Originally Posted by ItsJustMe
If it boots up and allows its shares to be accessed without a password, what's the good of the encryption?
Just curious. I'm a long-time TrueCrypt believer, and think anyone who has data that they care about stolen got what was coming to them for being lazy.
I'm also a long-time TrueCrypt user as well. For servers, BitLocker is engineered for security, but with different goals from TrueCrypt. TrueCrypt is to protect against well nigh everything that comes at it, including the guys with the rubber hose. BitLocker makes some security compromises in return for some data recovery features which are needed in corporate IT. For example, BitLocker asks one to print out and save the volume AES key so you can manually enter that, in case of emergency. It's assumed that the user will store the AES key info in a locked location. On Active Directory domains, BitLocker can also store recovery keys in the Active Directory schema, allowing IT staff access to a laptop that was used by a terminated employee, for example.
What the TPM chip does with a Bitlocker system is first scan the MBR and first boot sectors to check if it matches a valid hash. Then, and only then, does it pass the volume key to the booting machine which allows it to decrypt, boot, and go online. If someone pulls the hard disk or tries to modify the boot loader (to try to put a keylogger on for storing the volume key somewhere), the TPM will catch the modified code and refuse to pass the key, requiring the drive to be unlocked either by a keyfile (stored on a USB flash drive in a secure place), or a manually punched in set of characters.
The advantage for a server: Attacks are limited to the logon screen and from remote (things which TrueCrypt can't protect against anyway). Someone can't just boot up a Knoppix CD, and use a copy of Ophcrack to pull out passwords. Someone can physically steal the server, but they would still be stuck trying to guess passwords by hand at the winlogon screen.
Bitlocker serves most business needs. It will keep a server at a remote location able to boot and be usable by employees who are not authorized to have admin rights, but yet keep data stored on the system and other volumes encrypted, inaccessible unless someone manages to get admin rights to the machine. Bitlocker is highly secure, and does not have any security holes that TrueCrypt doesn't have, but Bitlocker is engineered for recoverability so IT people can regain access to encrypted volumes. TrueCrypt is engineered with security in mind, and the only real way to have IT people recover an encrypted volume with a lost passphrase is for them (the IT staff) to have saved a header backup with a known passphrase beforehand.
If you want a passphrase for booting, all TPM chips can have one enabled where if someone types the passphrase wrong more than 5 times, the TPM will lock, and the drive contents will be inaccessible (until you manually unlock the drive with its main key).
I would recommend looking at the BitLocker wiki and MS's article (http://tinyurl.com/3y9frd) for further tech details.
To sum up: Bitlocker is akin to a pair of pliers, and TrueCrypt is akin to a pair of needle nose pliers. Both serve similar purposes, but they address needs for totally different people.
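The measured-boot check the reply describes (TPM hashes the MBR and boot code, and releases the volume key only if the chain matches what it was sealed to), modelled as an added Python example that is not code from the post or from BitLocker. The boot images, the PCR extend rule and the XOR-based key wrapping are constructed stand-ins for the real TPM internals, so the point is the control flow: a patched bootloader changes the PCR and the key is not released.

```python
import hashlib
import os

# Constructed stand-ins for the boot stages the TPM measures at power-on.
GOOD_MBR = b"constructed MBR image v1"
GOOD_BOOTLOADER = b"constructed bootmgr image v1"


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Replay measured boot: the PCR starts zeroed and each stage is extended in order."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def seal_volume_key(volume_key: bytes, policy_pcr: bytes) -> dict:
    """Bind the volume key to a PCR value (model of TPM sealing).
    The blob records the expected PCR; the key is wrapped under a KEK derived from it."""
    kek = hashlib.sha256(b"seal-kek:" + policy_pcr).digest()
    wrapped = bytes(a ^ b for a, b in zip(volume_key, kek))
    return {"policy_pcr": policy_pcr, "wrapped": wrapped}


def unseal_volume_key(sealed: dict, observed_pcr: bytes):
    """Release the key only if the PCR measured this boot equals the sealed policy.
    On mismatch return None: the machine must fall back to the recovery key."""
    if observed_pcr != sealed["policy_pcr"]:
        return None
    kek = hashlib.sha256(b"seal-kek:" + sealed["policy_pcr"]).digest()
    return bytes(a ^ b for a, b in zip(sealed["wrapped"], kek))


def boot(sealed: dict, components):
    """One boot attempt: measure the chain, then ask the 'TPM' for the key."""
    return unseal_volume_key(sealed, measure_boot_chain(components))


def demo():
    volume_key = os.urandom(32)
    sealed = seal_volume_key(volume_key, measure_boot_chain([GOOD_MBR, GOOD_BOOTLOADER]))
    clean = boot(sealed, [GOOD_MBR, GOOD_BOOTLOADER])                 # unmodified boot
    tampered = boot(sealed, [GOOD_MBR, GOOD_BOOTLOADER + b" +patch"])  # modified loader
    return clean == volume_key, tampered is None
```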