Bitlocker on Windows 8 laptop without TPM chip

Posted on 2013-12-23
2,638 Views
Last Modified: 2013-12-24
With a Bitlocker encrypted drive on a Windows 8 laptop without a TPM chip, will the PC start with *either* a PIN or a USB flash drive, or does it require the PIN *and* the USB flash drive?

From my understanding after reading about it, the USB drive holds the encryption keys needed to access the data (which would be stored on the TPM chip if it was present), and the PIN is necessary to "unlock" those keys ready for use - is that correct?
Question by:RedLondon
3 Comments
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39737820
The following combinations of the above authentication mechanisms are supported, all with an optional escrow recovery key:
-PIN only
-TPM only
-TPM + PIN
-TPM + PIN + USB Key
-TPM + USB Key
-USB Key

Please also see this
@ http://blogs.technet.com/b/hugofe/archive/2010/10/29/bitlocker-without-tpm.aspx

The MSDN FAQ is useful info to clarify your doubt. I extract some relevant ones below.

In short,

a) For a machine with a TPM, BitLocker can provide enhanced security whereby you can combine the use of a TPM with either a PIN entered by the user or a startup key stored on a USB flash drive.

b) For a machine without (a compatible) TPM, BitLocker provides encryption, but not the added security of locking keys with the TPM. In this case, the user is required to create a startup key that is stored on a USB flash drive. Note that the PIN is not applicable with the USB key.

There is also the recovery key to be created and saved to a USB flash drive during BitLocker setup; it can also be managed and copied after BitLocker is enabled. If the computer enters recovery mode, the user will be prompted to insert the recovery key into the computer.

Note: Use of both the USB and PIN along with the TPM must be configured by using the Manage-bde command-line tool. This protection method cannot be specified by using the BitLocker setup wizard.

==MSDN FAQ for Bitlocker==
@ http://technet.microsoft.com/en-us/library/ee449438(v=ws.10).aspx


*Does BitLocker support multifactor authentication?

Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2, you can use additional forms of authentication with the TPM protection. BitLocker offers the option to lock the normal boot process until the user supplies a personal identification number (PIN) or inserts a USB device (such as a flash drive) that contains a BitLocker startup key, or both the PIN and the USB device can be required. These additional security measures provide multifactor authentication and help ensure that the computer will not start or resume from hibernation until the correct authentication method is presented.

*Can I use BitLocker on an operating system drive without a TPM version 1.2?

Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2, if the BIOS has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.

To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.

*Startup key

[....] The startup key is a key stored on a USB flash drive, and the USB flash drive must be inserted every time the computer starts. The startup key is used to provide another factor of authentication in conjunction with TPM authentication. To use a USB flash drive as a startup key, the USB flash drive must be formatted by using the NTFS, FAT, or FAT32 file system.

You must have a startup key to use BitLocker on a non-TPM computer.

*Recovery password and recovery key

[....] A key file on a USB flash drive that is read directly by the BitLocker recovery console. During recovery, you need to insert this USB device

*PIN and enhanced PIN

For a higher level of security with the TPM, you can configure BitLocker with a personal identification number (PIN). The PIN is a user-created value that must be entered each time the computer starts or resumes from hibernation.
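A check for the setup described in the accepted answer, added here as an example and not part of the original thread: it audits which key protectors the OS drive has and, on a machine with no usable TPM, confirms that the "Allow BitLocker without a compatible TPM" policy is on and that a USB startup key plus a recovery password exist. It assumes the built-in BitLocker and TrustedPlatformModule PowerShell modules (Windows 8 / Server 2012 and later), an elevated prompt, and that the USB stick for the startup key is mounted as E: (an assumed drive letter).

```powershell
# Added example, not from the original thread. Assumes Windows 8+ BitLocker
# cmdlets, an elevated session, and a USB stick mounted at E: (assumed path).
$OsDrive = $env:SystemDrive          # normally C:
$UsbPath = 'E:\'                     # assumed mount point of the USB stick

# Without a TPM, the Group Policy "Require additional authentication at
# startup" -> "Allow BitLocker without a compatible TPM" must be enabled;
# it is stored as the EnableBDEWithNoTPM value under the FVE policy key.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                           -Name EnableBDEWithNoTPM -ErrorAction SilentlyContinue
$tpm    = Get-Tpm -ErrorAction SilentlyContinue
$hasTpm = ($null -ne $tpm) -and $tpm.TpmPresent -and $tpm.TpmReady

if (-not $hasTpm -and (($null -eq $policy) -or ($policy.EnableBDEWithNoTPM -ne 1))) {
    Write-Warning 'No usable TPM and "Allow BitLocker without a compatible TPM" is off; the setup wizard will refuse to enable BitLocker.'
}

# List the protectors currently on the OS volume.
$vol   = Get-BitLockerVolume -MountPoint $OsDrive
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
"Volume $OsDrive  status=$($vol.VolumeStatus)  protection=$($vol.ProtectionStatus)"
"Key protectors: $($types -join ', ')"

# Both the startup key and the recovery key are .BEK files on removable media
# and are reported as ExternalKey; the 48-digit key is RecoveryPassword.
if (-not $hasTpm -and ('ExternalKey' -notin $types)) {
    # Non-TPM machine: the startup key is mandatory. This writes a .BEK file
    # to the USB stick, which must be inserted at every boot.
    Add-BitLockerKeyProtector -MountPoint $OsDrive -StartupKeyProtector `
                              -StartupKeyPath $UsbPath
}
if ('RecoveryPassword' -notin $types) {
    # Always keep an escrow path; back the printed password up off the machine.
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
}

# Re-read so the final state is visible after any additions.
(Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
```

If the drive has a TPM, the TPM-based combinations from the answer (TPM + PIN, TPM + startup key, TPM + PIN + startup key) are added with the matching -TpmAndPinProtector, -TpmAndStartupKeyProtector and -TpmAndPinAndStartupKeyProtector switches of the same cmdlet.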
LVL 11

Author Closing Comment

by:RedLondon
ID: 39737832
Thank you
LVL 38

Expert Comment

by:Rich Rumble
ID: 39737871
Also understand that BitLocker encryption of the OS only protects you when the OS is off. BitLocker To Go for USB only protects the USB when it's not plugged in.
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
-rich