Solved

Bitlocker on Windows 8 laptop without TPM chip

Posted on 2013-12-23
Last Modified: 2013-12-24
With a Bitlocker encrypted drive on a Windows 8 laptop without a TPM chip, will the PC start with *either* a PIN or a USB flash drive, or does it require the PIN *and* the USB flash drive?

From my understanding after reading about it, the USB drive holds the encryption keys needed to access the data (which would be stored on the TPM chip if it was present), and the PIN is necessary to "unlock" those keys ready for use - is that correct?
Question by:RedLondon
3 Comments
Accepted Solution

by:
btan earned 500 total points
ID: 39737820
The following combinations of the above authentication mechanisms are supported, all with an optional escrow recovery key:
- PIN only
- TPM only
- TPM + PIN
- TPM + PIN + USB Key
- TPM + USB Key
- USB Key

Please also see this:
http://blogs.technet.com/b/hugofe/archive/2010/10/29/bitlocker-without-tpm.aspx

The MSDN FAQ is useful info to clarify your doubt. I have extracted some relevant ones below.

In short,

a) For a machine with a TPM, BitLocker can provide enhanced security whereby you can combine the use of a TPM with either a PIN entered by the user or a startup key stored on a USB flash drive.

b) For a machine without (a compatible) TPM, BitLocker provides encryption, but not the added security of locking keys with the TPM. In this case, the user is required to create a startup key that is stored on a USB flash drive. Note that the PIN is not applicable with a USB key.

There is also the recovery key to be created and saved to a USB flash drive during BitLocker setup; it can also be managed and copied after BitLocker is enabled. If the computer enters recovery mode, the user will be prompted to insert the recovery key into the computer.

Note: Use of both the USB and PIN along with the TPM must be configured by using the Manage-bde command-line tool. This protection method cannot be specified by using the BitLocker setup wizard.

==MSDN FAQ for Bitlocker==
@ http://technet.microsoft.com/en-us/library/ee449438(v=ws.10).aspx


*Does BitLocker support multifactor authentication?

Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2, you can use additional forms of authentication with the TPM protection. BitLocker offers the option to lock the normal boot process until the user supplies a personal identification number (PIN) or inserts a USB device (such as a flash drive) that contains a BitLocker startup key, or both the PIN and the USB device can be required. These additional security measures provide multifactor authentication and help ensure that the computer will not start or resume from hibernation until the correct authentication method is presented.

*Can I use BitLocker on an operating system drive without a TPM version 1.2?

Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2, if the BIOS has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.

To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.

*Startup key

[....] The startup key is a key stored on a USB flash drive, and the USB flash drive must be inserted every time the computer starts. The startup key is used to provide another factor of authentication in conjunction with TPM authentication. To use a USB flash drive as a startup key, the USB flash drive must be formatted by using the NTFS, FAT, or FAT32 file system.

You must have a startup key to use BitLocker on a non-TPM computer.

*Recovery password and recovery key

[....] A key file on a USB flash drive that is read directly by the BitLocker recovery console. During recovery, you need to insert this USB device

*PIN and enhanced PIN
For a higher level of security with the TPM, you can configure BitLocker with a personal identification number (PIN). The PIN is a user-created value that must be entered each time the computer starts or resumes from hibernation.
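As an added illustration of the protector combinations listed in the accepted answer (this is example code, not the answerer's and not from the linked MSDN FAQ), the PowerShell session below checks for a TPM, lists the protectors already on C:, and adds the startup-key protector that a non-TPM laptop needs. It assumes Windows 8 or later with the BitLocker and TrustedPlatformModule PowerShell modules, an elevated prompt, and two constructed placeholder drive letters: E: for the startup-key USB stick and F: for the recovery-key stick. The registry values in step 1 are the ones the "Require additional authentication at startup" Group Policy writes, as understood here.

```powershell
# Added example, not from the original answer. Placeholders: E:\ (startup key
# USB stick), F:\ (recovery key USB stick). Run in an elevated PowerShell.

# 1. Allow BitLocker on an OS drive with no compatible TPM. Without this
#    policy the setup wizard refuses to continue on a non-TPM machine.
#    (Assumption: these are the values the GPO writes under ...\Policies\Microsoft\FVE.)
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord

# 2. Inspect what the machine has: a TPM, and which protectors C: already carries.
$tpm = Get-Tpm -ErrorAction SilentlyContinue      # $null when no TPM driver is present
$vol = Get-BitLockerVolume -MountPoint 'C:'
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId

# 3. The asker's case: no TPM, so the startup key on the USB stick is the only
#    pre-boot protector; every PIN combination in the answer's list needs a TPM.
if (-not $tpm -or -not $tpm.TpmPresent) {
    manage-bde -protectors -add C: -StartupKey E:\
} else {
    # With a TPM the answer's combinations map to these manage-bde switches:
    #   -TPM                            TPM only
    #   -TPMAndPIN                      TPM + PIN
    #   -TPMAndStartupKey E:\           TPM + USB key
    #   -TPMAndPINAndStartupKey E:\     TPM + PIN + USB key (command line only, as the answer notes)
    manage-bde -protectors -add C: -TPMAndPIN
}

# 4. Escrow a recovery key on a separate stick and generate a numerical recovery
#    password; keep both somewhere other than the laptop bag.
manage-bde -protectors -add C: -RecoveryKey F:\
manage-bde -protectors -add C: -RecoveryPassword

# 5. Confirm the protector set, then turn protection on. BitLocker's system check
#    (run by the wizard) is what verifies the BIOS can read the USB stick at boot.
manage-bde -protectors -get C:
manage-bde -on C:
```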
Author Closing Comment

by:RedLondon
ID: 39737832
Thank you
Expert Comment

by:Rich Rumble
ID: 39737871
Also understand that BitLocker encryption of the OS only protects you when the OS is off. BitLocker To Go for USB only protects the USB when it's not plugged in.
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
-rich