BitLocker Agent Settings (Add Key Protector)

The Add BitLocker Key Protector tool adds a key protector to the volume protected with Microsoft BitLocker Drive Encryption. When a user accesses a drive protected by BitLocker, such as when starting a computer, BitLocker requests the relevant key protector. For example, the user can enter a PIN or provide a USB drive that contains a key. BitLocker retrieves the encryption key and uses it to unlock the data from the drive.

Key Protector Types:

There are several types of Key Protectors:

  • Trusted Platform Module (TPM). BitLocker uses the computer’s TPM to protect the encryption key. If you specify this protector, users can access the encrypted drive as long as it is connected to the system board that hosts the TPM, and the system boot integrity is intact. In general, TPM-based protectors can only be associated with an operating system volume.
  • TPM and Personal Identification Number (PIN). BitLocker uses a combination of the TPM and a user-supplied PIN. A PIN is four to twenty digits or, if you allow enhanced PINs, four to twenty letters, symbols, spaces, or numbers.
  • TPM, PIN, and startup key. BitLocker uses a combination of the TPM, a user-supplied PIN, and input from a USB memory device that contains an external key.
  • TPM and startup key. BitLocker uses a combination of the TPM and input from a USB memory device.
  • Startup key. BitLocker uses input from a USB memory device that contains the external key.
  • Password. BitLocker uses a password.
  • Recovery key. BitLocker uses a recovery key stored as a specified file in a USB memory device.
  • Recovery password. BitLocker uses a recovery password.
  • Active Directory Domain Services (AD DS) account. BitLocker uses domain authentication to unlock data volumes. Operating system volumes cannot use this type of key protector.

When selecting volumes, note that there are some limitations on encrypting a Windows system volume. Make sure to read the Microsoft documentation on these limitations before attempting to encrypt a system drive.

Encryption Size:

The encryption size in BitLocker refers to the length of the encryption key used to secure your data. BitLocker uses the Advanced Encryption Standard (AES) algorithm, and you can choose between two key lengths: 128-bit and 256-bit.

Here’s what the key lengths mean:

  1. 128-bit Encryption:
    • Security: Provides a high level of security and is generally considered sufficient for most purposes.
    • Performance: Offers faster encryption and decryption speeds compared to 256-bit encryption, which can be beneficial for performance-sensitive environments.
  2. 256-bit Encryption:
    • Security: Offers an even higher level of security due to the longer key length, making it more resistant to brute-force attacks.
    • Performance: Slightly slower in terms of encryption and decryption speeds compared to 128-bit encryption, but the difference is often negligible for most users.

Choosing the right encryption size depends on your specific needs. If you prioritize performance and the data isn’t extremely sensitive, 128-bit encryption is a good choice. If you need the highest level of security, especially for highly sensitive data, 256-bit encryption is the way to go.

Skip Hardware Test:

When you choose to skip the hardware test while encrypting a volume with BitLocker, the encryption process starts immediately without performing a preliminary check to ensure that the hardware (such as the Trusted Platform Module, TPM) is correctly configured and can be used to boot the computer.

Typically, the hardware test acts as a “dry run” to verify that all key protectors are properly set up and that the system can start without issues. By skipping this test, you avoid the need for a reboot before encryption begins. However, you also bypass the validation that would catch a misconfigured key protector before the volume is encrypted.
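The settings described above (key protector type, encryption size, and the hardware-test switch) map directly onto the built-in BitLocker PowerShell cmdlets. The following is an added example, not part of this page or the agent's own code; the drive letters and the AD group name are placeholders, and it must be run from an elevated session on the target machine.

```powershell
# Added example (not from the original page): enable BitLocker on the OS volume with a
# TPM + PIN protector, add and escrow a recovery-password protector, protect a data
# volume with an AD DS account protector, then verify what is attached to each volume.
$OsVolume   = "C:"                        # placeholder: operating system volume
$DataVolume = "D:"                        # placeholder: fixed data volume
$AdGroup    = "CONTOSO\BitLockerAdmins"   # placeholder AD group for the AD DS protector

# 1. OS volume: TPM + PIN, 256-bit AES (the "256-bit" choice described above).
#    -SkipHardwareTest starts encryption without the reboot-based dry run, so the
#    TPM/PIN configuration is NOT validated before the volume is encrypted.
$pin = Read-Host -AsSecureString -Prompt "Enter BitLocker PIN (4-20 characters)"
Enable-BitLocker -MountPoint $OsVolume -EncryptionMethod Aes256 `
    -TpmAndPinProtector -Pin $pin -SkipHardwareTest

# 2. Always pair a TPM-based protector with a recovery password, and escrow it to
#    AD DS before relying on the volume (recovery is the only way in if the TPM
#    measurements change or the PIN is lost).
Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $OsVolume).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint $OsVolume -KeyProtectorId $recovery.KeyProtectorId

# 3. Data volume: AD DS account protector (not valid for the OS volume), 128-bit AES,
#    plus its own recovery password so the volume is not tied solely to domain access.
Enable-BitLocker -MountPoint $DataVolume -EncryptionMethod Aes128 `
    -AdAccountOrGroupProtector -AdAccountOrGroup $AdGroup
Add-BitLockerKeyProtector -MountPoint $DataVolume -RecoveryPasswordProtector | Out-Null

# 4. Verify: protector types, encryption method and status for every volume.
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, EncryptionMethod,
    @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

Check the Protectors column before rebooting: an OS volume that lists only `Tpm` or `TpmPin` with no `RecoveryPassword` cannot be recovered if the TPM measurements change.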
