Protecting Your Data on the Microsoft Surface

If you know me, you know that I love the Microsoft Surface. It's one of the best devices available to run Windows. I love the Surface so much that I have three of them. I use a Surface Pro 3 as my primary computer at work, and I personally own a Surface Pro 2 and a Surface 3. I pretty much carry a Surface with me all the time. I am also mindful of where it is at all times, but what if my Surface were lost or stolen? Who would gain access to my data? BitLocker Drive Encryption, using Trusted Platform Module technology, allows Surface users to lock their data until specific hardware and software conditions are met.

The Surface Pro models and the Surface 3 boot from a Unified Extensible Firmware Interface (UEFI) and work in conjunction with a Trusted Platform Module (TPM) to guarantee the integrity of the Surface during both boot and runtime. The TPM, combined with the UEFI, verifies the boot loader and then loads the Windows OS. A TPM is a specialized microchip built onto the board that stores RSA (Rivest-Shamir-Adleman) encryption keys specific to the Surface for hardware authentication. This means that cryptographic keys can be created and encrypted so that they can be decrypted only by the TPM on that Surface. When the TPM generates encryption keys, it keeps half of the key information to itself, making it impossible to recover data from an encrypted drive that has been removed from its original computer. So even if someone obtains the user's part of the encryption key or the disk password, the TPM-protected drive's contents can't be read when it's connected to another computer. In addition, because the TPM uses its own internal firmware and logic circuits to process instructions, it does not rely on Windows and therefore is not exposed to external software vulnerabilities.

In addition to the TPM chip, the Surface also utilizes Microsoft BitLocker Drive Encryption. BitLocker is a full disk encryption (FDE) feature found in the Professional and Enterprise versions of Windows that uses the Advanced Encryption Standard (AES) encryption algorithm with either 128-bit or 256-bit keys. BitLocker works by encrypting the entire hard drive that your data resides on. The primary purpose of encryption is to protect the confidentiality of data stored on a computer. Full disk encryption (also known as whole disk encryption) basically means that the entire hard drive of a computer is encrypted, so when it's turned off, no one can access the data on the drive. When the computer is turned on, the user has to successfully authenticate in order to decrypt the hard drive and access the data. What this means is that if your Surface is lost or stolen, no one can get at your files, even if they break it open and connect the SSD to another computer. Furthermore, if BitLocker detects a potential security risk to your computer (e.g. multiple invalid login attempts), it will lock Windows and require a special BitLocker recovery key to unlock it. One thing that is important to remember is that while all data on the device is fully protected and encrypted while the computer is shut down, if the computer is left on and unattended (going to get that refill at Starbucks), the data is vulnerable and can be accessed.

Overall, the Surface was designed to work with BitLocker, which coordinates its activities with the TPM chip to provide hardware-based device authentication, tamper detection, and encryption key storage. The entire hard drive and all its contents remain encrypted and locked until the TPM verifies that the Surface hasn't been tampered with. Doing so helps prevent a nefarious person from accessing your Surface in an attempt to discover your personal files or anything else you have stored on it.
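To check that the pieces described above are actually in place on a given Surface, here is an audit script I wrote for this post (it is not Microsoft's code). It assumes an elevated PowerShell session on Windows 8.1 or 10 Pro/Enterprise with the BitLocker and TrustedPlatformModule modules available, and that the OS volume is C:; the function name and the finding messages are my own.

```powershell
# Added audit script (not from the original post). Assumes an elevated PowerShell
# session with the BitLocker and TrustedPlatformModule modules, and that the
# operating-system volume is C: (assumption; override with -MountPoint).
function Test-SurfaceDiskProtection {
    [CmdletBinding()]
    param([string]$MountPoint = 'C:')

    $tpm = Get-Tpm                                      # is a TPM present and ready?
    $vol = Get-BitLockerVolume -MountPoint $MountPoint  # BitLocker state of the OS volume
    # Confirm-SecureBootUEFI throws on legacy BIOS or unsupported firmware; treat that as "off".
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

    # Key protector types tell us how the volume key is sealed (Tpm, TpmPin, RecoveryPassword, ...).
    $types       = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $tpmBound    = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
    $hasRecovery = $types -contains 'RecoveryPassword'

    $findings = New-Object System.Collections.Generic.List[string]
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { $findings.Add('TPM missing or not ready') }
    if (-not $secureBoot)                          { $findings.Add('Secure Boot is off: the boot loader is not verified by firmware') }
    if ($vol.VolumeStatus -ne 'FullyEncrypted')    { $findings.Add("Volume status is $($vol.VolumeStatus), not FullyEncrypted") }
    if ($vol.ProtectionStatus -ne 'On')            { $findings.Add('BitLocker protection is suspended or off') }
    if (-not $tpmBound)                            { $findings.Add('No TPM key protector: the key is not sealed to this hardware') }
    if (-not $hasRecovery)                         { $findings.Add('No recovery password protector: a lockout could not be recovered') }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        EncryptionMethod = $vol.EncryptionMethod    # e.g. Aes128, Aes256, XtsAes256
        KeyProtectors    = ($types -join ', ')
        SecureBoot       = $secureBoot
        Compliant        = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

Test-SurfaceDiskProtection
```

A result with `Compliant` set to `$false` lists exactly which link in the TPM, Secure Boot and BitLocker chain is missing; the recovery password protector is the one to confirm has been backed up somewhere other than the device itself.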