BitLocker on Windows 8 laptop without TPM chip

Posted on 2013-12-23
Last Modified: 2013-12-24
With a BitLocker encrypted drive on a Windows 8 laptop without a TPM chip, will the PC start with *either* a PIN or a USB flash drive, or does it require the PIN *and* the USB flash drive?

From my understanding after reading about it, the USB drive holds the encryption keys needed to access the data (which would be stored on the TPM chip if it was present), and the PIN is necessary to "unlock" those keys ready for use - is that correct?
Question by: RedLondon
3 Comments
Accepted Solution by: btan (LVL 65, earned 2000 total points)
ID: 39737820
The following combinations of the above authentication mechanisms are supported, all with an optional escrow recovery key:
- PIN only
- TPM only
- TPM + PIN
- TPM + PIN + USB Key
- TPM + USB Key
- USB Key

Please also see this:
http://blogs.technet.com/b/hugofe/archive/2010/10/29/bitlocker-without-tpm.aspx

The MSDN FAQ is useful info to clarify your doubt. I extract some relevant ones below.

In short,

a) For a machine with a TPM, BitLocker can provide enhanced security, whereby you can combine the use of a TPM with either a PIN entered by the user or a startup key stored on a USB flash drive.

b) For a machine without (a compatible) TPM, BitLocker provides encryption, but not the added security of locking keys with the TPM. In this case, the user is required to create a startup key that is stored on a USB flash drive. Note that the PIN is not applicable with a USB key.

There is also the recovery key to be created and saved to a USB flash drive during BitLocker setup; it can also be managed and copied after BitLocker is enabled. If the computer enters recovery mode, the user will be prompted to insert the recovery key into the computer.

Note: Use of both the USB and PIN along with the TPM must be configured by using the Manage-bde command-line tool. This protection method cannot be specified by using the BitLocker setup wizard.

==MSDN FAQ for BitLocker==
http://technet.microsoft.com/en-us/library/ee449438(v=ws.10).aspx


*Does BitLocker support multifactor authentication?

Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2, you can use additional forms of authentication with the TPM protection. BitLocker offers the option to lock the normal boot process until the user supplies a personal identification number (PIN) or inserts a USB device (such as a flash drive) that contains a BitLocker startup key, or both the PIN and the USB device can be required. These additional security measures provide multifactor authentication and help ensure that the computer will not start or resume from hibernation until the correct authentication method is presented.

*Can I use BitLocker on an operating system drive without a TPM version 1.2?

Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2, if the BIOS has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.

To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.

*Startup key

[....] The startup key is a key stored on a USB flash drive, and the USB flash drive must be inserted every time the computer starts. The startup key is used to provide another factor of authentication in conjunction with TPM authentication. To use a USB flash drive as a startup key, the USB flash drive must be formatted by using the NTFS, FAT, or FAT32 file system.

You must have a startup key to use BitLocker on a non-TPM computer.

*Recovery password and recovery key

[....] A key file on a USB flash drive that is read directly by the BitLocker recovery console. During recovery, you need to insert this USB device

*PIN and enhanced PIN
For a higher level of security with the TPM, you can configure BitLocker with a personal identification number (PIN). The PIN is a user-created value that must be entered each time the computer starts or resumes from hibernation.
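An added example (not from the original post, from Microsoft, or from the answerer) that audits how an OS volume is protected in the terms used above: whether a TPM is present, which key protectors exist, and whether a non-TPM machine has the startup-key protector and policy setting it needs. It assumes Windows 8 or later with the BitLocker PowerShell module, an elevated prompt, and that `C:` is the OS volume (a constructed sample value).

```powershell
# Added audit example, not code from the original post or from Microsoft.
# Assumes Windows 8+ with the BitLocker module, run elevated. $OsDrive is a
# constructed sample; point it at the OS volume being checked.
$OsDrive = 'C:'

function Test-TpmPresent {
    # Win32_Tpm is only instantiated when Windows recognises a TPM.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    return ($null -ne $tpm)
}

function Test-NoTpmPolicyEnabled {
    # "Require additional authentication at startup" with "Allow BitLocker
    # without a compatible TPM" ticked writes this value under the FVE key.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    return ($null -ne $fve -and $fve.EnableBDEWithNoTPM -eq 1)
}

$vol   = Get-BitLockerVolume -MountPoint $OsDrive
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

"Volume {0}: protection {1}, {2}% encrypted" -f $OsDrive, $vol.ProtectionStatus, $vol.EncryptionPercentage
"Key protectors: {0}" -f (($types | Sort-Object -Unique) -join ', ')

if (-not (Test-TpmPresent)) {
    # No TPM: as the FAQ above says, a USB startup key (ExternalKey protector) is what
    # releases the volume master key at boot; a TPM+PIN protector cannot exist here.
    # Windows 8 additionally accepts a Password protector on non-TPM OS drives.
    if ($types -notcontains 'ExternalKey' -and $types -notcontains 'Password') {
        Write-Warning "No TPM and no startup key/password protector: the OS volume has no pre-boot unlock."
        Write-Warning "Add a startup key with: manage-bde -protectors -add $OsDrive -StartupKey <removable drive>:"
    }
    if (-not (Test-NoTpmPolicyEnabled)) {
        Write-Warning "'Allow BitLocker without a compatible TPM' is not set; the setup wizard will refuse to enable BitLocker."
    }
}
elseif ($types -contains 'TpmPinStartupKey') {
    "TPM + PIN + startup key in use (configurable only via manage-bde, as noted above)."
}

# Whichever unlock method is used, a recovery password should exist and be escrowed
# (Active Directory, a saved file, or a printout) before the machine leaves the desk.
if ($types -notcontains 'RecoveryPassword') {
    Write-Warning "No recovery password protector; add one with: manage-bde -protectors -add $OsDrive -RecoveryPassword"
}
```

`manage-bde -protectors -get C:` shows the same protector list from the command line if the PowerShell module is unavailable.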
Author Closing Comment by: RedLondon (LVL 11)
ID: 39737832
Thank you
Expert Comment by: Rich Rumble (LVL 38)
ID: 39737871
Also understand that BitLocker encryption of the OS only protects you when the OS is off. BitLocker To Go for USB only protects the USB when it's not plugged in.
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
-rich