protected by TPM. I want TPM to be the key for my secondary fixed data drive.
The problem is, I can't figure out whether it is or not. All I know is that it is set to "automatically unlock", but I can't figure out, "in response to what?". What's the trigger that makes it unlock?
I can see how to set a password on the data drive, but I don't want a password. I've got enough passwords to remember as it is. I just want to encrypt it with the TPM to protect against a thief who might physically remove my drive from my computer.
So my only options are password or else "automatically unlock". But I can't tell whether "automatically unlock" uses my TPM or not.
I've called Microsoft technical support, and they didn't know the answer.
I'm attaching a screenshot of "manage-bde -status": http://i.imgur.com/0ZuSbaQ.png
As you can see, the boot drive is protected by TPM and by numerical password (I assume that's the recovery key, because I didn't set a user password).
By contrast, the data drive is protected by a numerical password (again, the recovery key?) and by an external key. But I didn't set up an external key. I don't have an external USB flash recovery key. I created nothing of the sort. So what is automatically unlocking my drive? If my drive automatically unlocks in response to nothing, then what will stop a thief? It will automatically unlock in response to nothing for him too!!!
Long story short: I'm having trouble encrypting my secondary fixed data drive. Let me explain in detail:
I've got an M.2 PCIe NVMe boot drive (from the factory) and a retail aftermarket 2.5" SATA SSD I installed myself as a secondary fixed data drive.
When I set up Bitlocker, it does detect my TPM. So I encrypted my boot drive with the TPM as the key protector. So far, so good.
Then I encrypted my fixed data drive. It says it is encrypted. So far, so good.
I can turn off my computer and reboot and access all my data. So far, so good.
The issue is, I'm not sure WHAT is protecting my fixed data drive. It's set to "auto unlock", but I can't figure out what it unlocks in response to. I want to make sure that my fixed data drive is unlocking only in response to something I have, and that no thief has. So great, my secondary fixed data drive is encrypted, but I can't tell what's the key. If the key is something that a thief has, then the encryption is useless. I need to verify that it's a key that only I have.
I can set boot and logon passwords just fine. What I want to do is protect against a thief who steals my physical computer, removes the drives, and mounts them in another computer. So that's where TPM comes in. I want to make sure that my fixed data drive is protected by TPM. I want TPM to be the key for my secondary fixed data drive.
The problem is, I can't figure out whether it is or not. All I know is that it is set to "automatically unlock", but I can't figure out, "in response to what?". What's the trigger that makes it unlock?
I can see how to set a password on the data drive, but I don't want a password. I've got enough passwords to remember as it is. I just want to encrypt it with the TPM to protect against a thief who might physically remove my drive from my computer.
So my only options are password or else "automatically unlock". But I can't tell whether "automatically unlock" uses my TPM or not.
I've called Microsoft technical support, and they didn't know the answer.
I'm attaching a screenshot of "manage-bde -status": http://i.imgur.com/0ZuSbaQ.png
As you can see, the boot drive is protected by TPM and by numerical password (I assume that's the recovery key, because I didn't set a user password).
By contrast, the data drive is protected by a numerical password (again, the recovery key?) and by an external key. But I didn't set up an external key. I don't have an external USB flash recovery key. I created nothing of the sort. So what is automatically unlocking my drive? If my drive automatically unlocks in response to nothing, then what will stop a thief? It will automatically unlock in response to nothing for him too!!!
Facebook
Twitter
Instagram