编辑“︁BitLocker”︁（章节）

== 加密模式 ==
有三种认证机制可以用来构建BitLocker加密<ref>{{cite web|url=http://www.microsoft.com/technet/security/guidance/clientsecurity/dataencryption/analysis/4e6ce820-fcac-495a-9f23-73d65d846638.mspx|title=BitLocker Drive Encryption|accessdate=2007-09-05|date=2007-04-04|work=Data Encryption Toolkit for Mobile PCs: Security Analysis|publisher=Microsoft|archive-url=https://web.archive.org/web/20071023233150/http://www.microsoft.com/technet/security/guidance/clientsecurity/dataencryption/analysis/4e6ce820-fcac-495a-9f23-73d65d846638.mspx|archive-date=2007-10-23|dead-url=yes}}</ref>：
* 透明运行模式：此模式使用[[可信平台模块|TPM]] 1.2硬件的功能来透明运行。此模式下，用户在无感知的情况下正常启动并登录到Windows。用于[[磁盘加密]]的密钥由[[可信平台模块|TPM]]芯片密封（加密），且在未检测到有对早期启动组件的修改的情况下被释放到操作系统加载代码中。因为其允许攻击者[[啟動程式|启动]]已关闭电源的机器，所以这种模式很容易受到[[冷启动攻击]]。
* 用户认证模式：此模式要求用户以预引导[[PIN]]或密码的形式向预引导环境提供认证。
* USB密钥模式：用户必须将包含启动密钥的USB设备插入计算机才能启动受保护的操作系统。此模式要求受保护机器上的BIOS支持在操作系统预加载阶段读取USB设备。密钥还可以通过使用{{le|CCID (协议)|CCID (protocol)|CCID}}（芯片卡接口设备）读取加密[[智能卡]]获得。使用CCID比单纯将密钥文件存储在外部[[U盘]]更安全，因为CCID协议使用嵌入在智能卡中的加密处理器隐藏私钥，防止密钥因智能卡内容泄露而被简单获取。

上述认证机制支持以下组合，全部具有可选的{{le|密钥托管|Key escrow|托管}}恢复密钥：
* 仅[[可信平台模块|TPM]]<ref>{{cite web|url = http://msdn.microsoft.com/en-us/library/aa376470(VS.85).aspx|title = ProtectKeyWithTPM method of the Win32_EncryptableVolume class|work = MSDN Library|publisher = Microsoft|date = 2008-02-19|accessdate = 2008-07-18|archive-date = 2008-12-01|archive-url = https://web.archive.org/web/20081201120230/http://msdn.microsoft.com/en-us/library/aa376470(VS.85).aspx|dead-url = no}}</ref>
* [[可信平台模块|TPM]] + PIN<ref>{{cite web|url = http://msdn.microsoft.com/en-us/library/aa376468(VS.85).aspx|title = ProtectKeyWithTPMAndPIN method of the Win32_EncryptableVolume class|work = MSDN Library|publisher = Microsoft|date = 2008-02-19|accessdate = 2008-07-18|archive-date = 2008-12-01|archive-url = https://web.archive.org/web/20081201142018/http://msdn.microsoft.com/en-us/library/aa376468(VS.85).aspx|dead-url = no}}</ref>
* [[可信平台模块|TPM]] + PIN + USB密钥<ref>{{cite web|url = http://msdn.microsoft.com/en-us/library/bb931362(VS.85).aspx|title = ProtectKeyWithTPMAndPINAndStartupKey method of the Win32_EncryptableVolume class|work = MSDN Library|publisher = Microsoft|date = 2008-02-19|accessdate = 2008-07-18|archive-date = 2008-12-02|archive-url = https://web.archive.org/web/20081202134805/http://msdn.microsoft.com/en-us/library/bb931362(VS.85).aspx|dead-url = no}}</ref>
* [[可信平台模块|TPM]] + USB密钥<ref>{{cite web|url = http://msdn.microsoft.com/en-us/library/aa376469(VS.85).aspx|title = ProtectKeyWithTPMAndStartupKey method of the Win32_EncryptableVolume class|work = MSDN Library|publisher = Microsoft|date = 2008-02-19|accessdate = 2008-07-18|archive-date = 2008-09-24|archive-url = https://web.archive.org/web/20080924145428/http://msdn.microsoft.com/en-us/library/aa376469(VS.85).aspx|dead-url = no}}</ref>
* USB密钥<ref>{{cite web|url = http://msdn.microsoft.com/en-us/library/aa376466(VS.85).aspx|title = ProtectKeyWithExternalKey method of the Win32_EncryptableVolume class|work = MSDN Library|publisher = Microsoft|date = 2008-02-19|accessdate = 2008-07-18|archive-date = 2008-12-26|archive-url = https://web.archive.org/web/20081226230958/http://msdn.microsoft.com/en-us/library/aa376466(VS.85).aspx|dead-url = no}}</ref>
* 仅口令<ref>{{cite web|url = http://msdn.microsoft.com/en-us/library/aa376467(VS.85).aspx|title = ProtectKeyWithNumericalPassword method of the Win32_EncryptableVolume class|work = MSDN Library|publisher = Microsoft|date = 2008-02-19|accessdate = 2008-07-18|archive-date = 2008-12-01|archive-url = https://web.archive.org/web/20081201144924/http://msdn.microsoft.com/en-us/library/aa376467(VS.85).aspx|dead-url = no}}</ref>