Mortgage Software Solutions Blog

Can Your Mortgage Business Use BitLocker Without TPM?

Written by Justin Kirsch | Thu, Sep 29, 2016

The theft of a computer can be bad news for your mortgage business. It's not just the cost of replacing it; insurance should cover that. It's the prospect of letting confidential information into the hands of thieves. Confidentiality is vital to the mortgage business. Even computers sitting on desktops can be stolen.

Encrypting the entire disk drive helps to protect against data theft. As long as a user isn't logged in and active, thieves won't be able to read anything on the drive. It just needs to be set up once and after that, it's transparent. A logged-in user sees files just as if they weren't encrypted.

BitLocker for Full Disk Encryption

On Windows, there are several ways to do this. Windows 10 Professional and some older versions include a tool called BitLocker. An open-source alternative called TrueCrypt used to be available, but it's no longer supported and may have uncorrected problems.

There's a limitation on BitLocker, though. By default, it requires a hardware device called the TPM, or Trusted Platform Module. The TPM provides an extra layer of security by storing passwords and keys in a secure form. Not all computers come with one, but some machines let you add one. It's logically tied to one computer and won't disclose its information if moved to another one. Windows 10 requires a version 1.2 TPM.

The way the encryption works may need a little explaining. You unlock the encrypted disk by logging in, but your password isn't the encryption key itself. The actual key is a long string of characters, and by default the TPM is needed to release it.

BitLocker Without TPM

It's not clear whether a TPM really makes BitLocker much more secure. If someone steals a computer, they're usually stealing the motherboard, disk drive, and TPM all at the same time. If your computer doesn't have one, it's still possible to use BitLocker, though it takes extra work.

The TPM provides other security benefits, though, so it is worth having. It checks if a drive or the boot loader has been tampered with. It lets the user store passwords and other credentials safely. Some older computers, however, don't support it.

Security Options

You can set up BitLocker to write a USB key, or you can have it require an additional password. If you use the USB key, you'll have to insert it each time you boot the computer. This approach may provide better security, since it requires an external device or piece of information. You can also use one or both of these options, if you do have a TPM, for the highest possible security.

BitLocker, even without a TPM, provides a reasonable level of security, but only if the user is careful. Don't carry the USB key around in the same bag as the computer (or permanently plugged into the computer). That defeats the whole point of having it. At the same time, don't lose the key.

If you're worried about losing the USB key, you can set up your Microsoft account so that you can get a recovery key if you ever need to. This creates an additional risk at the same time, since someone could conceivably steal it from the account. If this is a concern, you can print out the key, put it in a locked box, and delete it from your Microsoft account. (Don't store a written copy of either your recovery key or your Microsoft password with your computer!)
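The setup the two sections above describe (a USB startup key or a pre-boot password on a machine without a TPM, plus a recovery key kept out of band) can be scripted in PowerShell. The script below is an added example written for this post, not something from the original article or from Microsoft; it assumes an elevated PowerShell session on Windows 10 Professional, that the operating-system volume is C:, and that a removable drive used for the startup key is mounted at E: (both drive letters are assumptions). Registry value names under the FVE policy key are the ones the "Require additional authentication at startup" Group Policy setting writes; setting them directly is equivalent to using the Group Policy editor.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the blog post): enable BitLocker on the OS volume,
# choosing a protector that matches whether a usable TPM is present.

$OsDrive         = "C:"    # assumption: operating-system volume
$StartupKeyDrive = "E:\"   # assumption: removable drive for the startup key
$RecoveryOutFile = "E:\bitlocker-recovery-$env:COMPUTERNAME.txt"  # print, then delete

# 1. Detect a present and initialised TPM (Get-Tpm comes with Windows 10).
$tpm    = Get-Tpm
$hasTpm = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
Write-Host "TPM present and ready: $hasTpm"

# 2. Without a TPM, BitLocker refuses to enable unless policy allows it.
#    These are the registry values behind the Group Policy setting
#    "Require additional authentication at startup".
if (-not $hasTpm) {
    $fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
}

# 3. Skip if the volume is already protected; otherwise pick a protector.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.ProtectionStatus -eq "On") {
    Write-Host "$OsDrive is already protected; nothing to do."
    return
}

if ($hasTpm) {
    # With a TPM, add a startup key on top of it for the strongest option
    # the post mentions: the thief needs the machine AND the USB key.
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
        -TpmAndStartupKeyProtector -StartupKeyPath $StartupKeyDrive -SkipHardwareTest
} else {
    $choice = Read-Host "No TPM. Protector: [P]assword or [U]SB startup key"
    if ($choice -match '^[uU]') {
        # USB startup key: the stick must be inserted at every boot.
        Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
            -StartupKeyProtector -StartupKeyPath $StartupKeyDrive -SkipHardwareTest
    } else {
        # Pre-boot password: entered before Windows loads, separate from the login password.
        $pw = Read-Host -AsSecureString "BitLocker pre-boot password"
        Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
            -PasswordProtector -Password $pw -SkipHardwareTest
    }
}

# 4. Always add a 48-digit recovery password and get it off the machine.
#    Write it to a file for printing; delete the file once the printout is
#    locked away, and never keep it with the computer.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" } |
      Select-Object -First 1
@"
Computer:         $env:COMPUTERNAME
Volume:           $OsDrive
Protector ID:     $($rp.KeyProtectorId)
Recovery password: $($rp.RecoveryPassword)
"@ | Out-File -FilePath $RecoveryOutFile -Encoding ASCII
Write-Host "Recovery password written to $RecoveryOutFile (print it, then delete the file)."

# 5. Show the result: which protectors guard the volume and encryption progress.
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{ Name = "Protectors"; Expression = { ($_.KeyProtector.KeyProtectorType) -join ", " } }
```

Two points for the person running this: encryption continues in the background after the script returns (watch EncryptionPercentage), and the recovery password file on the USB stick is exactly the written copy the post warns about, so the printout goes in the locked box and the file is deleted before the stick leaves the desk.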

Keep it Safe

Whichever approach you prefer, having an encrypted drive is significantly safer than having an unencrypted drive. If someone steals a laptop computer with customer information, it's better if the thief gets only the hardware. Requiring BitLocker on all Windows computers that your business uses gives security a strong boost. Even if not all of them have TPM hardware, they still benefit from encryption. Just make sure employees don't take shortcuts that undercut the benefits.

Access Business Technologies provides secure cloud hosting services for the mortgage industry. Our state-of-the-art vulnerability management solutions, like DeviceGuardian™ and DocumentGuardian™, help provide you with the added security you need against mortgage cyber-attackers. This type of added security can be especially crucial when used with computer equipment utilized in mortgage operations. For more information, please contact us.