Bitlocker: Hot Swap OS SSD, so I do NOT want to use TPM, just USB key and PIN

Jeffrey Katz 1 Reputation point
2022-05-25T01:54:14.897+00:00

To ensure data integrity and backup, I have a standalone PC at home (with TPM 1.2 installed) with my OS discs on hotswap, which I clone regularly with interval backups going back a few months. If I want to ensure that a stolen computer (or drive) cannot be used, I can employ Bitlocker. The problem is that if the removed SSD is then put in another computer to boot up, I'll have the repeated joy of typing in the extended recovery key. If I update my graphics card, I have similar joy. If I do a privacy sweep, I get the same joy.

The frequency of having to enter the recovery key has resulted in my simply not using Bitlocker. The ultimate security failure (like an alarm that always goes off... you just bash it to pieces and don't use it).

What I would like is to be able to have my SSD secured with Bitlocker and a USB stick instead of the TPM, and that wherever the disc and USB stick go, I merely type in my PIN and it will work, regardless of the motherboard, graphics card, etc. Is this possible?


3 answers

  1. Reza-Ameri 17,341 Reputation points Volunteer Moderator
    2022-05-25T14:19:43.59+00:00

    The design of BitLocker is that you should have a TPM together with a PIN or USB key to enhance protection. However, there is an exception for devices without a TPM, and you may do it with the USB key. Have a look at:
    https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies
    So, you may do the following steps:

    1) Backup your data
    2) Turn off BitLocker on your device and make sure your device is unencrypted
    3) Boot into UEFI/BIOS and disable TPM
    4) Boot into Windows and enable BitLocker

    Since the TPM is disabled, it should allow you to create the encryption using a USB drive. However, take note that if you lose the USB drive or it is damaged, then you won't be able to boot into your system.
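    The same procedure as the four steps above, driven from an elevated PowerShell prompt instead of the Control Panel. This is an added example, not code from the answer or from Microsoft. It assumes the OS volume is C:, the USB stick is E:, an offline folder D:\bitlocker-recovery exists for the recovery password, and the TPM has already been disabled in UEFI (step 3). The registry values written under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones gpedit.msc sets for "Require additional authentication at startup" with "Allow BitLocker without a compatible TPM" ticked; if a domain GPO manages that key, set the policy there instead.

```powershell
# Added example (not from the thread or from Microsoft): BitLocker on the OS drive
# with a USB startup key and no TPM, matching Reza-Ameri's steps. Run as Administrator.
# Assumptions: OS volume C:, USB stick E:, recovery password backed up to D:\bitlocker-recovery.
$OsDrive   = 'C:'
$UsbDrive  = 'E:\'
$BackupDir = 'D:\bitlocker-recovery'   # an offline location, NOT the drive being encrypted

# 1. Local-policy equivalent of "Require additional authentication at startup" with
#    "Allow BitLocker without a compatible TPM" ticked (what gpedit.msc writes).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
foreach ($name in 'UseTPM','UseTPMPIN','UseTPMKey','UseTPMKeyPIN') {
    Set-ItemProperty -Path $fve -Name $name -Value 2 -Type DWord   # 2 = "Allow"
}

# 2. Refuse to continue if a TPM is still present and ready: Enable-BitLocker would
#    otherwise happily bind the OS drive to this motherboard, which is what the
#    question wants to avoid.
$tpm = Get-Tpm
if ($tpm.TpmPresent -and $tpm.TpmReady) {
    throw 'TPM is present and ready; disable it in UEFI first (step 3) or use a TPM-bound protector on purpose.'
}

# 3. Only write the startup key to a removable volume, never to a fixed disk.
$usbVol = Get-Volume -DriveLetter $UsbDrive.Substring(0, 1)
if ($usbVol.DriveType -ne 'Removable') {
    throw "$UsbDrive is not a removable drive; refusing to store the startup key there."
}

# 4. Encrypt the OS drive with a startup-key protector. No TPM is involved, so the
#    hidden .BEK file on the stick is the only thing the pre-boot loader asks for,
#    regardless of motherboard or graphics card.
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -StartupKeyProtector -StartupKeyPath $UsbDrive -SkipHardwareTest

# 5. Add a recovery password and store it off the machine. Without it, a lost or
#    dead USB stick means the volume is gone.
$vol    = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
$rpProt = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
"$($rpProt.KeyProtectorId) $($rpProt.RecoveryPassword)" |
    Out-File -FilePath (Join-Path $BackupDir "$env:COMPUTERNAME-OS.txt") -Encoding ascii

# 6. Verify: expect an ExternalKey protector (the USB .BEK) and a RecoveryPassword
#    protector, and no Tpm* entries.
Get-BitLockerVolume -MountPoint $OsDrive | Select-Object -ExpandProperty KeyProtector
```

    One caveat a practitioner should know before following the thread: on an OS drive without a TPM, BitLocker offers a startup-key protector and a password protector, and each of them unlocks the drive on its own. There is no protector that requires the USB key and a password together unless a TPM is part of the combination (TpmAndPin, TpmAndStartupKey, TpmAndPinAndStartupKey). Copy the .BEK off the stick to an offline backup as well, since anyone holding a copy of it can unlock the drive.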


  2. Limitless Technology 44,776 Reputation points
    2022-05-26T07:47:46.593+00:00

    Hi JeffreyKatz-9147,

    You can set up any USB flash drive as a “startup key” that must be present at boot before your computer can decrypt its drive and start Windows.

    This effectively adds two-factor authentication to BitLocker encryption. Whenever you start your computer, you’ll need to provide the USB key before it will be decrypted. This would be particularly useful with a small USB drive you carry with you on a keychain.

    Step One: Enable BitLocker (If You Haven’t Already)

    Step Two: Enable the Startup Key in Group Policy Editor
    Once you’ve enabled BitLocker, you’ll need to enable the startup key requirement in Windows’ group policy. To open the Group Policy Editor, press Windows+R on your keyboard, type “gpedit.msc” into the Run dialog, and press Enter.

    Head to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives in the Group Policy window.

    Double-click the “Require Additional Authentication at startup” option in the right pane.

    Select “Enabled” at the top of the window here. Then, click the box under “Configure TPM Startup Key” and select the “Require Startup Key With TPM” option. Click “OK” to save your changes.

    Step Three: Configure a Startup Key for Your Drive
    You can now use the manage-bde command to configure a USB drive for your BitLocker-encrypted drive.

    First, insert a USB drive into your computer. Note the drive letter of the USB drive–D: in the screenshot below. Windows will save a small .bek file to the drive, and that’s how it will become your startup key.

    Next, launch a Command Prompt window as Administrator. On Windows 10 or 8, right-click the Start button and select “Command Prompt (Admin)”. On Windows 7, find the “Command Prompt” shortcut in the Start menu, right-click it, and select “Run as Administrator”.

    Run the following command. The command below works on your C: drive, so if you want to require a startup key for another drive, enter its drive letter instead of c:. You’ll also need to enter the drive letter of the connected USB drive you want to use as a startup key instead of x:.

    manage-bde -protectors -add c: -TPMAndStartupKey x:

    The key will be saved to the USB drive as a hidden file with the .bek file extension. You can see it if you show hidden files.

    You’ll be asked to insert the USB drive the next time you boot your computer. Be careful with the key–someone that copies the key from your USB drive can use that copy to unlock your BitLocker-encrypted drive.

    To double-check whether the TPMAndStartupKey protector was added properly, you can run the following command:

    manage-bde -status
    (The “Numerical Password” key protector displayed here is your recovery key.)

    I hope this answers your question.

    Thanks.


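    A check to run after either answer's procedure, and before relying on it: which protectors the OS volume actually has, whether any of them is tied to this machine's TPM (the TPMAndStartupKey protector added by the manage-bde command above is), and whether the stick plugged in carries the matching .BEK file. This is an added example, not code from the answer or from Microsoft. It assumes the OS volume is C: and the USB stick is X:, as in the manage-bde command, and that the startup-key file on the stick is named after the ExternalKey protector ID without braces (an assumption to verify with manage-bde -status on your own machine).

```powershell
# Added example (not from the thread): report how a BitLocker OS volume can be
# unlocked at boot and whether the USB stick holds a matching startup key.
# Assumptions: OS volume C:, USB stick X:, .BEK file named <ProtectorId>.BEK.
function Get-BootUnlockPaths {
    param(
        [string]$MountPoint = 'C:',
        [string]$UsbRoot    = 'X:\'
    )

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey all depend on this motherboard's
    # TPM and its PCR measurements; a new GPU or firmware change can trip them.
    $tpmBound = @($types | Where-Object { $_ -like 'Tpm*' })
    # ExternalKey (USB .BEK) and Password travel with the disk.
    $portable = @($types | Where-Object { $_ -in 'ExternalKey', 'Password' })
    $recovery = @($types | Where-Object { $_ -eq 'RecoveryPassword' })

    # .BEK files are written hidden, so -Force is needed to list them.
    $bekFiles = @()
    if (Test-Path $UsbRoot) {
        $bekFiles = @(Get-ChildItem -Path $UsbRoot -Filter '*.BEK' -File -Force -ErrorAction SilentlyContinue)
    }
    $extIds = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'ExternalKey' } |
        ForEach-Object { $_.KeyProtectorId.Trim('{', '}') })
    $matching = @($bekFiles | Where-Object { $extIds -contains $_.BaseName })

    $warning = if ($tpmBound.Count -gt 0 -and $portable.Count -eq 0) {
        'Only TPM-bound protectors: moving the disk to another board means typing the recovery password.'
    } elseif ($recovery.Count -eq 0) {
        'No RecoveryPassword protector: lose the stick and the data is unrecoverable.'
    } elseif ($extIds.Count -gt 0 -and $matching.Count -eq 0) {
        "No .BEK on $UsbRoot matches this volume's ExternalKey protector."
    } else { $null }

    [pscustomobject]@{
        Volume           = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        TpmBoundPaths    = $tpmBound
        PortablePaths    = $portable
        HasRecoveryKey   = ($recovery.Count -gt 0)
        BekOnUsb         = @($matching | ForEach-Object Name)
        Warning          = $warning
    }
}

Get-BootUnlockPaths -MountPoint 'C:' -UsbRoot 'X:\' | Format-List
```

    Run it from an elevated prompt. If TpmBoundPaths is non-empty and PortablePaths is empty, the setup still depends on the machine's hardware configuration, which is the situation the question is trying to get away from; the non-TPM route in the first answer leaves only ExternalKey and RecoveryPassword in the list.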


  3. Jeffrey Katz 1 Reputation point
    2022-05-28T17:06:54.797+00:00

    Reza, Limitless: Thank you both VERY MUCH for taking the time to respond, and so quickly. My apologies for having to wait until the weekend to respond.

    @Reza-Ameri , I did as you instructed and disabled the TPM and it allowed me to implement Bitlocker with the password only. I did not try doing it with the USB stick.... yet.

    @Limitless Technology , thank you also... I will follow your instructions for the USB key creation and will let you know how it goes this weekend. HOWEVER- One question before I go through your OUTSTANDING and detailed instructions: Will the end result be that I have a Bitlocker encrypted OS disc that requires the USB stick be present AND that a password be used, OR will it ONLY require the USB stick? Here's why I ask:

    Goal: To have a USB stick (which is not dependent on a precise hardware configuration) functioning in place of a TPM (which will lock me out if I change a graphics card or hard drive), but that would still require a password.

    Here's why: I've got a computer full of hot-swap bays (for cloning, and off-site backup storage). With TPM, I swap out a (non-OS) SSD, and now I can't boot to my Bitlocker C drive without the joy of typing a recovery key just because I did a hot-swap. However, if I have a USB stick instead of TPM as the hardware 'key', I can change my computer configuration all I want, and I just need that USB stick and password and the BitLocker OS C drive will boot. IF someone steals the computer, and IF they somehow guess my password, unless they went to another room to find my USB key (of which they probably will not be aware), they will be SOL. ALSO, IF someone steals the computer and I inadvertently (human, after all) left the USB key in it, they will now have to ALSO figure out a password. 2FA, so to speak.

    @Limitless Technology: is what I'm proposing above possible with the instructions you provide? Again, they were excellent, but before I go through all that work I just wanted to check and see if the end result would achieve the above stated goal.

    THANK YOU BOTH VERY MUCH

