So, it's possible to unlock BitLocker with just TPM, TPM + USB, TPM + PIN, or TPM + PIN + USB.
However, only one TPM-like protector can be added. So, if I add TPM + USB, TPM + PIN goes away. The same thing happens with the manage-bde command run manually; I can only add one, and the other one vanishes.
I'm wondering if there's a method to keep them both?
My motivation is that I would like to have a convenient method to unlock while I'm in a safe environment (i.e. at home); however, carrying it with me at all times and keeping it with the laptop is now an inconvenience I'd like to avoid.
Entering the PIN even at home is kind of an inconvenience as well.
Alternative working approaches include adding a non-TPM protector, like:
- TPM + PIN, non-TPM USB key
  - I would assume that the full decryption key is now stored on the USB key. This is a downgrade, as TPM + USB would still require an attacker to bypass Windows authentication.
- TPM + USB, non-TPM password
  - This is probably more in line with my original goal, although the password would need to be more complex as there's no anti-brute-force TPM in play.
  - Edit: this is actually prohibited by Windows. It doesn't allow adding a password protector if any TPM-based protector is in play.
Thank you for any suggestions :)
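As an added example (not part of the original question, and not the poster's own script), the following PowerShell audits which key protectors a BitLocker volume currently has, reports which single TPM-family protector is in use, and flags the trade-off the question raises: a non-TPM `ExternalKey` (USB) protector unlocks the volume on its own, independent of the TPM and Windows sign-in. The function `Set-TpmFamilyProtector` is a hypothetical helper name; it only wraps the documented `Add-BitLockerKeyProtector` switches, and relies on the behaviour described in the question (adding one TPM-family protector replaces the existing one). The mount point `C:` and the startup-key path `E:\` are assumptions; the script needs the BitLocker PowerShell module and an elevated shell.

```powershell
# Added example: audit BitLocker key protectors on a volume and show the
# "only one TPM-family protector" constraint. Assumes an elevated shell and
# the BitLocker module (Get-BitLockerVolume / Add-BitLockerKeyProtector).
param([string]$MountPoint = "C:")   # assumed mount point

# Protector types that are bound to the TPM; at most one of these exists at a time.
$tpmFamily = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

function Get-ProtectorReport {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($vol.KeyProtector)

    "Volume $($vol.MountPoint): protection=$($vol.ProtectionStatus), method=$($vol.EncryptionMethod)"
    foreach ($p in $protectors) {
        "  {0,-20} {1}" -f $p.KeyProtectorType, $p.KeyProtectorId
    }

    $tpmProtectors = @($protectors | Where-Object { $tpmFamily -contains $_.KeyProtectorType })
    switch ($tpmProtectors.Count) {
        0       { "No TPM-bound protector: the volume relies on non-TPM secrets only." }
        1       { "TPM-bound protector in use: $($tpmProtectors[0].KeyProtectorType)" }
        default { "Unexpected: more than one TPM-family protector reported." }
    }

    # A non-TPM ExternalKey protector is a complete unlock secret on its own:
    # whoever holds that USB key can unlock the volume without the TPM or a sign-in.
    if ($protectors.KeyProtectorType -contains 'ExternalKey') {
        "Note: ExternalKey protector present; the USB key alone unlocks this volume."
    }
    # Changing protectors without an escrowed recovery password risks lock-out.
    if (-not ($protectors.KeyProtectorType -contains 'RecoveryPassword')) {
        "Warning: no RecoveryPassword protector; escrow a recovery key before changing protectors."
    }
}

# Hypothetical helper: switch the volume's single TPM-family protector.
# Per the question, adding one of these replaces whichever TPM-family protector existed.
function Set-TpmFamilyProtector {
    param(
        [string]$MountPoint,
        [ValidateSet('TpmPin', 'TpmStartupKey')] [string]$Mode,
        [string]$StartupKeyPath = "E:\"   # assumed removable drive for the startup key
    )
    switch ($Mode) {
        'TpmPin' {
            $pin = Read-Host -Prompt "Enter new BitLocker PIN" -AsSecureString
            Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin
        }
        'TpmStartupKey' {
            Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndStartupKeyProtector -StartupKeyPath $StartupKeyPath
        }
    }
}

Get-ProtectorReport -MountPoint $MountPoint
# Example of switching (commented out so the script is read-only by default):
# Set-TpmFamilyProtector -MountPoint $MountPoint -Mode TpmPin
# Get-ProtectorReport -MountPoint $MountPoint   # now shows TpmPin, and TpmStartupKey is gone
```

Running the report before and after `Set-TpmFamilyProtector` makes the constraint from the question visible in the protector list: the `TpmStartupKey` entry disappears when `TpmPin` is added, and vice versa, while non-TPM protectors such as `RecoveryPassword` or `ExternalKey` are untouched.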