Pre-boot authentication settings
The Authentication type tab
Your choice of pre-boot authentication (PBA) type differs depending on whether the computers whose hard disks you want to encrypt contain a Trusted Platform Module (TPM) or not.
In the example below, the BitLocker pre-boot authentication is explicitly used. For information about DriveLock pre-boot authentication for BitLocker, refer to the corresponding chapter.
The following options are available on the Authentication type tab:
- Select the first option, No pre-boot authentication, if the computers whose hard disks you want to encrypt have a built-in TPM. In this case, no additional authentication is required when booting the computer. The protector DriveLock uses is called TPM only.
  - Here, BitLocker accesses a TPM which has to be activated first in the BIOS.
  - If you choose this option, you can close the dialog and continue, because you do not need to specify a password on the next tab.
- Select the second option, BitLocker pre-boot authentication (see figure), if the computers whose hard disks you want to encrypt have no TPM, or if you are not sure whether it is active.
  - In this case, DriveLock uses the original Windows BitLocker PBA.
  - Open the Password options tab to specify a password or to select one of the other options.
In both cases, we recommend checking the Automatically unlock all data partitions check box. With this option set, both the system partition and all data partitions are unlocked after authentication on the computers you assign the BitLocker policy to.
Unlike Microsoft, DriveLock unlocks the data partitions automatically for all users of a computer. The unlocking process by DriveLock BitLocker Management works independently of the Windows BitLocker functionality; this means, for example, that the call
manage-bde -status
still returns "Automatic Unlock: Disabled" for drives that DriveLock unlocks.
The Mitigate TPM security ... option can be used to customize the TPM platform validation. The option is useful, for example, when BitLocker-encrypted laptops keep requesting the recovery key whenever the laptop is not connected to its docking station. The new option affects all types of pre-boot authentication, as DriveLock uses TPM-based protection mechanisms where TPM is available (TPM only, TPM/PIN, TPM/StartupKey). The option is disabled by default.
The Password options tab
There are different options available:
The options on this tab are only available if you have selected BitLocker pre-boot authentication as the authentication type. In this case, none of the other tabs are active, because the options on these tabs refer exclusively to the authentication type DriveLock pre-boot authentication.
- You specify a BitLocker password and select none of the other options in the top part of the dialog:
  - The encryption process starts when you activate it and/or assign the policy. The user of the client computer is allowed to change the password later or continues to use the password you specified.
  - Please note that you are responsible for communicating the password to the users over a secure channel.
- You check the User cannot change password box:
  - Please specify a fixed password which the user can never change. The initial encryption process starts automatically, even without the user being logged on to the client computer, after you activate it and/or assign the policy.
  - As soon as the user starts the computer, the BitLocker password must be entered to unlock the encrypted hard disks. Please provide users with the appropriate password information over a secure channel.
  - The password is entered independently of the encryption progress, i.e. as soon as encryption is started, the BitLocker password must be entered in the PBA.
- You check the User must change password option (see figure):
  - The user can specify a password; you do not enter a password here.
  - If required, you can define the requirements the user password must meet.
  - The encryption process starts as soon as the user specifies the password.
  - The password may be changed later.
The options below Password must meet the following requirements: provide precise criteria that a password assigned by the user must meet. The option is selected by default.
- You can select the Allow numbers only option if all client computers are equipped with a TPM; in this case, passwords of 6 characters are allowed. If there is no TPM on the client computers, or if non-system partitions need to be encrypted as well, the default remains at least 8 characters (the Microsoft default for passwords on data partitions).
- The Allow numbers and Latin based characters option restricts the set of allowed characters: special characters can no longer be used with this setting. Please note the information in the BitLocker pre-boot authentication chapter.
- With the A valid password must contain at least... options you define the number of letters, numbers and special characters:
  - The password may be between 8 and 20 characters long. A number below 8 or higher than 20 leads to an error message.
  - Define the minimum requirements (number of letters, numbers, special characters etc.).
  - If you select the Treat numbers as special characters option, numbers count as numbers and also as special characters. Please make sure that the numbers and special characters correspond.
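As an added example (not DriveLock's own code), the following Python checker models the password rules described above: numbers only with a TPM, numbers and Latin letters only, the 8 to 20 character range, the minimum counts of letters, numbers and special characters, and the Treat numbers as special characters option. The policy field names and the treatment of any non-Latin, non-digit character as a special character are our assumptions.

```python
import string
from dataclasses import dataclass

LATIN_LETTERS = set(string.ascii_letters)
DIGITS = set(string.digits)
MAX_LENGTH = 20  # upper bound accepted by the dialog


@dataclass
class PasswordPolicy:
    """One configuration of the Password options tab (field names are ours, not DriveLock's)."""
    numbers_only: bool = False        # "Allow numbers only" (requires a TPM; 6 characters allowed)
    latin_only: bool = False          # "Allow numbers and Latin based characters"
    min_length: int = 8               # minimum length entered in the dialog
    min_letters: int = 0              # "A valid password must contain at least..." counts
    min_numbers: int = 0
    min_special: int = 0
    numbers_as_special: bool = False  # "Treat numbers as special characters"


def policy_errors(p: PasswordPolicy) -> list[str]:
    """Reproduce the dialog's check on the configured minimum length (6 with a TPM PIN, else 8)."""
    floor = 6 if p.numbers_only else 8
    if not floor <= p.min_length <= MAX_LENGTH:
        return [f"minimum length must be between {floor} and {MAX_LENGTH}"]
    return []


def password_errors(pw: str, p: PasswordPolicy) -> list[str]:
    """Return every rule the password violates; an empty list means it is accepted."""
    letters = sum(c in LATIN_LETTERS for c in pw)
    numbers = sum(c in DIGITS for c in pw)
    # Assumption: anything that is neither a Latin letter nor a digit counts as
    # special, which also covers accented letters.
    special = len(pw) - letters - numbers
    errs = []
    if not p.min_length <= len(pw) <= MAX_LENGTH:
        errs.append(f"length must be {p.min_length}-{MAX_LENGTH} characters")
    if p.numbers_only and numbers != len(pw):
        errs.append("only numbers are allowed")
    elif p.latin_only and special:
        errs.append("only numbers and Latin letters are allowed")
    if p.numbers_as_special:
        special += numbers  # digits count as numbers AND as special characters
    for have, need, what in ((letters, p.min_letters, "letter"),
                             (numbers, p.min_numbers, "number"),
                             (special, p.min_special, "special character")):
        if have < need:
            errs.append(f"at least {need} {what}(s) required, found {have}")
    return errs
```

Note that with Allow numbers and Latin based characters set, a minimum number of special characters can only be satisfied when Treat numbers as special characters is also selected; the checker shows this combination directly.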
If you want to set individual passwords for individual client computers, you can do so in the DriveLock Control Center. Here you can also monitor the encryption progress. Please refer to BitLocker Management in the DriveLock Control Center (DCC) for more information.