Unattended Mount at Restart

BestCrypt Volume Encryption utilizes Trusted Platform Module (TPM) hardware available on many motherboards for the purpose of unattended reboot of computers with encrypted boot/system disk volume.

The feature is necessary to manage servers that are required to function around the clock. If such a server has boot/system volume encrypted, every reboot of the server requires manual entry of a password at boot time. This poses a problem when the server must be rebooted automatically: for example, when the installation of operating system updates requires a reboot of the server. System administrators typically configure automatic reboots to happen at times when minimum activity is running on the server (in the middle of the night for example). If a system/boot disk of the server is encrypted, during reboot the server will display the password prompt at boot time. The operating system will not boot until the administrator enters password when he/she appears in front of the server console next morning. In the mean time, the server will still be waiting to boot.

The option to reboot the computer without requiring to enter password at boot time exposes a security risk. For example, someone can turn off the computer, take it out of the company, turn it on again and get its boot/system volume mounted. If Mount at boot time option is set for a non-system data volume, it will also be mounted for access automatically.

To minimize the security risk as much as possible, BestCrypt Volume Encryption does the following:

• During reboot, the software stores the encryption key in the Trusted Platform Module. It is a special hardware designed to be as secure as possible. The key does not appear in a written form in any sector on the hard drive.
• The administrator can limit the time period when the computer reboots automatically, for example from 23:30 to 00:30, so that only during the specified time the computer would not require to enter the boot-time password.
• The administrator can limit the number of times the computer reboots without requiring to enter the boot-time password. For example, if the reboot expected to happen only once, the administrator can set the number of unattended reboots allowed to 1.

To set the option, run the command Options->Unattended mount at restart. The following dialog window will appear.

The window explains the security concerns that the user should understand and requires marking corresponding checkbox to activate the option.

The dialog window also explains how the user may set restrictive settings for the option to make its use more secure: limit the time period when the option is active and limit number of times the computer can be reboot in unattended mode.

The Unattended Mount At Restart option can be activated only on computers with Trusted Platform Module (TPM) hardware.

Only a user with administrative privileges can set this option or change its settings.

Initializing TPM Owner Password

To be able to work with the TPM hardware, the software must enter TPM Owner Password. It is required once only, when the user runs the "Unattended mount at restart" command for the first time.

In versions of Windows before Windows 10 the user configured the Password with some utility provided by the TPM hardware vendor. Hence, the user is aware of the Password and can enter it when the software asks about the password.

The way of configuring TPM software by the user called "Legacy" in Windows 10, although it is still possible to do that. In this case Windows 10 will refuse using the TPM hardware, for example, to encrypt disk with its BitLocker utility.

There are two other ways of utilizing TPM that Windows 10 prefers:

1. Windows 10 itself generates random TPM Owner password and then remembers it for the case when some other program may need it;
2. Windows 10 itself generates random TPM Owner password, initializes everything Windows needs for its own purposes and then forgets the password forever. In this case other software have no chance to use TPM. This is a default Windows 10 behavior.

The way of generating TPM Owner Password can be configured in the following Windows 10 Registry key: "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM" where value "OSManagedAuthLevel" can be set to one of the follwing:

• 0 - Windows 10 will allow configuring TPM in "Legacy" mode
• 2 - Windows 10 generates random TPM Owner password, but after initializing its own modules will erase the password. Default value
• 4 - Windows 10 generates random TPM Owner password and remebers it

Read more about the TPM settings in Windows 10 in Microsoft Change the TPM owner password article.

Configuring TPM Owner Password in Windows 10

To be able to use BestCrypt Volume Encryption command "Unattended mount at restart" in Windows 10, you should configure Windows 10 so that it would generate random TPM Owner password and remember it.

NOTE: When you change the way of managing TPM Owner Password in Windows 10, the operating system erases its keys stored in TPM hardware. So if you have some disk encrypted with Windows BitLocker, please decrypt it before changing the TPM settings.

Do the following to configure Windows 10 TPM settings:

1. Run Regedit.exe program and set value "OSManagedAuthLevel" in "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM" key to 4
2. Run Windows TPM configuration utility "tpm.msc"
3. Run command "Clear TPM" in the "tpm.msc" utility and reboot the computer
4. After rebooting the computer Windows will generate TPM Owner Password again and will remember it for further use
5. Run Windows utility "TpmInit.exe". In the appeared dialog window click "Remember my TPM owner password" to save the password to a file
6. Run BestCrypt Volume Encryption command "Unattended mount at restart". When you set the options in the appeared dialog windowe and click "OK" button, the following window will appear:

Select option Browse file with the password and enter path to the file where you have saved the TPM Password.

The software will accept the password and configure the TPM hardware for further use of the option. There will be no need anymore to enter TPM Owner Password again in the software. The user can even return the default Windows option back to erase the password and even run Clear TPM command in Windows tpm.msc utility. BestCrypt Volume Encryption will be able to work with TPM after a single successful action to configure TPM for its own purposes.

See also: