Bitlocker without TPM:


BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.

On computers that do not have a TPM version 1.2, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and it does not provide the pre-startup system integrity verification offered by BitLocker with a TPM.

In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.

1:

Hardware, firmware, and software requirements

To use BitLocker, a computer must satisfy certain requirements:

  • For BitLocker to use the system integrity check provided by a TPM, the computer must have a TPM version 1.2. If your computer does not have a TPM, enabling BitLocker will require you to save a startup key on a removable device such as a USB flash drive.
  • A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS. The BIOS establishes a chain of trust for pre-operating system startup and must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require a TCG-compliant BIOS.
  • The system BIOS (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment. For more information about USB, see the USB Mass Storage Bulk-Only and the Mass Storage UFI Command specifications on the USB Web site (http://go.microsoft.com/fwlink/?LinkId=83120).
  • The hard disk must be partitioned with at least two drives:

· The operating system drive (or boot drive) contains the operating system and its support files; it must be formatted with the NTFS file system.

· The system drive contains the files that are needed to load Windows after the BIOS has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the NTFS file system. The system drive should be at least 1.5 gigabytes (GB).

2:

Installation and initialization:

By default, the BitLocker setup wizard is configured to work seamlessly with the TPM. An administrator can use Group Policy or a script to enable additional features and options.

For enhanced security, you can combine the use of a TPM with either a PIN entered by the user or a startup key stored on a USB flash drive.

On computers without a compatible TPM, BitLocker can provide encryption, but not the added security of locking keys with the TPM.

In this case, the user is required to create a startup key that is stored on a USB flash drive.

Hence, without a flash drive you cannot even reach the recovery screen: the flash drive is mandatory before the screen for entering the key is shown.

To enable BitLocker on a computer without a TPM, you must enable the Require additional authentication at startup Group Policy setting, which is located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.

You must select the Allow BitLocker without a compatible TPM check box. After this setting is applied to the local computer, the non-TPM settings appear in the BitLocker setup wizard.
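Before touching the wizard it is worth confirming the three things the text above depends on: whether a TPM is actually present, whether the Group Policy setting has been applied, and whether the disk has the separate system and operating system volumes the requirements list calls for. The script below is an added example and is not part of the original post or of Microsoft's documentation; it reads the registry values that the "Require additional authentication at startup" policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseAdvancedStartup and EnableBDEWithNoTPM), queries the TPM through the Win32_Tpm WMI class, and inspects Win32_Volume for the boot and system volumes. It is written for Windows PowerShell and must run elevated.

```powershell
# Added example, not from the original post: pre-flight check before enabling
# BitLocker on the operating-system drive of a computer that may lack a TPM.
# Reports (1) whether a TPM is present, (2) whether the "Require additional
# authentication at startup" policy allows BitLocker without a TPM, and
# (3) whether the system/OS volume layout meets the requirements listed above.
# Run from an elevated Windows PowerShell session (the TPM WMI class needs admin).

$isAdmin = ([Security.Principal.WindowsPrincipal] `
            [Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { Write-Warning 'Not elevated: the TPM query below may return nothing.' }

# Registry location that the BitLocker Group Policy settings are written to.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([string]$Name)
    # $null means the policy has never been applied (key or value absent).
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

# --- 1. TPM presence ---------------------------------------------------------
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm `
                     -ErrorAction SilentlyContinue
if ($tpm) {
    "TPM: present, spec $($tpm.SpecVersion), enabled=$($tpm.IsEnabled_InitialValue), activated=$($tpm.IsActivated_InitialValue)"
} else {
    'TPM: none reported. A USB startup key will be required at every boot and no pre-boot integrity check is available.'
}

# --- 2. Policy: is BitLocker allowed without a compatible TPM? ---------------
$useAdvancedStartup = Get-FvePolicyValue 'UseAdvancedStartup'   # 1 = policy Enabled
$allowNoTpm         = Get-FvePolicyValue 'EnableBDEWithNoTPM'   # 1 = "Allow BitLocker without a compatible TPM" ticked
if ($useAdvancedStartup -eq 1 -and $allowNoTpm -eq 1) {
    'Policy: BitLocker without a compatible TPM is allowed.'
} elseif (-not $tpm) {
    'Policy: not set. Enable "Require additional authentication at startup", tick "Allow BitLocker without a compatible TPM", then run gpupdate /force.'
} else {
    'Policy: not set; a TPM is present, so the default setup wizard path applies.'
}

# --- 3. Volume layout --------------------------------------------------------
# The OS volume (Windows files, BootVolume) and the system volume (boot files,
# SystemVolume) must be two different NTFS volumes; the system volume stays unencrypted.
$os  = Get-WmiObject -Class Win32_Volume | Where-Object { $_.BootVolume }   | Select-Object -First 1
$sys = Get-WmiObject -Class Win32_Volume | Where-Object { $_.SystemVolume } | Select-Object -First 1

if ($os.DeviceID -eq $sys.DeviceID) {
    'Layout: Windows and the boot files share one volume; BitLocker setup needs a separate system partition.'
} else {
    "Layout: OS volume $($os.DriveLetter) [$($os.FileSystem)], system volume [$($sys.FileSystem)] $([math]::Round($sys.Capacity / 1MB)) MB"
    if ($os.FileSystem -ne 'NTFS' -or $sys.FileSystem -ne 'NTFS') { 'Layout: both volumes must be NTFS.' }
    if ($sys.Capacity -lt 1.5GB) { 'Layout: system volume is below the 1.5 GB size recommended above.' }
}
```

Run it once before changing anything and again after applying the policy and running gpupdate /force; the second run should report the policy as allowed while the TPM and layout lines stay the same. A system volume with no drive letter (the "System Reserved" partition) is normal and shows up with an empty letter in the layout line.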

Try to uncheck the option under gpedit, then reboot, then check again whether you can use a USB flash drive as the encryption key.

I would suggest that you disable the setting and then re-apply it. Follow the directions in the links given below.

Step 1: What Group Policy settings are used with BitLocker?

http://windows.microsoft.com/en-US/windows7/What-Group-Policy-settings-are-used-with-BitLocker

Step 2: BitLocker Drive Encryption in Windows 7: Frequently Asked Questions

http://technet.microsoft.com/en-us/library/ee449438(WS.10).aspx#BKMK_HSRequirements

You may have to change a few settings in the Group Policy Editor on your computer in order to enable BitLocker; follow the steps below:

1. Click on Start >> type in gpedit.msc in the Start Search.

2. Click on Computer Configuration >> click Administrative Templates >> click Windows Components >> click on Bitlocker Drive Configuration

3. Now right click on Control Panel: Enable advanced Startup Options and select Properties.

4. Put a check for “Allow Bitlocker without compatible TPM chip”.

Now reboot the computer and check if you are able to use

3:

How To Use BitLocker on Drives without TPM

BitLocker is an encryption feature available in Ultimate and Enterprise versions of Windows 7 and Vista, but requires a Trusted Platform Module (TPM) on the system. Not all systems include TPM and today we take a look at how to bypass it so you can use BitLocker.

Enable BitLocker

You can use BitLocker to encrypt an entire fixed drive, such as the local drive Windows is installed on or an internal data drive. For removable flash or external USB drives you can use its younger brother, BitLocker To Go. First let’s take a look at how to enable BitLocker on a local hard drive.

To encrypt an entire drive, simply right-click on the drive and select Turn on BitLocker from the context menu.


Next you’ll need to choose a secure password that will be used to access the drive.


You’re prompted to store the recovery key which is used in the event you lose your password or smartcard. If you store it as a file make sure that it’s not on the same drive that you’re encrypting.


Confirm you want the drive to be encrypted then wait until the process is complete. The amount of time it takes will vary based on the size and amount of data on the drive.


To access the encrypted drive you’ll need to enter in the password to unlock it.


The drive icon will change to show it’s encrypted with BitLocker, where the gold lock indicates it’s locked up and the gray lock is displayed after you have unlocked it.


Use BitLocker on a Drive Without TPM

If your computer doesn’t have a compatible TPM, you’ll need to use the following steps and have a flash drive.


Enter in gpedit.msc in the search box of the Start menu and hit Enter.


Under Local Computer Policy navigate to:

Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives and double click on Require additional authentication at startup.


Enable the setting and check the box next to Allow BitLocker without a compatible TPM, click Apply and OK, and close the Local Group Policy Editor.


Go back to the hard drive you want to encrypt and turn on BitLocker.

A restart will be required to prepare the disk, and at this point make sure the flash drive is plugged in.


After the restart you’re prompted to use the startup key on the flash drive every time you start the computer.


Select the drive you want to use to store the key.

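The same enablement can be scripted instead of clicked through, which is useful when the wizard has to be repeated on several non-TPM machines. The script below is an added example and is not part of the original post or the How-To Geek article; it drives manage-bde to add a recovery password and a USB startup-key protector, saves the protector details to the USB drive rather than the drive being encrypted (as the wizard step above recommends), and then turns encryption on. It assumes the Group Policy change from the previous steps has already been applied, that C: is the Windows drive, and that E: is the USB flash drive; both drive letters are assumptions to adjust.

```powershell
# Added example, not from the original post: turn on BitLocker for the OS drive
# using a USB startup key instead of a TPM, driven through manage-bde.
# Assumptions: the "Allow BitLocker without a compatible TPM" policy is already
# applied, $OsDrive is the Windows drive and $UsbDrive is the USB flash drive
# (drive letters are assumptions; adjust them). Run from an elevated session.
param(
    [string]$OsDrive  = 'C:',
    [string]$UsbDrive = 'E:'
)

function Invoke-ManageBde {
    # Runs manage-bde with the given arguments and stops on a non-zero exit
    # code, so a failed step (for example, policy not applied) does not
    # silently continue to the next one.
    param([string[]]$Arguments)
    $output = & manage-bde @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed (exit $LASTEXITCODE):`n$($output -join "`n")"
    }
    return $output
}

# The USB drive must be present now: the startup key (.BEK file) is written to
# it, and the hardware test after the restart reads it back through the BIOS.
if (-not (Test-Path -Path "$UsbDrive\")) {
    throw "USB flash drive $UsbDrive is not mounted; plug it in before continuing."
}

# Add a recovery password first so there is always a fallback if the USB key is
# lost, then the startup-key protector that stands in for the TPM at boot.
Invoke-ManageBde @('-protectors', '-add', $OsDrive, '-RecoveryPassword') | Out-Null
Invoke-ManageBde @('-protectors', '-add', $OsDrive, '-StartupKey', "$UsbDrive\") | Out-Null

# Record the protectors (including the 48-digit recovery password) somewhere
# other than the drive being encrypted; here the USB key, as the wizard offers.
$protectors = Invoke-ManageBde @('-protectors', '-get', $OsDrive)
$protectors | Out-File -FilePath "$UsbDrive\BitLocker-$env:COMPUTERNAME-recovery.txt"

# Request encryption. manage-bde schedules a hardware test: the machine must be
# restarted with the USB key inserted before the drive actually starts encrypting.
Invoke-ManageBde @('-on', $OsDrive)

# After the restart, check progress and which protectors are active with:
#   manage-bde -status C:
'Protectors added and encryption requested; restart with the USB key inserted.'
```

Save it as, for example, Enable-BitLockerNoTpm.ps1 and run `.\Enable-BitLockerNoTpm.ps1 -OsDrive C: -UsbDrive E:` from an elevated prompt. If the policy has not been applied, the first `-protectors -add` call fails and the script stops there with manage-bde's own error text, before anything has been changed on the drive.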

Hope this helps

Look forward to hearing from you.

Hugofe

Comments
  • The help for the "require additional authentication at startup" indicates that it is possible to use a USB startup key and a PIN together, by using manage-bde from the command line. I can't find documentation on how to use both the startup key and PIN at the same time. Is this an error in the help, or is this possible and just not well documented?

  • I get this error after reboot

    BitLocker could not be enabled

    The BitLocker startup key or recovery password cannot be found on the USB device.

    I can access the USB and USB is enabled in BIOS on start up.

  • I don't have this on Windows 8 Pro

    3.      Now right click on Control Panel: Enable advanced Startup Options and select Properties.

    Nothing remotely similar.
