The TPM diagram implies that key storage and the encryption/decryption engine should be part of the module. So, why is there no full disk encryption product which uses this feature? E.g., why is there no FDE software that is not vulnerable to cold boot attacks?
If you want your key not to be present outside the TPM, your TPM would have to do all the encryption. That's not feasible because the TPM lacks the following:
symmetric encryption
The TPM itself can't perform symmetric encryption like AES on externally provided data.
performance
Even if it were capable of the encryption, the chip's performance wouldn't meet the requirements for FDE. A TPM is designed to be very, very low-cost. Performance is no design goal.
bandwidth
A TPM in a PC system is connected via the LPC bus, which can transfer 6.67 MB/s at most (and no full duplex either).
So the TPM is not designed to perform FDE.
The solution is to let the HDD itself do the encryption. If you want to go that way, you should look into the TCG's data storage working group. Their solution is based on Self Encrypting Drives (SED) which store their keys in the TPM. Therefore the key should never be visible in the system's RAM and only for a short time on the system's bus.
So there is a solution for FDE, but it requires special hardware (= the SEDs).
The native Self Encrypting Drive function is always on. This means that the data on the SSD is always encrypted; however, by default it has no password set. It has an internal hash which is accessed using the BIOS password you give when booting up. The motherboard needs to have an HDD BIOS lock option for you to enter the password, which most older desktop motherboards don't have, but most laptops (even older ones) have.
RAID function is problematic; it wasn't too long ago when Intel made available TRIM passthrough for RAID 1, and more recently RAID 0. Basically eDrive technology would have to be implemented in Intel drivers too, and this is probably very tricky when going for RAID 0. While I'm not that knowledgeable on the subject, it would appear near impossible as with the current implementation.
Windows software RAID 0 is another possibility, and this enables the hard drives to be in AHCI mode, allowing passthrough of eDrive commands. However, I'm not aware of hardware-level BitLocker support in software RAID mode. You'll have to try it out. Generally speaking, the speed difference between this type of "hardware" RAID and software RAID is negligible. True server-quality RAID implementations are another matter.
In short, use the BIOS HD password (usually named this way despite using UEFI, aka ATA password) if you wish to use Intel RAID, but you will miss out on eDrive. If you want eDrive, try out software RAID, which may or may not work.
Also, assuming that there is no clear "HD PASSWORD" type of setting in the UEFI BIOS, and BIOS-level HD passwording is not documented, you may want to try placing a general start-up password and extracting the disk and testing it on another computer or using an external USB enclosure. It should not boot up nor register in Windows if it has a password lock, i.e. it appears to be dead. The Secure Boot function does not affect user passwords, but is rather a communication layer between the hardware and OS and as such does not affect this problem.
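The answer above suggests pulling the disk to find out whether an ATA (BIOS HD) password is actually set. A less invasive check is to read the "Security:" section that `hdparm -I` prints for the drive. The parser below is an added example, not code from the answer or from hdparm; the sample output is constructed to mirror that section's layout (tabs, and a leading "not" on flags that are off), which is an assumption to verify against your own drive's output.

```python
import re
from typing import Dict

# Constructed sample in the layout of the "Security:" block of `hdparm -I /dev/sdX`
# (assumed layout; a real run may differ). Flags that are off are printed as "not\t<flag>".
SAMPLE_HDPARM_I = """\
ATA device, with non-removable media
\tModel Number:       EXAMPLE SSD 512GB
Security: 
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""

# One flag line: optional "not", the flag word, optional ": qualifier".
FLAG_RE = re.compile(r"^(not\s+)?([a-z]+)(?::\s*(.+))?$")


def parse_ata_security(text: str) -> Dict[str, bool]:
    """Return ATA Security feature-set flags (supported/enabled/locked/frozen/...) as booleans."""
    state: Dict[str, bool] = {}
    in_section = False
    for line in text.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if in_section and line and not line[0].isspace():
            break  # first non-indented line ends the Security block
        if not in_section:
            continue
        m = FLAG_RE.match(line.strip())
        if not m:
            continue  # revision code, erase timings, etc.
        negated, flag, qualifier = m.group(1) is not None, m.group(2), m.group(3)
        key = "enhanced_erase" if qualifier == "enhanced erase" else flag
        state[key] = not negated
    return state


def assess_ata_security(state: Dict[str, bool]) -> str:
    """Plain-language reading of the parsed flags for a defender checking drive state."""
    if not state.get("supported"):
        return "ATA Security feature set not supported by this drive"
    if state.get("enabled"):
        lock = "currently locked" if state.get("locked") else "unlocked for this session"
        return f"ATA password is set; drive is {lock}"
    if state.get("frozen"):
        return "no ATA password set; security frozen by firmware until next power cycle"
    return "no ATA password set; security not frozen (a password could be set from the OS)"
```

`frozen` means the firmware issued SECURITY FREEZE LOCK at boot, so the password state cannot be changed by software until the drive is power-cycled; that is the normal case on a PC whose BIOS offers no HD password option.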
Best Answer
Yes, it is. SRT is a software technology and any drive can work with it.
eDrive has to be built into the drive itself.
There is no overlap between these two technologies.