• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1444

BitLocker without TPM

[Image: BitLocker Encryption Option]

Hi,
I have a Win7 Ultimate laptop that does not have a TPM. So I ran gpedit.msc to do the following: Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives, and double-clicked on Require additional authentication at startup.

Now when I turn on BitLocker on drive C, I get the message above with only one option, "Require a Startup key at every startup".
Does this mean that the user has to stick a USB flash drive into his laptop EVERY TIME he turns it on?

Thanks.
Asked by: sglee

4 Solutions

ZabagaR commented:
Yes, that is correct. A USB flash drive is required at boot if there is no TPM AND you want the C:\ drive protected.

Great source for Bitlocker information: (not just video, but links on the right side)

http://technet.microsoft.com/en-us/windows/dd408739.aspx

sglee (Author) commented:
I thought the whole idea is to protect your hard drive from being accessed freely when attached to another computer. I thought if you encrypt the hard drive, you can just turn it on and off without having to enter any key or having to keep a USB flash drive all the time ...

ZabagaR commented:
In order to encrypt the boot drive, you need to store the key somewhere that is accessible BEFORE boot. The only way you can do that is to either store it on the system's hardware itself (TPM) or on an external source such as a USB stick.

sglee (Author) commented:
(1) So if the computer comes with TPM option in BIOS, then we don't need external USB?
(2) Say I create a USB and keep it plugged into the laptop all the time. I guess that is what we need to do. But then if someone takes that USB, or say you lose it, then you can't turn on the computer?

ZabagaR commented:
Yes to (1) and (2) - you got it.

BitLocker needs to store the encryption keys somewhere other than the hard disk. So the choices are either the TPM chip built into the machine or a USB flash drive.

When you set up BitLocker, you have the option to back up the keys and print out a 48-digit recovery password.

This is a good Q&A link:
http://technet.microsoft.com/library/ee449438.aspx#BKMK_NoTPM
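
The manage-bde sequence behind what ZabagaR describes (keys kept off the disk on a USB startup key, plus a 48-digit recovery password backed up elsewhere), as an added example that is not from the thread or from Microsoft's documentation. It is PowerShell for an elevated prompt on the Win7 machine and assumes the Group Policy change from the question is already in place; the drive letters, the backup share and the regular expression matched against manage-bde's output are assumptions:

```powershell
# Added example (not from the thread): turn on BitLocker for the OS drive of a
# Win7 machine with no TPM, using a startup key on a USB drive plus a 48-digit
# recovery password that is copied somewhere other than the laptop itself.
# Run from an elevated prompt. Drive letters and the backup share are assumptions.
$OsDrive      = "C:"
$UsbDrive     = "E:\"                     # assumed: the USB drive that will hold the startup key
$BackupFolder = "\\fileserver\bitlocker"  # assumed: a location that is NOT on this laptop

# Bail out if protection is already on; adding protectors again would only confuse things.
$statusText = (manage-bde -status $OsDrive | Out-String)
if ($statusText -match "Protection On") {
    throw "BitLocker is already on for $OsDrive, nothing to do."
}

# 1. Add the numerical (recovery) password protector. manage-bde prints the
#    48-digit password as eight groups of six digits; capture it from the output.
$rpText = (manage-bde -protectors -add $OsDrive -RecoveryPassword | Out-String)
if (-not ($rpText -match '(\d{6}-){7}\d{6}')) {
    throw "Could not find the recovery password in manage-bde output."
}
$recoveryPassword = $Matches[0]

# 2. Add the startup key. manage-bde writes a hidden .BEK file to the root of the
#    USB drive; without a TPM that file must be present at every boot.
manage-bde -protectors -add $OsDrive -StartupKey $UsbDrive
if ($LASTEXITCODE -ne 0) { throw "Adding the startup key failed; is $UsbDrive the right drive?" }

# 3. Save the recovery password off the machine BEFORE encryption starts, so a
#    lost USB drive never locks anyone out.
$backupFile = Join-Path $BackupFolder ("{0}-{1}-recovery.txt" -f $env:COMPUTERNAME, $OsDrive.TrimEnd(':'))
"Computer: $env:COMPUTERNAME`nDrive: $OsDrive`nRecovery password: $recoveryPassword" | Set-Content -Path $backupFile

# 4. Start encrypting with the two protectors just added, then list them for the record.
manage-bde -on $OsDrive
manage-bde -protectors -get $OsDrive
```

The recovery password is written to the share before manage-bde -on runs, so there is never a window in which the only protector is the .BEK file on the USB drive. Keep the USB drive dedicated to that file: the .BEK is hidden, and anything that reformats the drive takes the startup key with it.
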
Rich Rumble (Security Samurai) commented:
I have many articles, and this one seems fitting for your question:
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html

TPM makes it "worse" than no-TPM. TPM binds that HDD to the motherboard until you remove the encryption. You have no hope of reading that HDD outside of that motherboard until you reformat the drive (when using TPM).
You might want TrueCrypt instead.
-rich

sglee (Author) commented:
@ZabagaR, @richrumble
Having gone through the whole setup, I see the benefit of having a built-in TPM because I won't need an external USB or have to type in 48 digits each time the computer reboots.
On the other hand, I can kind of see the benefit of not having a TPM too, in case your OS is corrupted and you want to save the files and documents off that hard drive using another computer.

Well, I will just prepare to purchase small (1-4GB) USB flash drives for a number of PCs that I need to upgrade to Win 7 Ultimate. I thought about TrueCrypt too, but I decided to go with MS solutions for a wide range of support, including paid support if necessary, instead of depending on a "free of charge forum".

Thanks for your help and I don't have further questions.

Rich Rumble (Security Samurai) commented:
BL's main advantage is its central management; if you need to roll out to a lot of people, that's where the benefit is. TC is what I recommend and have used for 10 years without issue. TPM is to thwart cold boot physical attacks and bootloader rootkits, which all seem like good ideas, but if your data doesn't justify that kind of effort you don't have to do it. The security provided by PGP/TC and others is good enough for personal use; BL is better for corporate use.
-rich

ZabagaR commented:
I've used both as well. BitLocker can take advantage of Active Directory if you're using it. I'm not sure what your config is, but it seemed like a one-off encrypted laptop, as opposed to a laptop on a domain in an enterprise... what Rich said above!!

David Johnson, CD, MVP (Owner) commented:
Buy the smallest thumb drive and remember not to use that thumb drive for anything else. Whatever you do, don't format that thumb drive after you have BitLocker enabled.

sglee (Author) commented:
If that thumb drive is lost, but the computer and hard drive are unchanged, can I recreate the keys and store them on a new thumb drive? If yes, does it generate new keys or the same keys?

Rich Rumble (Security Samurai) commented:
See this article: http://technet.microsoft.com/en-us/library/dd875529%28v=ws.10%29.aspx
You can't recover unless you have a copy of those keys, one key only, but it can be backed up.
-rich

sglee (Author) commented:
There is no server system at this site, just several individual PCs.

Rich Rumble (Security Samurai) commented:
You'll want to back up the keys that are on the flash drives yourself then.
-rich

sglee (Author) commented:
If the user loses the original USB flash drive (where I saved the keys when I enabled BitLocker) and nothing has changed on the computer and the hard drive, can I save the keys again on another USB flash drive?

Rich Rumble (Security Samurai) commented:
Yep: http://windows.microsoft.com/en-gb/windows7/what-is-a-bitlocker-recovery-key
To copy your BitLocker recovery key:

    1. Open BitLocker Drive Encryption by clicking the Start button, clicking Control Panel, clicking Security, and then clicking BitLocker Drive Encryption.
    2. Click Manage BitLocker, and then follow the instructions.
-rich

David Johnson, CD, MVP (Owner) commented:
"If the user lost the original USB flash drive (where I saved the keys when I enabled BitLocker) and nothing has changed on the computer and the hard drive, can I save the keys again on another USB flash drive?" Make as many copies of the recovery key as prudent. If the machine is turned off and the USB key is lost then you have to enter the 25 character key.

On domain-joined machines the recovery key will be in Active Directory. If you have a Microsoft Account associated with this machine then it will be in your SkyDrive folder:
http://windows.microsoft.com/en-CA/windows-8/bitlocker-recovery-keys-faq
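
A worked version of the lost-USB case that sglee, Rich and David Johnson discuss above, as an added example that is not from the thread: rather than copying the lost key, it creates a new startup key on a replacement USB drive and then removes the protector the lost drive held, so that drive can no longer unlock the machine. It is PowerShell for an elevated prompt, run after Windows has been unlocked with the recovery password; the new drive letter and the parsing of manage-bde's "External Key:" / "ID: {GUID}" output layout are assumptions:

```powershell
# Added example (not from the thread): replace a lost BitLocker startup key on a
# Win7 OS drive that has no TPM. Run elevated, after the machine has been unlocked
# with the 48-digit recovery password. The new USB drive letter is an assumption,
# and the parser relies on manage-bde's "External Key:" / "ID: {GUID}" layout.
$OsDrive = "C:"
$NewUsb  = "F:\"     # assumed: the replacement USB drive

# Parse the IDs of all External Key (startup key) protectors from manage-bde output.
function Get-BdeExternalKeyIds {
    param([string]$Drive)
    $ids = @()
    $inExternalKey = $false
    foreach ($line in (manage-bde -protectors -get $Drive)) {
        $t = $line.Trim()
        if ($t -match ':$') {
            # A line ending in ":" starts a new section; remember whether it is an External Key one.
            $inExternalKey = ($t -eq 'External Key:')
        } elseif ($inExternalKey -and $t -match '^ID:\s*(\{[0-9A-Fa-f-]+\})') {
            $ids += $Matches[1]
        }
    }
    return ,$ids
}

# Refuse to continue unless a recovery password protector still exists; it is the
# safety net while the startup keys are being swapped.
$protText = (manage-bde -protectors -get $OsDrive | Out-String)
if ($protText -notmatch 'Numerical Password:') {
    throw "No recovery password protector on $OsDrive; add one before touching the startup keys."
}

# 1. Note the existing startup key protectors (the lost USB still unlocks the drive at this point).
$oldIds = Get-BdeExternalKeyIds $OsDrive

# 2. Create a new startup key on the replacement USB drive. This is a NEW key, not a copy of the lost one.
manage-bde -protectors -add $OsDrive -StartupKey $NewUsb
if ($LASTEXITCODE -ne 0) { throw "Could not write a startup key to $NewUsb." }

# 3. Confirm exactly one new External Key protector appeared before removing anything.
$newIds = @(Get-BdeExternalKeyIds $OsDrive | Where-Object { $oldIds -notcontains $_ })
if ($newIds.Count -ne 1) { throw "Expected one new startup key protector, found $($newIds.Count)." }

# 4. Remove the old startup key protectors so the lost USB drive can no longer unlock this machine.
foreach ($id in $oldIds) {
    manage-bde -protectors -delete $OsDrive -id $id
}

manage-bde -protectors -get $OsDrive
```

The recovery password protector is checked first and never touched, so if the new USB drive turns out not to work the 48-digit password still gets the user in. Any copies that were made of the old .BEK file stop working once the old protector is deleted, which is the point: a lost startup key should be revoked, not just replaced.
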
McKnife commented:
It should be noted that the original question "Does this mean that the user has to stick a USB flash drive to his laptop EVERYTIME he turns it on?" should have been denied, because we have the option to set up a password from the command line (manage-bde -on c: -password). This is already possible with Win7, but only on the command line, while Win8 has it in the GUI.

sglee (Author) commented:
@McKnife
Are you saying that the user doesn't have to have a USB flash drive connected to the computer every time the computer is turned on? In other words, we can store the password somewhere in the computer permanently; therefore I don't have to get a USB flash drive for each computer on which I enable BitLocker?

Rich Rumble (Security Samurai) commented:
No, it cannot, as I linked before:
http://windows.microsoft.com/en-us/windows-vista/bitlocker-drive-encryption-overview
BitLocker can also be used without a TPM. To use BitLocker on a computer without a TPM, you must change the default behavior of the BitLocker setup wizard by using Group Policy, or configure BitLocker by using a script. When BitLocker is used without a TPM, the required encryption keys are stored on a USB flash drive that must be presented to unlock the data stored on a volume.
TC however can use a recovery disk or the 20+ character password the user has to remember. You can also purchase YubiKey Standards to remember the password for the user. http://www.yubico.com/applications/disk-encryption/disk-encryption-truecrypt/
-rich

sglee (Author) commented:
I see.
It is not a problem. If the USB flash drive is lost, then I would have a hard copy, as would my user. As long as we can turn on the computer with the password/key, then I can re-create a new USB flash drive. Unfortunately they don't have a "File Server".

McKnife commented:
My remembrance has failed me. With Win7 the -pw switch was present but invalid for the OS partition. This was indeed not possible before Win8 came out. Sorry. It could only be used with non-OS partitions.