Using BitLocker without a Trusted Platform Module

摘要

Microsoft introduced BitLocker Drive Encryption (BDE), or BitLocker, in Windows Server 2008 and Windows Vista. BitLocker offers volume-level data encryption for data stored on Windows clients and servers and protects the data when systems are offline (i.e., when the OS is shut down). BitLocker can prevent data breaches such as the theft of confidential corporate data on employee laptop computers. In previous Windows versions this protection wasn't possible without a third-party product. BitLocker can also offer an integrity-checking mechanism that makes the OS itself more resilient in the face of attacks. When BitLocker is applied to the system volume, it can provide a file-integrity checking feature that automatically assesses the status of boot files such as the BIOS, Master Boot Records (MBRs), and the NTFS boot sector when the system boots and before the OS starts. If a hacker inserts malicious code into one of the boot files or modifies one of the files, BitLocker will detect it and block the OS from starting.