Adventures with Bitlocker and USB

2017-12-01T11:30:09+00:00 | March 4th, 2010 | Windows

So you have a laptop without a TPM and still want to use BitLocker? You can: BitLocker can store the startup key on a USB key instead. This gives you a secure data encryption solution, at the cost of having to insert the USB key whenever the machine boots or resumes from hibernation. It is not needed when the machine wakes from sleep or standby, so the protection is mainly useful when your laptop is stolen or someone conducts an offline attack on your disk.

Funnily enough, this would also protect you from an attack directly on the TPM such as this, but you are still better off with a TPM than without one.

The steps on a Windows 7 machine are as follows:

Edit GPO

Edit your local Group Policy to enable Bitlocker with a USB key:

    Local Computer Policy>Administrative Templates>Windows Components>Bitlocker Drive Encryption>Operating System Drives>Require additional authentication at startup

Then edit that policy so that BitLocker can require boot authentication without a TPM.

Then configure BitLocker to store your recovery key in Active Directory (optional, but a good idea).

Update GPO

Run gpupdate so that the policy is applied.

Enable Bitlocker

Then enable BitLocker from Windows Explorer.

Now when I tried this on a USB key the other day I had an unpleasant surprise when I rebooted and my machine wouldn't boot, as it couldn't find the BitLocker key.

Turns out my USB key had a freebie security application on it which made the key unreadable at boot time. Luckily I had enabled the 48-bit recovery key and kept it somewhere safe, so I just reformatted the key and then used the Manage BitLocker option to recreate the key.
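The same steps from an elevated PowerShell prompt, with a check for the kind of USB key that caused the boot failure above. This is an added example, not from the original post; it assumes the OS volume is C:, the USB key is E:, and that the two FVE policy values set here are the ones the GPO above controls that matter on a TPM-less machine.

```powershell
# Added example (not from the original post). Run elevated on Windows 7 Enterprise/Ultimate.
# Assumptions: OS volume is C:, the USB startup key is E: (freshly formatted FAT32).
$OsDrive  = "C:"
$UsbDrive = "E:"

# 1. Policy: allow BitLocker without a TPM. This is the registry side of the GPO
#    "Require additional authentication at startup" edited in the steps above.
$fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
gpupdate /force | Out-Null

# 2. Check the stick before trusting it as the startup key. The post's boot failure
#    came from a vendor "security" app shipped on the key; a plain FAT/FAT32 volume
#    with nothing else on it is the case the boot loader can read.
$vol = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$UsbDrive'"
if ($vol -eq $null)                   { throw "$UsbDrive is not present" }
if ($vol.FileSystem -notmatch '^FAT') { throw "Format $UsbDrive as FAT32 first (found $($vol.FileSystem))" }
if (Test-Path "$UsbDrive\autorun.inf") { throw "$UsbDrive carries autorun.inf; reformat it before use" }

# 3. Add the recovery password first (the 48-digit key that saved the author), then
#    the startup key. The recovery password is printed once: record it somewhere safe.
manage-bde -protectors -add $OsDrive -RecoveryPassword
manage-bde -protectors -add $OsDrive -StartupKey "$UsbDrive\"

# 4. Verify both protectors exist and that the hidden .BEK file landed on the stick.
manage-bde -protectors -get $OsDrive
Get-ChildItem "$UsbDrive\*.BEK" -Force

# 5. Start encryption. BitLocker runs its hardware test on the next reboot, which
#    confirms the startup key is readable at boot before the volume is encrypted.
manage-bde -on $OsDrive
```

If step 5 reports that the hardware test failed after the reboot, the key was not readable at boot, which is the symptom described above; reformat the stick and re-add the startup key protector.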

