So you have a laptop without a TPM and still want to use BitLocker? You can: BitLocker can store the startup key on a USB drive instead of sealing it in a TPM. This still gives you full-volume encryption of the OS drive, but you will have to insert the USB key every time the machine boots or resumes from hibernation. It is not needed when the machine goes to sleep or standby, because the volume stays unlocked and the volume key stays in RAM. So this mainly protects you when the laptop is stolen while powered off or hibernated, or when someone mounts an offline attack on the disk; a machine taken while asleep still has the key in memory, so prefer hibernate or shutdown over sleep when the laptop leaves your hands.
Funnily enough, this also protects you from an attack aimed directly at the TPM such as this one, since there is no TPM in the chain at all, but you are still better off with a TPM than without one.
The steps on a Windows 7 machine are as follows:
- Edit your local Group Policy (gpedit.msc) to allow BitLocker with a USB startup key: Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup. Set it to Enabled and tick "Allow BitLocker without a compatible TPM".
- Optionally, in the same folder, enable "Choose how BitLocker-protected operating system drives can be recovered" and tick the option to save recovery information to Active Directory Domain Services (a good idea on a domain-joined machine, but not required).
- Run gpupdate /force so the policy applies.
- Turn on BitLocker from Windows Explorer (right-click the OS drive > Turn On BitLocker). With no TPM the wizard only offers the startup key option; choose it, point it at the USB drive, and save the recovery key somewhere that is not the laptop.
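The same procedure done from an elevated PowerShell prompt with manage-bde.exe, the command-line BitLocker tool that ships with Windows 7. This is an added example, not the original post's commands; the drive letters are assumptions, and the registry values are what gpedit.msc writes for the policy above (check them in gpedit on your own build rather than trusting this block).

```powershell
# Added example: enable BitLocker on a no-TPM Windows 7 machine with a USB
# startup key. Run as Administrator. $OsDrive and $UsbDrive are assumptions.
$OsDrive  = "C:"
$UsbDrive = "E:"   # USB drive that will hold the startup key (.BEK file)

# 1. Policy "Require additional authentication at startup" with
#    "Allow BitLocker without a compatible TPM". These are the registry
#    values behind that setting (2 = allowed, 1 = required, 0 = not allowed);
#    verify against gpedit.msc, as noted in the lead-in.
$fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPM             -Value 2 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 2 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMKey          -Value 2 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMKeyPIN       -Value 2 -Type DWord

# 2. Apply the policy.
gpupdate /force

# 3. Recovery password first, so there is always a way back in if the USB
#    key is lost or unreadable. Copy the 48-digit password it prints and keep
#    it somewhere that is not this laptop.
manage-bde -protectors -add $OsDrive -RecoveryPassword

# 4. Startup key on the USB drive. This writes a hidden .BEK file to the root
#    of $UsbDrive; the boot loader reads it before Windows starts.
manage-bde -protectors -add $OsDrive -StartupKey $UsbDrive

# 5. Checks before encrypting: both protectors are listed, and the .BEK file
#    really is on the stick (it is hidden+system, hence -Force).
manage-bde -protectors -get $OsDrive
Get-ChildItem -Path "$UsbDrive\" -Force -Filter *.BEK

# 6. Turn BitLocker on and reboot with the USB key inserted when prompted.
#    Keep the key inserted until the first boot has succeeded.
manage-bde -on $OsDrive
manage-bde -status $OsDrive
```

Adding the recovery password before the startup key is deliberate: if the USB key turns out to be unreadable at boot, the recovery password is the only other protector on the volume, and `manage-bde -protectors -get` is the place to confirm it is actually there before you reboot.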
Now, when I tried this with a USB key the other day I had an unpleasant surprise: when I rebooted, my machine wouldn't boot as it couldn't find the BitLocker key.
Turns out my USB key had a freebie security application on it which made the key unreadable at boot time. Luckily I had enabled the 48-digit recovery key and kept it somewhere safe, so I just reformatted the key and then used the Manage BitLocker option to recreate the key:
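The same recovery from the command line, as an added example that is not part of the original post: replace the startup key on a freshly reformatted USB drive after getting back in with the recovery password. Drive letters are assumptions, and the FAT32 check reflects the conventional safe choice for a startup key stick, not a requirement stated in the post.

```powershell
# Added example: recreate the BitLocker startup key after the USB drive has
# been reformatted. Run as Administrator, logged in after entering the
# 48-digit recovery password at the boot recovery screen.
$OsDrive  = "C:"
$UsbDrive = "E:"   # the reformatted USB drive

# 1. See which protectors the OS volume has. The old startup key shows up as
#    an "External Key" protector with a GUID in braces.
manage-bde -protectors -get $OsDrive

# 2. Remove the stale external key protector whose .BEK no longer exists.
#    Leave the recovery password protector alone; it is what let you back in.
manage-bde -protectors -delete $OsDrive -Type ExternalKey

# 3. Confirm the stick is a plain volume with no vendor software on it
#    (the boot loader has to read it unaided). FAT32 is the assumed safe choice.
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$UsbDrive'"
if ($disk.FileSystem -ne "FAT32") {
    Write-Warning "Expected FAT32 on $UsbDrive, found $($disk.FileSystem)"
}

# 4. Write a fresh startup key and check the hidden .BEK file landed.
manage-bde -protectors -add $OsDrive -StartupKey $UsbDrive
Get-ChildItem -Path "$UsbDrive\" -Force -Filter *.BEK

# 5. Both protectors should now be listed: External Key and Numerical Password.
#    Reboot with the stick inserted; if the recovery screen appears again, the
#    recovery password still works because step 2 did not touch it.
manage-bde -protectors -get $OsDrive
```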