Does the TPM affect performance of Windows BitLocker?
The TPM is not used during normal encrypted data access operations.
BitLocker doesn't use the TPM to store the key used to perform the on-the-fly decrypt/encrypt operations that protect data on a BitLocker-encrypted volume. It's a little complicated, but here is a brief explanation of how the relevant keys are used:
- Data written to a BitLocker-protected volume is encrypted with a full-volume encryption key (FVEK). This key does not change until BitLocker is completely removed from a volume.
- The FVEK is encrypted with the volume master key (VMK) then stored (in its encrypted form) in the volume's metadata.
- The VMK in turn is encrypted with one or more protectors, such as a TPM or Recovery key.
You can combine the TPM with a numeric PIN or with a partial key stored on a USB drive for increased security. Each of these is a form of two-factor authentication. If your computer does not have a compatible TPM chip and BIOS, BitLocker can be configured to store a key protector completely on a USB drive. This is called a startup key. BitLocker can be disabled without decrypting the data; in this case, the VMK is protected only by a new key protector that is stored unencrypted. Note that this clear key allows the system to access the drive as if it were unprotected.
The following picture displays the reverse process happening when the user authenticates with BitLocker (note that authentication usually means hardware attestation from the TPM).
It's clear that the TPM's role is to simply "store" an encrypted copy of the VMK, which in turn is used to decrypt the FVEK. It's the FVEK that's used in the actual encryption/decryption process used when data is accessed on the disk.
More information about this process can be found on TechNet.
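A small Python model of the key hierarchy the answer describes, added here as an example (it is not Microsoft's code nor the TechNet article's). HMAC-SHA256 in counter mode plus a MAC stands in for BitLocker's AES, and the names `Volume`, `seal`, `unseal` and the protector labels are assumptions of this model. It shows that every protector (TPM, recovery, PIN, the clear key of a suspended volume) unwraps the same VMK and therefore the same FVEK, that adding a protector or suspending BitLocker leaves the sealed FVEK and the encrypted sectors untouched, and that reading or writing data touches only the FVEK.

```python
import hashlib, hmac, os

def _stream_xor(key, nonce, data):
    # HMAC-SHA256 in counter mode as a toy stand-in for AES; not BitLocker's cipher
    out = bytearray()
    for i in range(0, len(data), 32):
        blk = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], blk))
    return bytes(out)

def seal(key, plaintext, nonce=None):
    """Encrypt-then-MAC: nonce || ciphertext || tag (stand-in for BitLocker's key wrap)."""
    nonce = os.urandom(16) if nonce is None else nonce
    ct = _stream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong protector or corrupted metadata")
    return _stream_xor(key, nonce, ct)

class Volume:
    """Metadata: FVEK sealed under the VMK, one sealed VMK copy per protector, plus data."""
    def __init__(self, protectors):
        fvek, vmk = os.urandom(32), os.urandom(32)   # FVEK never changes for the volume's life
        self.sealed_fvek = seal(vmk, fvek)
        self.protectors = {name: seal(secret, vmk) for name, secret in protectors.items()}
        self.clear_key = None        # set only while BitLocker is "disabled"/suspended
        self.sectors = {}

    def unlock(self, name, secret=None):
        """Authenticate with one protector: recover the VMK, then the FVEK. Returns (vmk, fvek)."""
        key = self.clear_key if name == "clear" else secret
        vmk = unseal(key, self.protectors[name])
        return vmk, unseal(vmk, self.sealed_fvek)

    def add_protector(self, vmk, name, secret):
        self.protectors[name] = seal(secret, vmk)    # FVEK and sector data are untouched

    def suspend(self, vmk):
        """Disable BitLocker without decrypting: VMK sealed under a key stored in the clear."""
        self.clear_key = os.urandom(32)
        self.protectors["clear"] = seal(self.clear_key, vmk)

    def write(self, fvek, lba, data):    # data path uses only the FVEK; the TPM is not involved
        self.sectors[lba] = seal(fvek, data, nonce=lba.to_bytes(16, "big"))

    def read(self, fvek, lba):
        return unseal(fvek, self.sectors[lba])
```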