Programme Revision: Version 1.0
Released: March 2008
Last Document Update: March 2008
Author: Erika Hughes
© Toshiba Information Systems (UK) Ltd. [Services Department]
1
Introduction
This document is provided in order to offer guidance and assistance in setting up BitLocker Drive Encryption with the Trusted Platform Module.
It is strongly recommended that you read and understand each of the steps detailed herein before you begin carrying them out. In the event that you do not understand anything described, you are advised to refer to the reseller or place of purchase of the computer for assistance. Toshiba Information Systems (UK) Limited cannot accept responsibility for any damage or loss of data (or any consequential losses) that may occur either directly or indirectly in the event that the instructions within this document are not correctly followed.
The instructions contained within this document have been tried and found to work. However, Toshiba Information Systems (UK) Limited is not responsible for any updates or changes that may occur with the third-party hardware which may affect the validity of the information contained herein. You are therefore advised to use all of this information as a point of reference only and raise any queries you may have with your reseller or place of purchase.
NOTE: Please ensure that the Infineon Security Platform Utility for the Trusted Platform Module has been installed prior to setting up BitLocker. This can be downloaded from the Toshiba UK website under the ‘Drivers and Downloads’ page for your relevant notebook model:
http://uk.computers.toshiba-europe.com
Activating the Trusted Platform Module
1. While switching on the computer, hold down the Esc key.
2. If you are asked to enter a password, enter the Supervisor password; this is required to gain access to the System Setup screen.
3. At the prompt "Check system. Then press [F1] key." press the F1 key.
4. With the System Setup screen displayed, press the PgDn key to view the second screen of System Setup.
5. Use the arrow keys to move the highlighted box to the Security Controller section.
6. With Disabled highlighted for TPM, press the space bar so that Enabled is shown.
7. A prompt will appear highlighted at the foot of the display - Save changes to Security Controller now? (Y/N) – where you should press Y.
8. Press the End key to save your changes and exit the System Setup, then press Y at the following confirmation prompt.
[Figure: Enabling TPM in the BIOS]
9. The system will now reboot into the operating system.
Running the BitLocker Drive Preparation Tool
The BitLocker Drive Preparation Tool is used to correctly prepare the computer for BitLocker Drive Encryption. Microsoft Knowledge Base Article 930063 contains an overview of this tool and provides information on how to obtain it:
http://support.microsoft.com/kb/930063
1. Install the BitLocker Drive Preparation Tool. If using Vista Ultimate, the tool can be obtained via Windows Update. If using Vista Enterprise, it must be obtained from Microsoft’s Customer Support Services and installed from an executable file (pictured left).
Click OK to continue
2. Wait whilst the update KB930063 is installed.
3. Read and accept the Microsoft Software License Terms.
Click I Accept
4. Read and understand the warnings displayed. In particular, ensure that all critical data is backed up.
Click Continue when ready.
5. The drive preparation tool will now prepare the hard drive for BitLocker. The following actions are carried out:
- Drive C: will be shrunk
- A new active partition S: is created
- The drive is prepared for BitLocker
6. When the drive preparation is completed, click Finish.
When prompted, click Restart Now in order to restart the computer.
Initialising the Security Platform
1. To start the Security Platform Initialisation Wizard, either click on the Security Platform state bubble (pictured below), or select the TPM icon from the system tray and choose Security Platform Initialization from the menu.
Click Next >
2. On the Initialization: Initialize or restore screen, choose Security Platform initialization.
Click Next >
3. Provide a Security Platform Owner Password. The password should be between 6 and 256 characters and can be changed later if required.
Click Next >
4. Choose the security platform features that are required. Possible options are as follows:
• Automatic Backup (Recommended)
• Password Reset (Optional)
• BitLocker Drive Encryption (Required)
Ensure that BitLocker Drive Encryption is selected. Automatic Backup and Password Reset are optional, although it is strongly recommended that the backup archive is configured.
Click Next >
5. Provide a location for the Backup Archive. The location for the backup archive can be on removable media, a network drive or the local hard drive. However, it is recommended that the backup archive is stored off the local hard drive in case of failure. If removable media is used, this media should be stored securely.
Click Next >
6. Configure the Emergency Recovery Token. It is strongly recommended that the recovery token is saved to removable media in case of a hard drive failure. This removable media should be stored securely. Input a dedicated password for the token, between 6 and 256 characters.
Click Next >
7. Configure the Password Reset Token. If the option to create a Password Reset Token was chosen during step 4, provide a location for the token, as well as a dedicated password, here. It is recommended that the token is saved to removable media and stored securely.
Click Next >
8. Confirm settings.
Click Next >
“Security Platform initialization in progress. Please wait…” will appear underneath the existing text. When complete, click Next >
9. A summary is displayed to confirm that the security platform has been initialised successfully. It is recommended that the automatic backup is run at this stage. Check the box next to Run automatic backup now.
Click Finish
At this stage, it is possible to set up the security features that TPM offers (right-click on the TPM icon in the system tray and select Security Platform User Initialization). However, completing the Security Platform User Initialization Wizard is not required for the purposes of BitLocker and is therefore not covered in this guide.
Enabling BitLocker (TPM Only – No PIN)
NOTE: In order to set BitLocker up with the TPM plus the use of a startup PIN, please go straight to the next section entitled Enabling BitLocker (TPM + PIN).
1. Access BitLocker Drive Encryption via the Control Panel.
Click Turn On BitLocker
2. Save the recovery password. It is important to save the recovery password for use in the event that BitLocker prevents the computer from starting up. For further information on why this can occur, click on Why BitLocker Drive Encryption might block your computer from starting. You may either choose to save the password to a USB drive, save it to a folder, or print it. For the purposes of this guide, the USB drive option is used.
3. Follow the onscreen instructions for saving the recovery password. Pictured left is the window that appears if the USB drive option is chosen.
Click Save
4. Confirmation that the recovery password has been saved is displayed.
Click Next
5. Run the BitLocker system check. Prior to the drive encryption process, it is recommended that a system check is run to ensure that BitLocker can read the recovery and encryption keys correctly. Check the box to the left of Run BitLocker system check and ensure that the USB drive is inserted.
Click Continue and, when prompted, Restart Now
6. After the computer has restarted, drive encryption will commence immediately. The encryption process can take several hours to complete, depending on the capacity of the hard drive being encrypted. Once encryption begins, it must be allowed to complete.
7. Notification is displayed when encryption is complete. The BitLocker setup is now complete. Since the TPM will release the required encryption keys on startup, the user should not be prompted to input any credentials. From a user’s perspective, there should be no difference in the general operation of the computer.
Enabling BitLocker (TPM + PIN)
1. Click Start and in the Start Search field, type gpedit.msc. Press Enter.
2. When the Group Policy Object Editor opens (pictured below), locate the option Control Panel Setup: Enable advanced startup options from within Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption. Double-click to open the settings.
3. Under the Setting tab, select Enabled.
4. Ensure the box next to Allow BitLocker without a compatible TPM is unchecked.
5. Modify the drop-down options as pictured left.
6. Click OK to save settings.
NOTE: If the option to require a startup PIN is chosen, the startup key option must be disallowed.
7. Access BitLocker Drive Encryption via the Control Panel.
Click Turn On BitLocker
8. Click on the option Require PIN at every startup. For further information, click on What is a BitLocker Drive Encryption startup key or PIN?
9. Set a startup PIN. Enter a numeric PIN between 4 and 20 digits in length. Confirm this PIN in the Confirm PIN field.
When finished, click Set PIN
10. Save the recovery password. It is important to save the recovery password for use in the event that BitLocker prevents the computer from starting up. For further information on why this can occur, click on Why BitLocker Drive Encryption might block your computer from starting. You may either choose to save the password to a USB drive, save it to a folder, or print it. For the purposes of this guide, the USB drive option is used.
11. Confirmation that the recovery password has been saved is displayed.
Click Next
12. Run the BitLocker system check. Prior to the drive encryption process, it is recommended that a system check is run to ensure that BitLocker can read the recovery and encryption keys correctly. Check the box to the left of Run BitLocker system check and ensure that the USB drive is inserted.
Click Continue and, when prompted, Restart Now
13. After the computer has restarted, drive encryption will commence immediately. The encryption process can take several hours to complete, depending on the capacity of the hard drive being encrypted. Once encryption begins, it must be allowed to complete.
14. Notification is displayed when encryption is complete. The BitLocker setup is now complete. On each startup/reboot, the user will be prompted to enter the chosen PIN using the keys F1 – F10.
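Once either walkthrough has finished (TPM only, or TPM + PIN), the PowerShell script below checks that the computer ended up in the state the guide describes: the TPM enabled, activated and owned; drive C: fully encrypted with protection on; a TPM (or TPM and PIN) startup protector together with a saved recovery password; and, for the PIN case, the Group Policy choices made in steps 3 to 6 of the TPM + PIN section. It is an added example and is not part of the Toshiba guide or of Microsoft's own tooling. It assumes the operating system volume is C:, as in the guide, and that the "Enable advanced startup options" policy is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE using the value names from the BitLocker policy template (UseAdvancedStartup, EnableBDEWithNoTPM, UseTPMPIN, UseTPMKey); confirm those names against the ADMX on the machine before relying on the policy part of the report.

```powershell
# Added post-setup check (not part of the Toshiba guide). Run from an elevated
# PowerShell prompt once encryption has completed.
# Assumptions: the OS volume is C:, and the startup policy lives under
# HKLM\SOFTWARE\Policies\Microsoft\FVE with the value names used by the
# BitLocker policy template (verify against the local ADMX).
$ErrorActionPreference = 'Stop'

# Win32_EncryptableVolume key protector types (WMI documentation).
$ProtectorName = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key';
                    3 = 'Numerical password (recovery)'; 4 = 'TPM and PIN';
                    5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key' }
# Drop-down values in the startup policy: 0 = do not allow, 1 = require, 2 = allow.
$PolicyName = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }

function Get-TpmState {
    # IsEnabled/IsActivated/IsOwned are WMI methods; each returns an object whose
    # property of the same name carries the boolean result.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) { throw 'No TPM found: check the Security Controller setting in System Setup.' }
    New-Object PSObject -Property @{
        Enabled   = $tpm.IsEnabled().IsEnabled
        Activated = $tpm.IsActivated().IsActivated
        Owned     = $tpm.IsOwned().IsOwned      # set by Security Platform initialisation
    }
}

function Get-StartupPolicy {
    # Returns $null when the policy has never been configured (TPM-only setup).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        AdvancedStartup = [bool]$p.UseAdvancedStartup
        AllowWithoutTpm = [bool]$p.EnableBDEWithNoTPM
        StartupPin      = $PolicyName[[int]$p.UseTPMPIN]
        StartupKey      = $PolicyName[[int]$p.UseTPMKey]
    }
}

function Get-OsVolumeState {
    param([string]$DriveLetter = 'C:')
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "Volume $DriveLetter is not a BitLocker-capable volume." }
    # GetKeyProtectors(0) lists every protector ID; each ID is resolved to its type.
    $types = @()
    foreach ($id in @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)) {
        $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType
    }
    New-Object PSObject -Property @{
        Drive               = $DriveLetter
        ProtectionOn        = ($vol.GetProtectionStatus().ProtectionStatus -eq 1)
        FullyEncrypted      = ($vol.GetConversionStatus().ConversionStatus -eq 1)
        Protectors          = @($types | ForEach-Object { $ProtectorName[$_] })
        StartupProtector    = $types | Where-Object { 1,4,5,6 -contains $_ }
        HasRecoveryPassword = [bool]($types | Where-Object { $_ -eq 3 })
    }
}

function Test-BitLockerSetup {
    # -RequirePin checks the outcome of "Enabling BitLocker (TPM + PIN)";
    # without it the TPM-only outcome is expected.
    param([switch]$RequirePin)
    $findings = @()
    $tpm = Get-TpmState
    if (-not ($tpm.Enabled -and $tpm.Activated -and $tpm.Owned)) {
        $findings += 'TPM is not enabled, activated and owned.'
    }
    $vol = Get-OsVolumeState
    if (-not $vol.ProtectionOn)        { $findings += 'BitLocker protection is off on C:.' }
    if (-not $vol.FullyEncrypted)      { $findings += 'C: is not yet fully encrypted.' }
    if (-not $vol.HasRecoveryPassword) { $findings += 'No recovery password protector: the recovery password was not saved.' }
    $expected = if ($RequirePin) { 4 } else { 1 }
    if ($vol.StartupProtector -ne $expected) {
        $findings += "Startup protector is '$($vol.Protectors -join ', ')', expected $($ProtectorName[$expected])."
    }
    if ($RequirePin) {
        $pol = Get-StartupPolicy
        if (-not $pol -or -not $pol.AdvancedStartup) { $findings += 'Advanced startup options policy is not enabled.' }
        elseif ($pol.AllowWithoutTpm)                { $findings += '"Allow BitLocker without a compatible TPM" is checked.' }
        elseif ($pol.StartupPin -ne 'Require' -or $pol.StartupKey -ne 'Do not allow') {
            $findings += "Policy is PIN=$($pol.StartupPin), startup key=$($pol.StartupKey); expected Require / Do not allow."
        }
    }
    if ($findings.Count -eq 0) { 'BitLocker configuration matches the guide.' } else { $findings }
}

Test-BitLockerSetup -RequirePin   # omit -RequirePin after the TPM-only walkthrough
```

The script deliberately reports rather than changes anything: the TPM is enabled in System Setup and owned by the Security Platform wizard, and the policy is set in gpedit.msc, exactly as the guide describes, so a mismatch in the report points back to the step that was skipped. The recovery-password check matters most, since without that protector the only way to unlock the drive after a failed TPM measurement is lost.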