Using BitLocker with TPM Machines
If your machine supports TPM (most newer hardware does), you will not be asked to enter a passcode or provide an external key to boot the machine. Essentially, the Windows user login and general experience remain unchanged, but the data is encrypted and protected from unauthorized access. If you want to learn more about TPM and how the TPM security model was built to minimize user annoyance while improving security, please visit Windows Trusted Platform Module Technology Overview.
Using BitLocker with Non-TPM Machines
If your machine does not support TPM, DriveStrike will require that you provide a passphrase that will be used to encrypt the data on the machine. This passphrase is required to boot the machine from this point forward until BitLocker is disabled. The passphrase option and TPM are mutually exclusive, so if your machine has a TPM, you will not be able to set a passphrase, and if it does not have a TPM, you will need to set a passphrase.
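The TPM-or-passphrase rule above can be verified locally from the BitLocker protector list. The following PowerShell function is an added example, not DriveStrike's own code: it reports whether the machine has a usable TPM and whether each volume's key protectors match the expected model (a TPM-based protector and no passphrase on TPM machines, a Password protector and no TPM protector on non-TPM machines). It uses only the built-in Get-Tpm and Get-BitLockerVolume cmdlets and must be run from an elevated session on Windows; the function name and the output columns are the example's own choices.

```powershell
# Added example (not DriveStrike's code): check the TPM vs. passphrase protector model.
# Requires an elevated PowerShell session on Windows with the built-in
# TrustedPlatformModule and BitLocker modules.

function Get-BitLockerProtectorModel {
    [CmdletBinding()]
    param()

    # Get-Tpm throws when no TPM provider is available; treat that as "no usable TPM".
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { $tpm = $null }
    $tpmUsable = ($null -ne $tpm) -and $tpm.TpmPresent -and $tpm.TpmReady

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Any protector type beginning with "Tpm" (Tpm, TpmPin, TpmStartupKey, ...) is TPM-bound.
        $hasTpmProtector      = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
        $hasPasswordProtector = $types -contains 'Password'
        $hasRecoveryPassword  = $types -contains 'RecoveryPassword'

        # The mutual-exclusion rule applies to the operating-system volume; data volumes
        # are normally unlocked by auto-unlock (ExternalKey) and are reported but not judged.
        $isOsVolume = $vol.VolumeType -eq 'OperatingSystem'
        $expected   = if ($tpmUsable) { 'TPM' } else { 'Passphrase' }
        $consistent = if (-not $isOsVolume) { 'n/a' }
                      elseif ($tpmUsable)   { $hasTpmProtector -and -not $hasPasswordProtector }
                      else                  { $hasPasswordProtector -and -not $hasTpmProtector }

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType
            VolumeStatus        = $vol.VolumeStatus
            ProtectionStatus    = $vol.ProtectionStatus
            TpmUsable           = $tpmUsable
            ExpectedModel       = $expected
            ProtectorTypes      = ($types -join ', ')
            HasRecoveryPassword = $hasRecoveryPassword   # a recovery protector must exist to be escrowed
            ModelConsistent     = $consistent
        }
    }
}

# Usage: print one row per BitLocker volume.
Get-BitLockerProtectorModel | Format-Table -AutoSize
```

A row whose ModelConsistent column is False on the operating-system volume indicates a machine whose protectors were changed outside the expected model (for example a Password protector added on TPM hardware) and is worth investigating before relying on the boot behaviour described above.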
Additional Features
Escrowed Recovery Key – DriveStrike retains a copy of the recovery key file for all machines that have BitLocker enabled through DriveStrike. This ensures that administrators have an encryption key to unlock encrypted data when needed. A link to download the recovery key for each encrypted drive is displayed in the Device Details section within DriveStrike.
Stored Passphrase – When a passphrase is used to encrypt data, DriveStrike stores and displays the passphrase next to the associated drive within the Device Details section.
Additional Lock Option – Administrators can optionally force recovery mode through DriveStrike Remote Lock. Forced recovery mode removes the TPM key and requires a passphrase or an external key file to boot the machine and access the encrypted data. Downloading the DriveStrike escrowed key to the root of a USB drive prepares the USB to be used at boot to unlock the machine.
Change Encryption Key – Administrators can change the passphrase or recovery key for any drive. This allows administrators to securely lock out insiders while retaining access to the data on the machine (assuming the physical hardware is not destroyed).
Disable Encryption – Administrators can remotely disable encryption for the physical drives on the machine.
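Forced recovery mode, as described under Additional Lock Option, removes the TPM key protector, so the machine can only be unlocked afterwards through a recovery password or an external key file on a USB drive. Before invoking Remote Lock, an administrator will want to confirm that such a path exists for every protected volume. The PowerShell function below is an added example and not part of DriveStrike: it lists the RecoveryPassword and ExternalKey protectors of each encrypted volume and, given an optional USB drive letter, looks for .BEK key files at that drive's root and matches them against the volume's ExternalKey protector ids. It assumes the escrowed key file downloaded to the USB root is a standard BitLocker external key (.BEK) file named after its protector GUID, which is how BitLocker itself names such files; run it elevated on Windows.

```powershell
# Added example (not DriveStrike's code): verify that each encrypted volume can be
# unlocked without its TPM protector before forcing recovery mode.
# Assumption: the escrowed key file on the USB root is a BitLocker external key
# (.BEK) whose base name is the ExternalKey protector GUID.

function Test-BitLockerRecoveryReadiness {
    [CmdletBinding()]
    param(
        # Optional: drive letter of the USB stick that carries the escrowed key file.
        [string]$UsbDriveLetter
    )

    # .BEK files are written as hidden system files, so -Force is required to list them.
    $bekNames = @()
    if ($UsbDriveLetter) {
        $root = "$($UsbDriveLetter.TrimEnd(':', '\')):\"
        if (Test-Path -LiteralPath $root) {
            $bekNames = @(Get-ChildItem -LiteralPath $root -Filter '*.BEK' -File -Force -ErrorAction SilentlyContinue |
                          ForEach-Object { $_.BaseName.Trim('{', '}').ToUpperInvariant() })
        }
    }

    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }) {
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        $external = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'ExternalKey' })

        # Normalise protector ids ("{GUID}") to bare upper-case GUIDs for comparison with file names.
        $externalIds = @($external | ForEach-Object { $_.KeyProtectorId.Trim('{', '}').ToUpperInvariant() })
        $matchingBek = @($bekNames | Where-Object { $externalIds -contains $_ })

        [pscustomobject]@{
            MountPoint            = $vol.MountPoint
            ProtectionStatus      = $vol.ProtectionStatus
            RecoveryPasswordCount = $recovery.Count
            ExternalKeyCount      = $external.Count
            UsbKeyFileMatches     = $matchingBek.Count
            # Removing the TPM protector is only safe when another unlock path exists.
            SafeToForceRecovery   = ($recovery.Count -gt 0) -or ($matchingBek.Count -gt 0)
        }
    }
}

# Usage: check all encrypted volumes, matching key files on an assumed USB drive E:.
Test-BitLockerRecoveryReadiness -UsbDriveLetter 'E' | Format-Table -AutoSize
```

A volume reporting SafeToForceRecovery as False has no recovery password protector and no matching key file on the supplied USB drive; forcing recovery mode on such a machine would leave the data inaccessible until a protector is added and escrowed.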