Setting up BitLocker Drive Encryption with the Trusted Platform Module

Programme Revision: Version 1.0
Released: March 2008
Last Document Update: March 2008
Author: Erika Hughes
© Toshiba Information Systems (UK) Ltd. [Services Department]

Introduction

This document is provided in order to offer guidance and assistance in setting up BitLocker Drive Encryption with the Trusted Platform Module (TPM). It is strongly recommended that you read and understand each of the steps detailed herein before you begin carrying them out. If you do not understand anything described, refer to the reseller or place of purchase of the computer for assistance.

Toshiba Information Systems (UK) Limited cannot accept responsibility for any damage or loss of data (or any consequential losses) that may occur either directly or indirectly if the instructions within this document are not correctly followed. The instructions contained within this document have been tried and found to work. However, Toshiba Information Systems (UK) Limited is not responsible for any updates or changes to the third-party hardware or software which may affect the validity of the information contained herein. You are therefore advised to use this information as a point of reference only and to raise any queries you may have with your reseller or place of purchase.

NOTE: Ensure that the Infineon Security Platform Utility for the Trusted Platform Module has been installed before setting up BitLocker. It can be downloaded from the 'Drivers and Downloads' page for your notebook model on the Toshiba UK website: http://uk.computers.toshiba-europe.com

Activating the Trusted Platform Module

1. While switching on the computer, hold down the Esc key.
2. If you are asked for a password, enter the Supervisor password; this is required to gain access to the System Setup screen.
3. At the prompt "Check system. Then press [F1] key." press the F1 key.
4. With the System Setup screen displayed, press the PgDn key to view the second screen of System Setup.
5. Use the arrow keys to move the highlighted box to the Security Controller section.
6. With Disabled highlighted for TPM, press the space bar so that Enabled is shown.
7. A prompt appears highlighted at the foot of the display: "Save changes to Security Controller now? (Y/N)". Press Y.
8. Press the End key to save your changes and exit System Setup, then press Y at the confirmation prompt.
   (Figure: Enabling TPM in the BIOS)
9. The system will now reboot into the operating system.

Running the BitLocker Drive Preparation Tool

The BitLocker Drive Preparation Tool prepares the computer for BitLocker Drive Encryption. BitLocker requires a small, unencrypted, active system partition separate from the Windows volume, because the boot manager must run before the TPM releases the keys for the encrypted volume. Microsoft Knowledge Base article 930063 contains an overview of this tool and explains how to obtain it: http://support.microsoft.com/kb/930063

1. Install the BitLocker Drive Preparation Tool. If using Vista Ultimate, the tool can be obtained via Windows Update. If using Vista Enterprise, it must be obtained from Microsoft Customer Support Services and installed from an executable file. Click OK to continue.
2. Wait while update KB930063 is installed.
3. Read and accept the Microsoft Software License Terms. Click I Accept.
4. Read and understand the warnings displayed. In particular, ensure that all critical data is backed up. Click Continue when ready.
5. The drive preparation tool now prepares the hard drive for BitLocker. The following actions are carried out:
   - Drive C: is shrunk
   - A new active partition S: is created
   - The drive is prepared for BitLocker
6. When the drive preparation is completed, click Finish. When prompted, click Restart Now to restart the computer.
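The two sections above leave the computer in a state that can be verified before BitLocker is turned on. The following PowerShell script is an added example and is not part of the Toshiba guide; run it from an elevated PowerShell prompt after the reboot that follows drive preparation. It assumes the TPM driver exposes the Win32_Tpm WMI class (present on Vista and later once the Security Controller is enabled), that the preparation tool created the system partition as S: with Windows on C: as the guide describes, and the function names Get-TpmReadiness, Get-SystemPartitionReadiness and Test-BitLockerPrerequisites are the author's own.

```powershell
# Added example, not part of the Toshiba guide: pre-flight checks run from an
# elevated PowerShell prompt after the TPM has been enabled in System Setup and
# the BitLocker Drive Preparation Tool has run. Assumptions: Win32_Tpm is
# available (Vista and later), the system partition is S: and Windows is on C:.

function Get-TpmReadiness {
    # Win32_Tpm lives in its own namespace and is absent when no TPM driver is
    # loaded, for example while the Security Controller is still Disabled.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) {
        return New-Object PSObject -Property @{ Present = $false; Enabled = $false; Activated = $false; Owned = $false }
    }
    # Each query method returns an object; the boolean property of the same name carries the answer.
    New-Object PSObject -Property @{
        Present   = $true
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled       # Security Controller = Enabled in System Setup
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned           # true only after Security Platform initialisation
    }
}

function Get-SystemPartitionReadiness {
    param([string]$SystemDrive = 'S:', [string]$WindowsDrive = 'C:')
    # Map each active partition to its drive letter. The boot manager must sit on a
    # volume other than the one BitLocker will encrypt, so C: must NOT be active.
    $activeLetters = @()
    foreach ($p in @(Get-WmiObject -Class Win32_DiskPartition -Filter 'BootPartition=True')) {
        $query = "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($p.DeviceID)'} WHERE AssocClass=Win32_LogicalDiskToPartition"
        foreach ($ld in @(Get-WmiObject -Query $query)) { $activeLetters += $ld.DeviceID }
    }
    $sys = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$SystemDrive'" -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        SystemDriveExists    = ($null -ne $sys)
        SystemDriveIsActive  = ($activeLetters -contains $SystemDrive)
        WindowsDriveIsActive = ($activeLetters -contains $WindowsDrive)
        SystemDriveFreeMB    = $(if ($sys) { [int]($sys.FreeSpace / 1MB) } else { 0 })
    }
}

function Test-BitLockerPrerequisites {
    # Returns $true when the TPM is usable and the partition layout is as the guide expects.
    $ok  = $true
    $tpm = Get-TpmReadiness
    if (-not $tpm.Present) {
        Write-Warning 'No TPM visible to Windows: enable the Security Controller in System Setup.'; $ok = $false
    } elseif (-not ($tpm.Enabled -and $tpm.Activated)) {
        Write-Warning 'TPM present but not enabled and activated.'; $ok = $false
    } elseif (-not $tpm.Owned) {
        # Expected at this stage: ownership is taken by the Security Platform Initialisation Wizard.
        Write-Warning 'TPM not owned yet: run Security Platform initialisation before turning on BitLocker.'
    }
    $part = Get-SystemPartitionReadiness
    if (-not $part.SystemDriveExists)   { Write-Warning 'System partition S: not found: run the Drive Preparation Tool.'; $ok = $false }
    if (-not $part.SystemDriveIsActive) { Write-Warning 'S: exists but is not the active partition.'; $ok = $false }
    if ($part.WindowsDriveIsActive)     { Write-Warning 'C: is still the active partition; BitLocker cannot protect it.'; $ok = $false }
    return $ok
}

Test-BitLockerPrerequisites
```

A result of $true with only the "TPM not owned yet" warning is the expected state at this point in the guide; the warning clears after the Security Platform initialisation in the next section.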
Initialising the Security Platform

1. To start the Security Platform Initialisation Wizard, either click on the Security Platform state bubble, or select the TPM icon from the system tray and choose Security Platform Initialization from the menu. Click Next >
2. On the Initialization: Initialize or restore screen, choose Security Platform initialization. Click Next >
3. Provide a Security Platform Owner Password. The password must be between 6 and 256 characters and can be changed later if required. Click Next >
4. Choose the Security Platform features that are required. The options are:
   - Automatic Backup (Recommended)
   - Password Reset (Optional)
   - BitLocker Drive Encryption (Required)
   Ensure that BitLocker Drive Encryption is selected. Automatic Backup and Password Reset are optional, although it is strongly recommended that the backup archive is configured. Click Next >
5. Provide a location for the Backup Archive. This can be removable media, a network drive or the local hard drive; however, it is recommended that the backup archive is stored off the local hard drive in case of drive failure. If removable media is used, it should be stored securely. Click Next >
6. Configure the Emergency Recovery Token. It is strongly recommended that the recovery token is saved to removable media in case of a hard drive failure, and that this media is stored securely. Enter a dedicated password for the token, between 6 and 256 characters. Click Next >
7. Configure the Password Reset Token. If the option to create a Password Reset Token was chosen in step 4, provide a location for the token and a dedicated password here. It is recommended that the token is saved to removable media and stored securely. Click Next >
8. Confirm the settings. Click Next > "Security Platform initialization in progress. Please wait..." appears underneath the existing text. When complete, click Next >
9. A summary confirms that the Security Platform has been initialised successfully. It is recommended that the automatic backup is run at this stage: check the box next to Run automatic backup now. Click Finish.

At this stage it is possible to set up the other security features that the TPM offers (right-click on the TPM icon in the system tray and select Security Platform User Initialization). However, completing the Security Platform User Initialization Wizard is not required for BitLocker and is therefore not covered in this guide.

Enabling BitLocker (TPM Only - No PIN)

NOTE: To set BitLocker up with the TPM plus a startup PIN, go straight to the next section, Enabling BitLocker (TPM + PIN).

1. Open BitLocker Drive Encryption from the Control Panel. Click Turn On BitLocker.
2. Save the recovery password. It is important to save the recovery password for use in the event that BitLocker prevents the computer from starting up. For further information on why this can occur, click Why BitLocker Drive Encryption might block your computer from starting. You may choose to save the password to a USB drive, save it to a folder, or print it. For the purposes of this guide, the USB drive option is used. Do not save it to a folder on the drive that is about to be encrypted; it would be unreadable exactly when it is needed.
3. Follow the on-screen instructions for saving the recovery password. If the USB drive option is chosen, a window appears asking which USB drive to use. Click Save.
4. Confirmation that the recovery password has been saved is displayed. Click Next.
5. Run the BitLocker system check.
Prior to the drive encryption process, it is recommended that a system check is run to ensure that BitLocker can read the recovery and encryption keys correctly. Check the box to the left of Run BitLocker system check and ensure that the USB drive is inserted. Click Continue and, when prompted, Restart Now.
6. After the computer has restarted, drive encryption commences immediately. The encryption process can take several hours to complete, depending on the capacity of the hard drive being encrypted. Once encryption begins, it must be allowed to complete.
7. Notification is displayed when encryption is complete.

The BitLocker setup is now complete. Since the TPM releases the required encryption keys on startup, the user is not prompted for any credentials, and from a user's perspective there is no difference in the general operation of the computer. Note that this also means the keys are released to anyone who powers on the computer: the measured boot and the Windows logon are then the only barriers, which is why the TPM + PIN configuration in the next section is preferred where a pre-boot PIN is acceptable to users.

Enabling BitLocker (TPM + PIN)

1. Click Start and, in the Start Search field, type gpedit.msc. Press Enter.
2. When the Group Policy Object Editor opens, locate the setting Control Panel Setup: Enable advanced startup options under Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption. Double-click it to open the settings.
3. On the Setting tab, select Enabled.
4. Ensure that the box next to Allow BitLocker without a compatible TPM is unchecked, so that the keys remain bound to the TPM.
5. In the drop-down options, set the TPM startup PIN option to require a PIN and the TPM startup key option to not allow a startup key.
6. Click OK to save the settings.

NOTE: If the option to require a startup PIN is chosen, the startup key option must be disallowed; Windows Vista does not combine a PIN with a startup key.

7. Open BitLocker Drive Encryption from the Control Panel. Click Turn On BitLocker.
8. Click the option Require PIN at every startup. For further information, click What is a BitLocker Drive Encryption startup key or PIN?
9. Set a startup PIN. Enter a numeric PIN between 4 and 20 digits in length and confirm it in the Confirm PIN field. When finished, click Set PIN.
10. Save the recovery password. It is important to save the recovery password for use in the event that BitLocker prevents the computer from starting up. For further information on why this can occur, click Why BitLocker Drive Encryption might block your computer from starting. You may choose to save the password to a USB drive, save it to a folder, or print it. For the purposes of this guide, the USB drive option is used.
11. Confirmation that the recovery password has been saved is displayed. Click Next.
12. Run the BitLocker system check. Prior to the drive encryption process, it is recommended that a system check is run to ensure that BitLocker can read the recovery and encryption keys correctly. Check the box to the left of Run BitLocker system check and ensure that the USB drive is inserted. Click Continue and, when prompted, Restart Now.
13. After the computer has restarted, drive encryption commences immediately. The encryption process can take several hours to complete, depending on the capacity of the hard drive being encrypted. Once encryption begins, it must be allowed to complete.
14. Notification is displayed when encryption is complete.

The BitLocker setup is now complete. On each startup or reboot, the user is prompted to enter the chosen PIN using the function keys F1 - F10 (F10 stands for 0), because the pre-boot environment does not use the normal keyboard layout.
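The same Group Policy change and wizard steps can be driven from the command line, which is useful when several notebooks are to be set up identically and for checking afterwards whether a machine ended up TPM-only or TPM + PIN. The script below is an added example and is not part of the Toshiba guide or of Microsoft's documentation. It assumes that the registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseAdvancedStartup, EnableBDEWithNoTPM, UseTPMPIN, UseTPMKey) are the ones the Enable advanced startup options policy writes on this Vista build, that %SystemRoot%\System32\manage-bde.wsf accepts the -protectors switches shown, and that E:\ is a USB drive used for the recovery password; the function names Set-BitLockerTpmPinPolicy, Enable-BitLockerTpmAndPin and Get-BitLockerProtectorSummary are the author's own. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the Toshiba guide: the TPM + PIN section done from an
# elevated PowerShell prompt instead of gpedit.msc and the Control Panel wizard,
# plus a check that tells a TPM-only volume from a TPM + PIN one.
# Assumptions: FVE policy value names as listed below, Vista's manage-bde.wsf with
# the -protectors switches shown, and E:\ as the USB drive for the recovery password.

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-BitLockerTpmPinPolicy {
    # Equivalent of the gpedit.msc steps: policy Enabled, no-TPM fallback off,
    # startup PIN required, startup key not allowed.
    # Assumed value meanings: 0 = do not allow, 1 = require, 2 = allow (user's choice).
    if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
    Set-ItemProperty -Path $FvePolicy -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $FvePolicy -Name EnableBDEWithNoTPM -Value 0 -Type DWord   # keep keys bound to the TPM
    Set-ItemProperty -Path $FvePolicy -Name UseTPMPIN          -Value 1 -Type DWord   # require PIN
    Set-ItemProperty -Path $FvePolicy -Name UseTPMKey          -Value 0 -Type DWord   # PIN and key are exclusive on Vista
}

function Enable-BitLockerTpmAndPin {
    param([string]$Volume = 'C:', [string]$RecoveryPasswordFolder)   # folder on removable media, never on $Volume
    $mbde = Join-Path $env:SystemRoot 'System32\manage-bde.wsf'
    # 1. Bind the volume master key to the TPM plus a PIN (cscript prompts for the PIN; 4-20 digits on Vista).
    & cscript.exe //nologo $mbde -protectors -add $Volume -TPMAndPIN
    # 2. Add a 48-digit recovery password: the wizard's "Save the recovery password" step.
    & cscript.exe //nologo $mbde -protectors -add $Volume -RecoveryPassword
    # 3. Record the protectors, recovery password included, off the volume being encrypted.
    if ($RecoveryPasswordFolder) {
        $file = Join-Path $RecoveryPasswordFolder ("BitLocker Recovery " + $env:COMPUTERNAME + ".txt")
        & cscript.exe //nologo $mbde -protectors -get $Volume | Out-File -FilePath $file -Encoding ASCII
    }
    # 4. Start encryption; as in the wizard, it must be allowed to run to completion.
    & cscript.exe //nologo $mbde -on $Volume
}

function Get-BitLockerProtectorSummary {
    param([string]$Volume = 'C:')
    # WMI view of the state the Control Panel shows. Key protector types:
    # 1 = TPM only, 3 = recovery (numerical) password, 4 = TPM and PIN, 5 = TPM and startup key.
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume -Filter "DriveLetter='$Volume'"
    $types = @()
    $ids = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
    foreach ($id in $ids) { $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType }
    $conv = $vol.GetConversionStatus()
    New-Object PSObject -Property @{
        ProtectionOn        = ([int]$vol.GetProtectionStatus().ProtectionStatus -eq 1)
        EncryptionPercent   = [int]$conv.EncryptionPercentage
        HasTpmOnly          = ($types -contains 1)   # keys released at boot with no user interaction
        HasTpmAndPin        = ($types -contains 4)   # what the TPM + PIN section produces
        HasRecoveryPassword = ($types -contains 3)   # must be true, and the password stored off the machine
    }
}

Set-BitLockerTpmPinPolicy
Enable-BitLockerTpmAndPin -Volume 'C:' -RecoveryPasswordFolder 'E:\'
Get-BitLockerProtectorSummary -Volume 'C:'
```

A volume set up by the TPM Only section reports HasTpmOnly = True and HasTpmAndPin = False; one set up by this section reports the reverse. Either way HasRecoveryPassword must be True, and ProtectionOn only becomes True once encryption has finished and the protectors are active. The policy written by Set-BitLockerTpmPinPolicy is what stops a user from later turning on BitLocker without a PIN from the Control Panel.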