This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 19%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EF%3C/text%3E%3C/svg%3E)
Hey,
So, it's possible to unlock bitlocker with just TPM, TPM + USB, TPM + Pin, TPM + Pin + USB.
However, only one TPM-like protector can be added. So, if I add TPM + USB, TPM + Pin goes away. Same thing happens with manage-bde command manually; I can only add one and another one vanishes away.
I'm wondering if there's a method to keep them both?..
My motivation is that I would like to have a convenience method to unlock while I'm in a safe environment (i.e. at home); however, carrying it with me at all times and keeping it with a laptop is now an inconvenience I'd like to avoid.
Entering the Pin even at home is kinda an inconvenience as well.
Alternative working approaches include adding non-TPM protector, like:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 77%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
It's possible like this: in untrusted environments, use TPM+piN or tpm+USB+PIN. When at home, use the startup key (a second usb key). Its presence overrides the requests for other protectors.
It is possible, I found it after experimentation myself, yet it's by FAR the least secure/comfortable of the options. I'm more comfortable with 128 bit password stored in my head than on usb drive that's lying on the table.
Imagine you have a knowledgeable covert attacker in your supposedly safe environment. Startup key on usb allows them to bypass encryption altogether unbeknownst to you, by booting a separate os from the usb drive. They still don't have access to specialized hardware (so can't bypass post boot auth), and won't solder / reap hardware apart; but now can do a very easy to execute and very difficult to track attack.
Doing tpm + (usb or pin) makes it much more secure, and I fail to see why can't it be done (I haven't read the specs but will be surprised if tpm spec doesn't make it possible to add at least 3-5 protectors simultaneously).
Technically, pw + (usb and Tpm) should also be possible, yet likely disabled because of "security".
An even better way to do this would be to do / add an option to do what mac os does. On cold boot, they:
Not sure if I understand your concerns as I find it neither insecure nor inconvenient that way.
I am on the road and I have to type my TPM PIN.
I am at home and I may boot the stick either using the PIN, or, if I prefer to, by simply inserting the USB key that holds the startup key. As long as I can guard that key and keep it stored somewhere safe, I see no problem.
As long as I can guard that key and keep it stored somewhere safe, I see no problem.
Well, that is the problem, isn't it? If I can't just keep it in my laptop while it's at home / dock, then the whole point is lost, and I'd better enter the pin to begin with instead of searching for the key. Storing it in a secure way is also a nuisance. Maybe I have a child who'd be able to copy my passwords while I'm not at home. Or corrupt 3rd world country cops who know that I'm hypothetically a rich it person, and they'd get access to my unencrypted data. In pretty much every case I can imagine for myself, risk involved x simplicity of use is acceptable for usb + tpm yet is unacceptable for usb w/o tpm.