19

Will I lose my files? Will Windows keep booting?

I'm running Windows 10 without TPM enabled. My system supports TPM 2.0, but it's currently disabled, and since it seems that the new Windows 11 will need that feature, I wonder if it can be enabled now to be ready.

Peter Mortensen
E_Blue

2 Answers

25

By itself the TPM does nothing. It does not magically encrypt your disk, nor does it prevent your system booting.

The TPM is simply a secure enclave that provides security facilities.

It is where operating system programs such as Bitlocker can store keys.

If you have encrypted your disk then upon booting the (unencrypted) BitLocker bootloader queries the key from the TPM and proceeds to transparently decrypt the disk. If the hard drive BitLocker booted from is removed from that PC and put in another, then it will fail to find a key in the TPM, and will therefore be unable to decrypt the disk.

The TPM cannot do anything without your operating system or programs doing work with it. Just "enabling" the TPM will do absolutely nothing and will not by itself make files inaccessible.

Mokubai
  • If you have the "recovery key" which BitLocker usually asks to store in your Microsoft account then you should be able to unlock the disk that way. – Mokubai Jun 25 '21 at 05:56
  • Then the question is whether simply "enabling" it will cause Windows to use it automatically. – user253751 Jun 25 '21 at 09:37
  • So, it can't be done offline? – E_Blue Jun 25 '21 at 09:50
  • @E_Blue you can go online and, I believe, write down or print out your recovery key on a piece of paper. https://support.microsoft.com/en-us/windows/finding-your-bitlocker-recovery-key-in-windows-10-6b71ad27-0b89-ea08-f143-056f5ab347d6 "Your BitLocker recovery key is a unique 48-digit numerical password that can be used to unlock your system". You do have to have printed off the recovery key beforehand or have access to the account to get the key somehow. – Mokubai Jun 25 '21 at 12:00
  • If I have dual boot, the non-Windows OS will not be able to access my files. Correct? If so, I hope it will be possible to deactivate that feature. – E_Blue Jun 25 '21 at 13:20
  • BitLocker will need to be disabled so that your installer for the alternative OS can see and resize the disk partitions; after that you can re-enable BitLocker for the partitions as required. https://itsfoss.com/dual-boot-ubuntu-windows-bitlocker/ – Mokubai Jun 25 '21 at 13:27
  • You mean that I can activate BitLocker for some partitions and not for others? – E_Blue Jun 25 '21 at 14:07
  • Yes. BitLocker is a **volume** (partition) encryption system, not 100% disk encryption. See https://en.wikipedia.org/wiki/BitLocker#Operation Your system is secure because under normal circumstances your swap and all other potential "leak" paths, such as your swap file, are on your system partition. You could potentially leak data by putting your swap file or other sensitive documents on unencrypted partitions on the same disk. From Disk Management, the UEFI boot partition and recovery partitions are unencrypted while the "system" partition is encrypted: https://i.stack.imgur.com/jfkk2.png – Mokubai Jun 25 '21 at 14:54
  • @E_Blue You can have recovery keys stored in many places: your Microsoft Account, a print out, a text file on another volume or device, or even Active Directory. Windows will not let you turn on BitLocker without at least ONE option being used. TPM does not equal BitLocker, but they pair well together. – Canadian Luke Jun 25 '21 at 16:52
  • @E_Blue - Your question makes no mention of BitLocker. Why are you worried about a feature that until you asked this question you probably were not even aware existed, and how does it relate to simply enabling the option within your firmware? – Ramhound Jun 25 '21 at 21:13
  • @Ramhound I did not mention BitLocker because at that time I was not aware of how TPM works and why Windows 11 will need it. Also, since Microsoft forces everybody to update constantly, I don't want to, one day, turn on the PC and not be able to use it or get all my disks encrypted. All this from the point of view that I wasn't aware of how all this works. I already had bad experiences with UEFI and RAID, lost a lot of data, I don't want that again. – E_Blue Jun 26 '21 at 00:15
  • You do understand Windows 11 updates will continue to be required. I have my suspicions that Windows 11 won't support deferral of updates like Windows 10 does. Insecure devices, and Microsoft being blamed for problems with those devices, is a huge problem for Microsoft. There isn't a single other operating system other than Linux that doesn't force updates to the device. Even Linux is starting to change. – Ramhound Jun 26 '21 at 01:05
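The check a practitioner would want before toggling the TPM in firmware, as an added example that is not part of the answer or the comments above: PowerShell that reports whether the TPM is present and ready, and flags any BitLocker volume whose key is sealed to the TPM without a RecoveryPassword protector backed up. It assumes Windows 10/11 with the built-in TrustedPlatformModule and BitLocker modules, run from an elevated prompt.

```powershell
# Added example: TPM / BitLocker readiness report before changing TPM settings.
# Assumes the built-in Get-Tpm and Get-BitLockerVolume cmdlets (elevated prompt).

function Get-TpmBitLockerReport {
    $tpm = Get-Tpm                                # TpmPresent / TpmReady fields
    $report = [ordered]@{
        TpmPresent = $tpm.TpmPresent
        TpmReady   = $tpm.TpmReady
        Volumes    = @()
    }
    foreach ($vol in Get-BitLockerVolume) {
        # Key protector types as strings, e.g. Tpm, TpmPin, RecoveryPassword, ExternalKey
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $usesTpm     = [bool]($types | Where-Object { $_ -like 'Tpm*' })
        $hasRecovery = $types -contains 'RecoveryPassword'
        $report.Volumes += [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus          # On / Off
            EncryptionPct    = $vol.EncryptionPercentage
            KeyProtectors    = ($types -join ',')
            # Risk flag: sealed to this TPM with no recovery password, so a
            # firmware change (toggling/clearing the TPM) or moving the disk
            # to another PC could leave the volume unlockable.
            NeedsRecoveryKey = ($usesTpm -and -not $hasRecovery)
        }
    }
    [pscustomobject]$report
}

$r = Get-TpmBitLockerReport
"TPM present: $($r.TpmPresent)  ready: $($r.TpmReady)"
$r.Volumes | Format-Table -AutoSize
$r.Volumes | Where-Object NeedsRecoveryKey | ForEach-Object {
    Write-Warning ("Volume $($_.MountPoint) is TPM-protected with no recovery password; " +
                   "add one first: manage-bde -protectors -add $($_.MountPoint) -RecoveryPassword")
}
```

A volume with ProtectionStatus Off and no key protectors is simply not encrypted, which matches the answer's point that enabling the TPM by itself changes nothing until software such as BitLocker is configured to use it.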
10

Will I lose my files?

You absolutely will not lose your files. You don't have to even download drivers. Unless you use software that loads a key into your TPM, the functionality will simply be enabled, waiting to be used by the software.

The only software that I am aware of that even uses it on Windows would be BitLocker.

I wonder if it can be enabled now to be ready.

I enabled it on my personal machine without an issue.

Will Windows keep booting?

It absolutely will keep booting.

Ramhound
  • TPM's a tool stuff uses - unless you set up BitLocker your disk won't get encrypted, as do other tools. I just turned on the embedded TPM on my system and... nothing happened – Journeyman Geek Jun 25 '21 at 06:27