Bitlocker without TPM:
BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.
On computers that do not have a TPM version 1.2, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and it does not provide the pre-startup system integrity verification offered by BitLocker with a TPM.
In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.
Hardware, firmware, and software requirements
To use BitLocker, a computer must satisfy certain requirements:
- For BitLocker to use the system integrity check provided by a TPM, the computer must have a TPM version 1.2. If your computer does not have a TPM, enabling BitLocker will require you to save a startup key on a removable device such as a USB flash drive.
- A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS. The BIOS establishes a chain of trust for pre-operating system startup and must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require a TCG-compliant BIOS.
- The system BIOS (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment. For more information about USB, see the USB Mass Storage Bulk-Only and the Mass Storage UFI Command specifications on the USB Web site (http://go.microsoft.com/fwlink/?LinkId=83120).
- The hard disk must be partitioned with at least two drives:
· The operating system drive (or boot drive) contains the operating system and its support files; it must be formatted with the NTFS file system.
· The system drive contains the files that are needed to load Windows after the BIOS has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the NTFS file system. The system drive should be at least 1.5 gigabytes (GBs).
Installation and initialization:
· By default, the BitLocker setup wizard is configured to work seamlessly with the TPM. An administrator can use Group Policy or a script to enable additional features and options.
For enhanced security, you can combine the use of a TPM with either a PIN entered by the user or a startup key stored on a USB flash drive.
On computers without a compatible TPM, BitLocker can provide encryption, but not the added security of locking keys with the TPM.
In this case, the user is required to create a startup key that is stored on a USB flash drive.
Hence without a Flash Drive, you cannot get even the recovery screen as Flash drive is mandatory to even get the screen to enter the key.
To enable BitLocker on a computer without a TPM, you must enable the Require additional authentication at setup Group Policy setting, which is located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.
You must select the Allow BitLocker without a compatible TPM check box. After this setting is applied to the local computer, the non-TPM settings appear in the BitLocker setup wizard.
Try to uncheck the option under gpedit, then reboot, then check again if you can use a usb flash as crypt key
I would suggest you to disable the settings and then re-apply it. Follow the directions in the link given below.
Step 1: What Group Policy settings are used with BitLocker?
Step 2: BitLocker Drive Encryption in Windows 7: Frequently Asked Questions
You may have to change few settings in Group Editor Policy on your computer in order to enable Bitlocker, follow the steps below:
1. Click on Start>> type in gpedit.msc in the Start Search.
2. Click on Computer Configuration>>click Administrative Templates>>click Windows Components>>click on Bitlocker Drive Configuration
3. Now right click on Control Panel: Enable advanced Startup Options and select Properties.
4. Put a check for “Allow Bitlocker without compatible TPM chip”.
Now reboot the computer and check if you are able to use
How To Use BitLocker on Drives without TPM
BitLocker is an encryption feature available in Ultimate and Enterprise versions of Windows 7 and Vista, but requires a Trusted Platform Module (TPM) on the system. Not all systems include TPM and today we take a look at how to bypass it so you can use BitLocker.
You can use BitLocker to encrypt an entire fixed drive, such as the local drive Windows is installed on or an internal data drive. For removable flash or external USB drives you can use its younger brother, BitLocker To Go. First let’s take a look at how to enable BitLocker on a local hard drive.
To encrypt an entire drive, simply right-click on the drive and select Turn on BitLocker from the context menu.
Next you’ll need to choose a secure password that will be used to access the drive.
You’re prompted to store the recovery key which is used in the event you lose your password or smartcard. If you store it as a file make sure that it’s not on the same drive that you’re encrypting.
Confirm you want the drive to be encrypted then wait until the process is complete. The amount of time it takes will vary based on the size and amount of data on the drive.
To access the encrypted drive you’ll need to enter in the password to unlock it.
The drive icon will change to show it’s encrypted with BitLocker, where the gold lock indicates it’s locked up and the gray lock is displayed after you have unlocked it.
Use BitLocker on a Drive Without TPM
If you have a drive that doesn’t have a compatible TMP then you’ll need to use the following steps and have a flash drive.
Enter in gpedit.msc in the search box of the Start menu and hit Enter.
Under Local Computer Policy navigate to:
Computer Configuration \ Administrative Templates \ Windows Components \ Bit Locker Drive Encryption \ Operating System Drives and double click on Require additional authentication at startup.
Enable the feature and check the box next to Allow BitLocker without a compatible TPM, click Apply and Ok, and close out of Local Group Policy Editor.
Go back to the hard drive you want to encrypt and turn on BitLocker.
A restart will be required to prepare the disk, and at this point make sure the flash drive is plugged in.
After the restart you’re prompted to use the startup key on the flash drive every time you start the computer.
Select the drive you want to use to store the key.
Hope this helps
Look forward to hearing from you.