As the title suggests, I'm trying to figure out when the TPM chip in a computer begins the decryption process to be able to boot a drive encrypted with BitLocker. Or, where could I find more information about it?
Just activate TPM+PIN, then Windows will show you that everything is ready for BitLocker decryption when it asks for the PIN. As the whole system drive is encrypted, this happens very early in the boot process. – Robert Sep 20 '21 at 16:10
1 Answer
In the case of UEFI:
- UEFI loads and starts the Microsoft bootloader from the (plain) EFI partition
- The bootloader reads the BitLocker metadata sectors from the encrypted partition
- If a TPM+PIN protector exists, the bootloader shows the PIN dialog
- The sealed key and a value derived from the PIN are sent to the TPM
- The TPM unseals the key and sends it back to the bootloader
- The bootloader can now access the encrypted partition
The drive is not decrypted as a whole; every sector is decrypted/encrypted when it is accessed.
You can find information about the metadata here and the TPM specification here.

MiSimon
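The sequence in the answer above, as an added and deliberately simplified Python model (not code from the answer, and not BitLocker's or any real TPM's implementation): a toy TPM seals the volume key to its PCR values plus a PIN-derived auth value, the "bootloader" reads the plain metadata sector, asks the TPM to unseal, and then decrypts only the sector it needs, while a wrong PIN or a changed PCR makes the unseal fail. The names (`ToyTpm`, `make_disk`, `boot_read`) and the key derivations are assumptions made for the model.

```python
import hashlib
import hmac
import os

# Constructed model of the sequence in the answer. It is NOT BitLocker's
# metadata layout, the TPM 2.0 command set, or the real XTS-AES sector cipher.
SECTOR = 16  # tiny sectors keep the sample volume readable

class ToyTpm:
    """Seals a secret to the current PCR values plus an auth value (the PIN)."""

    def __init__(self, pcrs):
        self.pcrs = list(pcrs)       # measured boot state the policy binds to
        self._root = os.urandom(32)  # chip secret that never leaves the TPM

    def _wrap_key(self, auth):
        policy = hashlib.sha256(b"".join(self.pcrs) + auth).digest()
        return hmac.new(self._root, policy, "sha256").digest()

    def seal(self, secret, auth):
        wrap = self._wrap_key(auth)
        blob = bytes(a ^ b for a, b in zip(secret, wrap))
        return blob + hmac.new(wrap, blob, "sha256").digest()

    def unseal(self, sealed, auth):
        blob, tag = sealed[:32], sealed[32:]
        wrap = self._wrap_key(auth)  # derived from the *current* PCRs
        if not hmac.compare_digest(tag, hmac.new(wrap, blob, "sha256").digest()):
            raise PermissionError("policy mismatch: wrong PIN or changed boot state")
        return bytes(a ^ b for a, b in zip(blob, wrap))

def auth_from_pin(pin):
    return hashlib.sha256(b"pin:" + pin.encode()).digest()  # stand-in for PIN stretching

def sector_crypt(key, index, data):
    # Per-sector keystream, so sector n is decrypted without touching any other
    stream = hashlib.sha256(key + index.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def make_disk(tpm, pin, plaintext):
    """Sector 0 holds the (unencrypted) metadata with the sealed key; the rest is ciphertext."""
    vmk = os.urandom(32)
    chunks = [plaintext[i:i + SECTOR].ljust(SECTOR, b"\0") for i in range(0, len(plaintext), SECTOR)]
    return [tpm.seal(vmk, auth_from_pin(pin))] + [sector_crypt(vmk, n + 1, c) for n, c in enumerate(chunks)]

def boot_read(tpm, disk, pin, index):
    """Bootloader path: read metadata, have the TPM unseal, decrypt only the requested sector."""
    vmk = tpm.unseal(disk[0], auth_from_pin(pin))
    return sector_crypt(vmk, index, disk[index]).rstrip(b"\0")
```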