Enabling BitLocker on a System Without a TPM
If your PC doesn’t have a TPM chip, you can still use BitLocker. In this case, you’ll need a USB Flash drive, which is where BitLocker will store the startup key. You’ll need to insert this USB Flash drive each time you start your computer to decrypt the drive and work with your computer in the normal way.
First, you need to configure Windows 7 to allow BitLocker on a system without a TPM. Here’s how it’s done:
1. Select Start, type gpedit.msc, and then press Enter to open the Local Group Policy Editor.
2. Open the Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drive branch.
3. Double-click the Require Additional Authentication at Startup policy.
4. Select Enabled.
5. Click to activate the Allow BitLocker Without a Compatible TPM check box, as shown in Figure 2.
6. Click OK.
7. To ensure that Windows 7 recognizes the new policy right away, select Start, type gpupdate /force, and press Enter.
Note
If your version of Windows 7 doesn’t offer the Local Group Policy Editor, you can still configure BitLocker to work on non-TPM systems by editing the Registry. However, this requires creating and configuring a new Registry key and a half dozen settings. To make this easier, I created a REG file that does everything automatically. You can download this file from my website at http://mcfedries.com/Windows7Unleashed/.
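The following script is an added example, not the book’s REG file and not anything from the author’s website. It writes the Registry values that the Require Additional Authentication at Startup policy stores under HKLM\SOFTWARE\Policies\Microsoft\FVE, which is what steps 1–7 above and the Note describe; the key path and the six value names are taken from how that policy is stored on Windows 7, and you should treat the exact set as an assumption to compare against gpedit.msc on your own system. It must run from an elevated PowerShell prompt.

```powershell
# Added example (not from the book). Configures the Group Policy registry values behind
# "Require additional authentication at startup" so BitLocker accepts a USB startup key
# on a system with no TPM. Equivalent to steps 1-7 above; run as Administrator.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# Value meanings (assumed from the policy's option list in gpedit.msc):
#   UseAdvancedStartup  1 = the policy is Enabled
#   EnableBDEWithNoTPM  1 = "Allow BitLocker without a compatible TPM" is checked
#   UseTPM* values      2 = "Allow" for each TPM option (the policy's default choice)
$settings = @{
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 1
    UseTPM             = 2
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
foreach ($name in $settings.Keys) {
    New-ItemProperty -Path $fve -Name $name -PropertyType DWord -Value $settings[$name] -Force | Out-Null
}

# Check what was actually written before relying on it.
Get-ItemProperty -Path $fve | Select-Object UseAdvancedStartup, EnableBDEWithNoTPM, UseTPM*

# Apply the policy immediately (step 7 above) instead of waiting for the next refresh.
gpupdate /force
```

Because these values live under the Policies hive, they are treated exactly as if a domain or local Group Policy had set them; if the computer is domain joined, a conflicting domain policy will overwrite them at the next refresh, so check with gpresult /r which policy is in force.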
You can now enable BitLocker:
1. Select Start, Control Panel, System and Security, BitLocker Drive Encryption to open the BitLocker Drive Encryption window.
2. Click the Turn On BitLocker link beside your hard drive. The BitLocker Drive Encryption Wizard appears.
3. Click Next. The wizard lets you know that it will use another drive or free space on the system drive to enable BitLocker.
4. Click Next. The wizard prepares your hard drive and then prompts you to restart.
5. Click Restart Now. Your computer restarts, and when you return to Windows, the wizard reappears.
6. Click Next. The Set BitLocker Startup Preferences dialog box appears.
7. Click Require a Startup Key at Every Startup, and then click Next.
8. Insert the USB Flash drive you want to use to hold the Startup key.
9. In the list of drives, select your USB Flash drive, and then click Save. The wizard now asks how you want to store your recovery key.
10. Select one of the following options, and then click Next:
- Save the Recovery Key to a USB Flash Drive— Click this option to save the recovery key to a Flash drive. This is probably the best way to go because it means you can recover your files just by inserting the Flash drive. Insert the Flash drive, select it in the list that appears, and then click Save.
- Save the Recovery Key to a File— Click this option to save the recovery key to a separate hard drive on your system. Use the Save BitLocker Key As dialog box to choose a location, and then click Save.
- Print the Recovery Key— Click this option to print out the recovery key. Choose your printer in the dialog box that appears, and then click Print.
11. Click Continue. BitLocker tells you your system must be restarted.
12. If you chose to save your recovery key on a USB Flash drive, insert that drive (if it’s not still inserted), and then click Restart Now.
When your computer restarts, BitLocker starts encrypting the drive, and you see the notification shown in Figure 3. You can click the message to watch the progress.
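The same result can be reached from the command line with manage-bde.exe, the BitLocker tool that ships with Windows 7. The script below is an added example, not part of the book; it assumes the drive has already been prepared (the wizard’s steps 3–5 create the separate system partition, which manage-bde does not do), that the policy from the previous section is in place, and that C: is the operating system drive, E: the USB drive for the startup key, and F: a second USB drive for the recovery key. Those drive letters are placeholders. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the book). Turns on BitLocker for the OS drive with a USB
# startup key and saves a recovery key to a second removable drive, using manage-bde.exe.
# Drive letters are assumptions; adjust them to your own system. Run as Administrator.
$osDrive     = 'C:'
$startupKey  = 'E:\'   # holds the startup .BEK file needed at every boot (wizard steps 7-9)
$recoveryKey = 'F:\'   # holds the recovery .BEK file (wizard step 10, first option)

# Refuse to proceed if a key drive is missing; manage-bde would otherwise fail midway.
foreach ($d in $startupKey, $recoveryKey) {
    if (-not (Test-Path $d)) { throw "Key drive $d is not present" }
}
# Keeping both keys on one stick means losing that stick loses both the startup key
# and the recovery key; insist on separate drives.
if ($startupKey -eq $recoveryKey) { throw 'Store the startup key and recovery key on separate drives' }

# -RecoveryPassword also adds a 48-digit numerical password, which you can print
# (the wizard's third option) and keep somewhere other than with the PC.
manage-bde -on $osDrive -StartupKey $startupKey -RecoveryKey $recoveryKey -RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# Check: the protector list should show two External Key entries and a Numerical Password
# before you restart. If one is missing, the restart will not be protected as you expect.
manage-bde -protectors -get $osDrive

# Encryption starts after the restart; -status reports the percentage encrypted and
# whether protection is on, which is the same information as the Figure 3 notification.
manage-bde -status $osDrive
```

After the restart, manage-bde -status $osDrive is the quickest way to confirm that Protection Status reads On and that the conversion has finished, rather than relying on the tray notification alone.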