Solved

BitLocker without TPM

Posted on 2014-02-08
22
1,086 Views
Last Modified: 2014-02-11
Hi,
I have a Win7 Ultimate laptop that does not have TPM. So I ran Gpedit.msc to do the following: Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives, and double-clicked on Require additional authentication at startup.

Now when I turn on BitLocker on drive C, I get the message above with only one option "Require a Startup key at every startup".
Does this mean that the user has to stick a USB flash drive into his laptop EVERY TIME he turns it on?

Thanks.
Question by:sglee
22 Comments
 
LVL 15

Accepted Solution

by:
ZabagaR earned 229 total points
ID: 39844405
Yes, that is correct. USB flash drive required at boot if no TPM AND you want the c:\ drive protected.

Great source for Bitlocker information: (not just video, but links on the right side)

http://technet.microsoft.com/en-us/windows/dd408739.aspx
0
 

Author Comment

by:sglee
ID: 39844422
I thought the whole idea is to protect your hard drive from being accessed freely when attached to another computer. I thought if you encrypt the hard drive, you can just turn it on and off without having to enter any key or having to keep a USB flash drive all the time ...
0
 
LVL 15

Assisted Solution

by:ZabagaR
ZabagaR earned 229 total points
ID: 39844495
In order to encrypt the boot drive, you need to store the key somewhere that is accessible BEFORE boot. The only way you can do that is to either store it on the system's hardware itself (TPM) or an external source such as a USB stick.
0
 

Author Comment

by:sglee
ID: 39844500
(1) So if the computer comes with TPM option in BIOS, then we don't need external USB?
(2) Say I create a USB and keep it plugged into the laptop all the time. I guess that is what we need to do. But then if someone takes that USB or say you lost it, then you can't turn on the computer?
0
 
LVL 15

Assisted Solution

by:ZabagaR
ZabagaR earned 229 total points
ID: 39844558
Yes to (1) and (2) - you got it.

Bitlocker needs to store the encryption keys somewhere other than the hard disk. So choices are either on the TPM chip built into the machine or a usb flash drive.

When you set up bitlocker, you have the option to backup the keys and print out a 48-digit recovery password.

This is a good Q&A link:
http://technet.microsoft.com/library/ee449438.aspx#BKMK_NoTPM
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 76 total points
ID: 39844660
I have many articles, and this one seems fitting for your question:
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html

TPM makes it "worse" than no-tpm. TPM binds that HDD to the motherboard until you remove the encryption. You have no hope to read that HDD outside of that motherboard until you reformat the drive (when using TPM).
You might want TrueCrypt instead.
-rich
0
 

Author Comment

by:sglee
ID: 39844829
@ZabagaR, @richrumble
Having gone through the whole setup, I see the benefit of having built-in TPM because I won't need an external USB or have to type in 48 digits each time the computer reboots.
On the other hand, I can kind of see the benefit of not having TPM too, in case your OS is corrupted and you want to save the files and document out of that hard drive using another computer.

Well, I will just prepare to purchase small (1-4GB) USB flash drives for a number of PCs that I need to upgrade to Win 7 Ultimate. I thought about TrueCrypt too, but I decided to go with MS solutions for a wide range of support, including paid support if necessary, instead of depending on a "free of charge forum".

Thanks for your help and I don't have further questions.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39845281
BL's main advantage is its central management; if you need to roll out to a lot of people, that's where the benefit is. TC is what I recommend and have used for 10 years without issue. TPM is to thwart cold boot physical attacks and bootloader rootkits, which all seem like good ideas, but if your data doesn't justify that kind of effort you don't have to do it. The security provided by pgp/tc and others is good enough for personal use; BL is better for Corp.
-rich
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39845386
I've used both as well. Bitlocker can take advantage of active directory if you're using it. I'm not sure what your config is but it seemed like a 1 off encrypted laptop, as opposed to a laptop on a domain in an enterprise.....what rich said above!!
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39846690
Buy the smallest thumb drive and remember not to use that thumb drive for anything else. Whatever you do, don't format that thumb drive after you have BitLocker enabled.
0
 

Author Comment

by:sglee
ID: 39847079
If that thumb drive is lost, but the computer and hard drive are unchanged, then can I recreate the keys and store them on the new thumb drive? If yes, does it generate new keys or the same keys?
0

 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39847084
See this article: http://technet.microsoft.com/en-us/library/dd875529%28v=ws.10%29.aspx
You can't recover unless you have a copy of those keys, one key only, but it can be backed up.
-rich
0
 

Author Comment

by:sglee
ID: 39847096
There is no server system on this site, just individual several PCs.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39847104
You'll want to back up the keys that are on the flash drives yourself then.
-rich
0
 

Author Comment

by:sglee
ID: 39847382
If the user lost original usb flash drive (where I saved the keys when I enabled BitLocker) and nothing has changed on the computer and the hard drive, can I save the keys again on another USB flash drive?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39847657
Yep: http://windows.microsoft.com/en-gb/windows7/what-is-a-bitlocker-recovery-key
To copy your BitLocker recovery key:

    Open BitLocker Drive Encryption by clicking the Start button, clicking Control Panel, clicking Security, and then clicking BitLocker Drive Encryption.

    Click Manage BitLocker, and then follow the instructions.
-rich
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39847766
If the user lost the original USB flash drive (where I saved the keys when I enabled BitLocker) and nothing has changed on the computer and the hard drive, can I save the keys again on another USB flash drive?  Make as many copies of the recovery key as prudent. If the machine is turned off and the USB key is lost then you have to enter the 25 character key.

On domain-joined machines the recovery key will be in Active Directory. If you have a Microsoft Account associated with this machine then it will be in your SkyDrive folder:
http://windows.microsoft.com/en-CA/windows-8/bitlocker-recovery-keys-faq
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39850556
It should be noted that the original question "Does this mean that the user has to stick a USB flash drive to his laptop EVERYTIME he turns it on?" should have been denied, because we have the option to set up a password from the command line (manage-bde -on c: -password). This is already possible with win7, but only on the command line, while win8 has it in the GUI.
0
 

Author Comment

by:sglee
ID: 39851216
@McKnife
Are you saying that the user doesn't have to have a USB flash drive connected to the computer every time the computer is turned on? In other words, we can store the password somewhere in the computer permanently; therefore I don't have to get a USB flash drive for each computer that I enable BitLocker on?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39851239
No it cannot, as I linked before
http://windows.microsoft.com/en-us/windows-vista/bitlocker-drive-encryption-overview
BitLocker can also be used without a TPM. To use BitLocker on a computer without a TPM, you must change the default behavior of the BitLocker setup wizard by using Group Policy, or configure BitLocker by using a script. When BitLocker is used without a TPM, the required encryption keys are stored on a USB flash drive that must be presented to unlock the data stored on a volume.
TC however can use a recovery disk or the 20+ character password the user has to remember. You can also purchase YubiKey Standards to remember the password for the user. http://www.yubico.com/applications/disk-encryption/disk-encryption-truecrypt/
-rich
0
 

Author Comment

by:sglee
ID: 39851276
I see.
It is not a problem. If the USB flash drive is lost, then I would have a hard copy as well as my user. As long as we can turn on the computer with the password/key, then I can re-create a new USB flash drive. Unfortunately they don't have a "File Server".
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39851889
My remembrance has failed me. With win7 the -pw switch was present but invalid for the OS partition. This was indeed not possible before win8 came out. Sorry. It could only be used with non-OS partitions.
0
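The command-line path the thread touches on (manage-bde for a no-TPM OS drive, and re-issuing a startup key after the original USB stick is lost) as an added example; this is not code from any of the posters above. It assumes an elevated prompt on the already-booted Win7 machine, the "Require additional authentication at startup" policy from the question already applied, and that E:\ (original USB) and F:\ (replacement USB) are placeholder drive letters.

```powershell
# Added example, not from the thread. Assumptions: elevated PowerShell on the
# unlocked Win7 machine, the no-TPM group policy already set, E:\ = original
# startup-key USB, F:\ = replacement USB (both placeholders).

# 1. Turn BitLocker on for C: with a USB startup key (no TPM) AND a 48-digit
#    numerical recovery password. The recovery password is what lets the user
#    boot at all if the stick is lost, so record it before continuing.
manage-bde -on C: -StartupKey E:\ -RecoveryPassword

# 2. List the key protectors. Keep a hard copy of the "Numerical Password"
#    value and note the ID of the "External Key" protector (the USB stick).
manage-bde -protectors -get C:

# 3. Lost the stick but the PC still boots (recovery password typed at the
#    boot prompt)? Add a fresh startup key on the replacement USB. This
#    creates a NEW protector; the drive's own encryption key is unchanged.
manage-bde -protectors -add C: -StartupKey F:\

# 4. Remove the protector for the lost stick so it can no longer unlock C:.
#    Replace the placeholder with the External Key ID printed in step 2.
manage-bde -protectors -delete C: -id "{OLD-EXTERNAL-KEY-PROTECTOR-ID}"

# 5. Confirm only the new External Key and the Numerical Password remain.
manage-bde -protectors -get C:
```

Note that, as McKnife's correction states, a `-Password` protector is not accepted for the OS drive on Windows 7, so on that platform the startup key or TPM remains the only pre-boot option alongside the recovery password.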