Enabling BitLocker Drive Encryption when TPM Is Not Available
If TPM hardware is not available on the system, BitLocker must be configured to use a USB key at startup. The following example configures a local group policy for the Group Policy Object titled "Enabling Advanced Startup Options: Control Panel Setup."
1. Click Start, Run, and then type gpedit.msc. Click OK and the Local Group Policy Object Editor is invoked.
2. In the Local Group Policy Object Editor, expand Local Computer Policy, Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, and then select Operating System Drives.
3. In the right pane, double-click Require Additional Authentication at Startup.
4. Enable the BitLocker Group Policy settings by selecting the Enabled option, and then click OK, as displayed in Figure 4.
5. Apply the new Group Policy settings by typing gpupdate.exe /force at the command prompt.
BitLocker Drive Encryption utilizing a USB device can now be configured by completing the following steps:
1. Click Start, Control Panel, and double-click BitLocker Drive Encryption.
2. Enable BitLocker Drive Encryption by clicking Turn On BitLocker on the BitLocker Drive Encryption page.
3. Review the message on the BitLocker Drive Encryption Platform Check page, and then click Continue with BitLocker Drive Encryption to start the BitLocker process.
4. If necessary, the wizard prepares the system for BitLocker; when it finishes, click Next.
5. Because a TPM does not exist in this example, select the option Require a Startup USB Key at Every Startup, and then click Next. This option can be found on the Set BitLocker Startup Preferences page.
6. Ensure a USB memory device has been inserted into the system. Then, on the Save Your Startup Key page, specify the removable drive to which the startup key will be saved, and then click Save.
7. The Save the Recovery Password page is then invoked. The administrator can save the BitLocker recovery password to a USB drive or to a folder on the system; a third option prints the password. Choose the desired storage alternative for saving the recovery password, and then click Next to continue.
   Note
   It is a best practice to make additional copies of the recovery password and store them in a secure location such as a vault. For maximum security, the recovery password should not be stored on the local system, nor should the password be printed on paper. In addition, do not store the recovery password and the startup key on the same media.
8. On the Encrypt the Volume page, ensure the Run BitLocker System Check option is enabled, and then click Continue. The system check verifies that BitLocker can access and read the recovery and encryption keys before encrypting the volume.
   Note
   Do not bypass the option to run a system check before encrypting the volume. Data loss can occur if there is an error reading the encryption or recovery key.
9. Insert the USB memory device containing the startup key into the system, and then click Restart Now. The Encryption in Progress status bar is displayed, showing the completion status of the disk volume encryption.
Note
The USB device must be plugged into the system every time the system starts in order to boot and gain access to the encrypted volume. If the USB device containing the startup key is lost or damaged, you must use Recovery mode and provide the recovery key to start the system.
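The two procedures above, scripted end to end as an added example that is not from the original text. It assumes the operating system volume is C:, the startup key is saved to a removable drive E:, the recovery password is saved to a folder on a different removable drive F:, and that the local-policy registry values under HKLM:\SOFTWARE\Policies\Microsoft\FVE named below are the ones the Require Additional Authentication at Startup setting writes; it also enforces the two notes (keys on separate media, hardware test not skipped).

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the GUI steps above. The registry
# value names and the drive letters are assumptions, not taken from the text.
param(
    [string]$OsDrive       = 'C:',
    [string]$StartupKeyDir = 'E:\',
    [string]$RecoveryDir   = 'F:\BitLockerRecovery'
)

# Confirm there really is no usable TPM before taking the USB-key route.
$tpm = Get-Tpm
if ($tpm.TpmPresent -and $tpm.TpmReady) {
    throw 'A ready TPM is present; use the TPM-based procedure instead.'
}

# Note under step 7: startup key and recovery password must not share media.
if ((Split-Path -Qualifier $StartupKeyDir) -eq (Split-Path -Qualifier $RecoveryDir)) {
    throw 'Startup key and recovery password must be saved to different media.'
}

# First procedure (steps 1-5): allow BitLocker without a compatible TPM.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Type DWord -Value 1
gpupdate.exe /force | Out-Null

# Second procedure (steps 2-6): turn on BitLocker with a startup-key
# protector written to the removable drive. -SkipHardwareTest is deliberately
# NOT used, so the system check from step 8 still runs before encryption.
Enable-BitLocker -MountPoint $OsDrive -StartupKeyProtector -StartupKeyPath $StartupKeyDir

# Step 7: add a recovery password protector and save it off the local system.
$vol = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
New-Item -ItemType Directory -Path $RecoveryDir -Force | Out-Null
$file = Join-Path $RecoveryDir ($OsDrive.TrimEnd(':') + '-recovery-password.txt')
"$($rp.KeyProtectorId) $($rp.RecoveryPassword)" | Out-File -FilePath $file

# Step 9 happens after the restart; report what now protects the volume.
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
```

Leave the USB key in the system and restart to let the hardware test complete; the volume only begins encrypting after that check succeeds.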