Bitlocker on Windows 8 laptop without TPM chip

With a Bitlocker encrypted drive on a Windows 8 laptop without a TPM chip, will the PC start with *either* a PIN or a USB flash drive, or does it require the PIN *and* the USB flash drive?

From my understanding after reading about it, the USB drive holds the encryption keys needed to access the data (which would be stored on the TPM chip if it was present), and the PIN is necessary to "unlock" those keys ready for use - is that correct?
Asked by RedLondon
1 Solution
 
btan (Exec Consultant) commented:
The following combinations of the above authentication mechanisms are supported, all with an optional escrow recovery key:
- PIN only
- TPM only
- TPM + PIN
- TPM + PIN + USB Key
- TPM + USB Key
- USB Key

Please also see this:
http://blogs.technet.com/b/hugofe/archive/2010/10/29/bitlocker-without-tpm.aspx

The MSDN FAQ has useful info to clarify your doubt. I have extracted some relevant parts below.

In short,

a) For a machine with a TPM, BitLocker can provide enhanced security, whereby you can combine the use of a TPM with either a PIN entered by the user or a startup key stored on a USB flash drive.

b) For a machine without (a compatible) TPM, BitLocker provides encryption, but not the added security of locking keys with the TPM. In this case, the user is required to create a startup key that is stored on a USB flash drive. Note that the PIN is not applicable with a USB key.

There is also the recovery key to be created and saved to a USB flash drive during BitLocker setup; it can also be managed and copied after BitLocker is enabled. If the computer enters recovery mode, the user will be prompted to insert the recovery key into the computer.

Note: Use of both the USB and PIN along with the TPM must be configured by using the Manage-bde command-line tool. This protection method cannot be specified by using the BitLocker setup wizard.

==MSDN FAQ for Bitlocker==
@ http://technet.microsoft.com/en-us/library/ee449438(v=ws.10).aspx


*Does BitLocker support multifactor authentication?

Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2, you can use additional forms of authentication with the TPM protection. BitLocker offers the option to lock the normal boot process until the user supplies a personal identification number (PIN) or inserts a USB device (such as a flash drive) that contains a BitLocker startup key, or both the PIN and the USB device can be required. These additional security measures provide multifactor authentication and help ensure that the computer will not start or resume from hibernation until the correct authentication method is presented.

*Can I use BitLocker on an operating system drive without a TPM version 1.2?

Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2, if the BIOS has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.

To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.

*Startup key

[....] The startup key is a key stored on a USB flash drive, and the USB flash drive must be inserted every time the computer starts. The startup key is used to provide another factor of authentication in conjunction with TPM authentication. To use a USB flash drive as a startup key, the USB flash drive must be formatted by using the NTFS, FAT, or FAT32 file system.

You must have a startup key to use BitLocker on a non-TPM computer.

*Recovery password and recovery key

[....] A key file on a USB flash drive that is read directly by the BitLocker recovery console. During recovery, you need to insert this USB device.

*PIN and enhanced PIN
For a higher level of security with the TPM, you can configure BitLocker with a personal identification number (PIN). The PIN is a user-created value that must be entered each time the computer starts or resumes from hibernation.
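Added example, not part of btan's answer and not Microsoft's code: a read-only PowerShell audit that reports whether the machine has a usable TPM, which key protectors are attached to the OS volume, which of the combinations listed above that amounts to, whether a recovery protector exists, and which manage-bde command would be needed for the combinations the setup wizard cannot configure. It uses the BitLocker module cmdlets (Get-Tpm, Get-BitLockerVolume) that ship with Windows 8 and later and needs an elevated prompt; $OsDrive and $UsbDrive are assumptions, and the manage-bde commands are printed rather than executed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original answer): audit BitLocker startup
# authentication on the OS drive and map it onto the supported combinations.

$OsDrive  = $env:SystemDrive   # assumption: the OS volume is the system drive (usually C:)
$UsbDrive = 'E:'               # assumption: removable drive that holds / will hold the startup key

# 1. Is a TPM present and ready? Without one, only a USB startup key (plus
#    recovery protectors) can guard the OS drive at boot, as the answer states.
$tpm        = Get-Tpm -ErrorAction SilentlyContinue
$tpmPresent = ($null -ne $tpm) -and $tpm.TpmPresent -and $tpm.TpmReady

# 2. Enumerate the key protectors currently attached to the OS volume.
$vol   = Get-BitLockerVolume -MountPoint $OsDrive
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

[pscustomobject]@{
    MountPoint       = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus
    ProtectionStatus = $vol.ProtectionStatus
    TpmPresentReady  = $tpmPresent
    KeyProtectors    = ($types -join ', ')
} | Format-List

# 3. Separate boot-time protectors from recovery protectors. Note that the
#    ExternalKey type is used for both a startup key and a USB recovery key;
#    KeyFileName on the protector object tells them apart if you need to.
$recovery = @($types | Where-Object { $_ -eq 'RecoveryPassword' })
$boot     = @($types | Where-Object { $_ -ne 'RecoveryPassword' })

$mode = if ($boot.Count -eq 1) {
    switch ($boot[0]) {
        'Tpm'              { 'TPM only' }
        'TpmPin'           { 'TPM + PIN' }
        'TpmStartupKey'    { 'TPM + USB key' }
        'TpmPinStartupKey' { 'TPM + PIN + USB key' }
        'ExternalKey'      { 'USB key only (non-TPM configuration)' }
        'Password'         { 'Password only' }
        default            { "Unrecognised protector: $($boot[0])" }
    }
} elseif ($boot.Count -eq 0) {
    'No boot-time protector (drive is not protected at startup)'
} else {
    "Mixed set of boot-time protectors: $($boot -join ', ')"
}
Write-Host "Startup authentication mode: $mode"

# Defender's check: the answer's combinations all assume an escrowed recovery
# key. A volume with no recovery password is one lost USB stick away from
# being unrecoverable.
if ($recovery.Count -eq 0) {
    Write-Warning "No recovery password protector on $OsDrive; add one and back it up before changing protectors."
}

# 4. Print (do not run) the manage-bde command for the combinations the
#    wizard cannot set. Allowing BitLocker on a non-TPM machine also requires
#    the group policy change described in the linked blog post.
if ($tpmPresent) {
    Write-Host "To require TPM + PIN + USB key (not available in the wizard):"
    Write-Host "  manage-bde -protectors -add $OsDrive -TPMAndPINAndStartupKey $UsbDrive\"
} else {
    Write-Host "No usable TPM: a USB startup key is the only boot-time protector available:"
    Write-Host "  manage-bde -protectors -add $OsDrive -StartupKey $UsbDrive\"
}
Write-Host "Verify afterwards with: manage-bde -protectors -get $OsDrive"
```

Run it from an elevated PowerShell prompt before and after changing protectors; the final manage-bde -protectors -get output is the authoritative list, and the script's mapping is only a convenience over the same data.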
 
RedLondon (Author) commented:
Thank you
 
Rich Rumble (Security Samurai) commented:
Also understand that BitLocker encryption of the OS only protects you when the OS is off. BitLocker To Go for USB only protects the USB when it's not plugged in.
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
-rich
