Solved

BitLocker without TPM

Posted on 2014-02-08
22
1,207 Views
Last Modified: 2014-02-11
[Image: BitLocker Encryption Option]

Hi,
I have a Win7 Ultimate laptop that does not have a TPM. So I ran Gpedit.msc to do the following: Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives and double-clicked on "Require additional authentication at startup".

Now when I turn on BitLocker on drive C, I get the message above with only one option, "Require a Startup key at every startup".
Does this mean that the user has to stick a USB flash drive into his laptop EVERY TIME he turns it on?

Thanks.
0
Comment
Question by:sglee
22 Comments
 
LVL 15

Accepted Solution

by:
ZabagaR earned 229 total points
ID: 39844405
Yes, that is correct. A USB flash drive is required at boot if there is no TPM AND you want the C:\ drive protected.

Great source for Bitlocker information: (not just video, but links on the right side)

http://technet.microsoft.com/en-us/windows/dd408739.aspx
0
 

Author Comment

by:sglee
ID: 39844422
I thought the whole idea is to protect your hard drive from being accessed freely when attached to another computer. I thought if you encrypt the hard drive, you can just turn it on and off without having to enter any key or having to keep a USB flash drive all the time ...
0
 
LVL 15

Assisted Solution

by:ZabagaR
ZabagaR earned 229 total points
ID: 39844495
In order to encrypt the boot drive, you need to store the key somewhere that is accessible BEFORE boot. The only way you can do that is to either store it on the system's hardware itself (TPM) or on an external source such as a USB stick.
0
 

Author Comment

by:sglee
ID: 39844500
(1) So if the computer comes with a TPM option in the BIOS, then we don't need an external USB?
(2) Say I create a USB and keep it plugged into the laptop all the time. I guess that is what we need to do. But then if someone takes that USB, or say you lose it, then you can't turn on the computer?
0
 
LVL 15

Assisted Solution

by:ZabagaR
ZabagaR earned 229 total points
ID: 39844558
Yes to (1) and (2) - you got it.

BitLocker needs to store the encryption keys somewhere other than the hard disk. So the choices are either the TPM chip built into the machine or a USB flash drive.

When you set up bitlocker, you have the option to backup the keys and print out a 48-digit recovery password.

This is a good Q&A link:
http://technet.microsoft.com/library/ee449438.aspx#BKMK_NoTPM
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 76 total points
ID: 39844660
I have many articles, and this one seems fitting for your question:
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html

TPM makes it "worse" than no TPM. TPM binds that HDD to the motherboard until you remove the encryption. You have no hope of reading that HDD outside of that motherboard until you reformat the drive (when using TPM).
You might want TrueCrypt instead.
-rich
0
 

Author Comment

by:sglee
ID: 39844829
@ZabagaR, @richrumble
Having gone through the whole setup, I see the benefit of having a built-in TPM because I won't need an external USB or have to type in 48 digits each time the computer reboots.
On the other hand, I can kind of see the benefit of not having a TPM too, in case your OS is corrupted and you want to save the files and documents off that hard drive using another computer.

Well, I will just prepare to purchase small (1-4GB) USB flash drives for a number of PCs that I need to upgrade to Win 7 Ultimate. I thought about TrueCrypt too, but I decided to go with MS solutions for a wide range of support, including paid support if necessary, instead of depending on a "free of charge forum".

Thanks for your help and I don't have further questions.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39845281
BL's main advantage is its central management; if you need to roll out to a lot of people, that's where the benefit is. TC is what I recommend and have used for 10 years without issue. TPM is to thwart cold boot physical attacks and bootloader rootkits, which all seem like good ideas, but if your data doesn't justify that kind of effort you don't have to do it. The security provided by PGP/TC and others is good enough for personal use; BL is better for corporate use.
-rich
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39845386
I've used both as well. BitLocker can take advantage of Active Directory if you're using it. I'm not sure what your config is, but it seemed like a one-off encrypted laptop, as opposed to a laptop on a domain in an enterprise.....what Rich said above!!
0
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 39846690
Buy the smallest thumb drive and remember not to use that thumb drive for anything else.. Whatever you do, don't format that thumb drive after you have BitLocker enabled.
0
 

Author Comment

by:sglee
ID: 39847079
If that thumb drive is lost, but the computer and hard drive are unchanged, then can I recreate the keys and store them on a new thumb drive? If yes, does it generate new keys or the same keys?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39847084
See this article: http://technet.microsoft.com/en-us/library/dd875529%28v=ws.10%29.aspx
You can't recover unless you have a copy of those keys; there is one key only, but it can be backed up.
-rich
0
 

Author Comment

by:sglee
ID: 39847096
There is no server system on this site, just several individual PCs.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39847104
You'll want to back up the keys that are on the flash drives yourself then.
-rich
0
 

Author Comment

by:sglee
ID: 39847382
If the user lost the original USB flash drive (where I saved the keys when I enabled BitLocker) and nothing has changed on the computer and the hard drive, can I save the keys again on another USB flash drive?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39847657
Yep: http://windows.microsoft.com/en-gb/windows7/what-is-a-bitlocker-recovery-key
To copy your BitLocker recovery key

    Open BitLocker Drive Encryption by clicking the Start button, clicking Control Panel, clicking Security, and then clicking BitLocker Drive Encryption.

    Click Manage BitLocker, and then follow the instructions.
-rich
0
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 39847766
"If the user lost the original USB flash drive (where I saved the keys when I enabled BitLocker) and nothing has changed on the computer and the hard drive, can I save the keys again on another USB flash drive?" Make as many copies of the recovery key as prudent.. If the machine is turned off and the USB key is lost, then you have to enter the 25 character key.

For domain-joined machines the recovery key will be in Active Directory. If you have a Microsoft Account associated with this machine, then it will be in your SkyDrive folder:
http://windows.microsoft.com/en-CA/windows-8/bitlocker-recovery-keys-faq
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39850556
It should be noted that the original question "Does this mean that the user has to stick a USB flash drive to his laptop EVERYTIME he turns it on?" should have been answered with no, because we have the option to set up a password from the command line (manage-bde -on c: -password). This is already possible with Win7, but only on the command line, while Win8 has it in the GUI.
0
 

Author Comment

by:sglee
ID: 39851216
@McKnife
Are you saying that the user doesn't have to have a USB flash drive connected to the computer every time the computer is turned on? In other words, we can store the password somewhere on the computer permanently; therefore I don't have to get a USB flash drive for each computer on which I enable BitLocker?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39851239
No, it cannot, as I linked before:
http://windows.microsoft.com/en-us/windows-vista/bitlocker-drive-encryption-overview
BitLocker can also be used without a TPM. To use BitLocker on a computer without a TPM, you must change the default behavior of the BitLocker setup wizard by using Group Policy, or configure BitLocker by using a script. When BitLocker is used without a TPM, the required encryption keys are stored on a USB flash drive that must be presented to unlock the data stored on a volume.
TC however can use a recovery disk or the 20+ character password the user has to remember. You can also purchase YubiKey Standards to remember the password for the user. http://www.yubico.com/applications/disk-encryption/disk-encryption-truecrypt/
-rich
0
 

Author Comment

by:sglee
ID: 39851276
I see.
It is not a problem. If the USB flash drive is lost, then I would have a hard copy, as would my user. As long as we can turn on the computer with the password/key, then I can re-create a new USB flash drive. Unfortunately they don't have a "File Server".
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39851889
My memory has failed me. With Win7 the -pw switch was present but invalid for the OS partition. This was indeed not possible before Win8 came out. Sorry. It could only be used with non-OS partitions.
0
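The steps the thread arrives at (enable BitLocker on a non-TPM Windows 7 OS drive with a USB startup key, back up the 48-digit recovery password somewhere other than the laptop, and re-create the startup key on a new USB if the first one is lost) can be scripted with the same manage-bde tool McKnife mentions. The following is an added example written for this page; it is not code from the thread, from Microsoft, or from any participant. It assumes an elevated PowerShell prompt on Windows 7 Ultimate, that the OS volume is C:, that the startup-key USB is E:, and that the "Require additional authentication at startup" policy was enabled in gpedit.msc as described in the question; the backup path and the protector GUID are placeholders.

```powershell
# Added example (not from the thread): BitLocker on a Windows 7 OS drive with no TPM.
# Assumptions: run elevated; OS volume C:; startup-key USB E:; the Group Policy
# "Require additional authentication at startup" is enabled as in the question.

$OsDrive      = 'C:'
$StartupUsb   = 'E:\'
$BackupFolder = 'X:\bitlocker-keys'   # placeholder: any location that is NOT the encrypted drive or the USB key

function Test-NoTpmPolicy {
    # The "Allow BitLocker without a compatible TPM" checkbox in that policy is
    # stored as EnableBDEWithNoTPM under the FVE policy key.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    return ($fve -ne $null -and $fve.EnableBDEWithNoTPM -eq 1)
}

function Test-TpmPresent {
    # If a TPM is present and enabled, a TPM protector is an option and the USB key is not needed.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    return ($tpm -ne $null -and $tpm.IsEnabled().IsEnabled)
}

function Enable-BitLockerWithStartupKey {
    if (-not (Test-NoTpmPolicy)) {
        throw 'Policy "Require additional authentication at startup" / "Allow BitLocker without a compatible TPM" is not set.'
    }
    if (Test-TpmPresent) {
        Write-Warning 'A TPM is present and enabled; a TPM protector would avoid the USB key.'
    }
    # -StartupKey writes the .BEK external key to the USB drive; -RecoveryPassword
    # generates the 48-digit numerical password at the same time (the hard copy).
    manage-bde -on $OsDrive -StartupKey $StartupUsb -RecoveryPassword
}

function Backup-RecoveryPassword {
    # Lists every protector on the volume, including the 48-digit recovery password.
    # Store the file off the laptop and off the USB key; treat it as a secret.
    if (-not (Test-Path $BackupFolder)) { New-Item -ItemType Directory -Path $BackupFolder | Out-Null }
    $out = Join-Path $BackupFolder ("{0}-{1}.txt" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd'))
    manage-bde -protectors -get $OsDrive | Out-File -FilePath $out
    return $out
}

function Replace-LostStartupKey {
    param(
        [string]$NewUsb = 'F:\',                       # placeholder: the replacement USB drive
        [string]$LostProtectorId = '{PLACEHOLDER-GUID}' # placeholder: ID of the lost key, from -protectors -get
    )
    # Works while Windows is running (the volume is already unlocked): first add a
    # fresh external-key protector on the new USB, so the machine still boots...
    manage-bde -protectors -add $OsDrive -StartupKey $NewUsb
    # ...then remove the protector that belonged to the lost USB. Without this step
    # the lost USB still unlocks the laptop for whoever finds it.
    manage-bde -protectors -delete $OsDrive -id $LostProtectorId
    manage-bde -protectors -get $OsDrive
}

# Typical first-time run:
Enable-BitLockerWithStartupKey
Backup-RecoveryPassword
```

Two points worth keeping in mind when using this: the recovery password file written by Backup-RecoveryPassword is as sensitive as the USB key itself, so it belongs on media that the users do not carry around with the laptop; and Replace-LostStartupKey only helps while the volume can still be unlocked (Windows running, or booted with the 48-digit recovery password), which is exactly why the thread insists on keeping that hard copy.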
