Setting up BitLocker

If you read our other article about getting a compatible TPM module for a Gigabyte Motherboard, then you may have wondered what all the fuss was about. Or you just might want to use BitLocker as you already have a TPM capable machine.

Well, the simple ethos of TechBobbins is that if something is capable of doing a thing, it should be made to do that thing! (it has a TPM header, it must be filled with a TPM module). Now it has TPM, so it can run BitLocker in secure mode. So it must run BitLocker in secure mode!

Note that as this was worked out by experimenting with practically no use of the internet/help files, this is a list of what occurred - which is (in hindsight) probably the wrong way around. It's quite possible the group policy bits should be done FIRST, but in this example they weren't - and it's working, so....

Note: This article was written for Windows 7 Ultimate, and Windows 10 may differ slightly - however Windows 10 will ask if you'd like to save your BitLocker encryption keys to the Cloud. We suggest you decline this kind offer and backup your keys elsewhere!

Prerequisites

Obviously you have to have a system that is:

  1. Capable of running BitLocker (i.e. running Windows 7 Ultimate or Windows 10 Professional)

  2. Fitted with a TPM module (that has been enabled in BIOS, initialized and "owned")
    NOTE: TechBobbins strongly recommends you source a module which supports TPM specification 1.2 as a minimum!

  3. Running a BIOS capable of booting from USB

  4. Fitted with a hard drive to encrypt, with the O/S installed, booted and working.

  5. Backed up! If this doesn't work for you, or you break something - it's not our fault!

Get Started

  1. Enable BitLocker - Click Start, type in bitlocker and click on BitLocker Drive Encryption

  2. Click your C: drive

  3. Click "Turn On BitLocker"

  4. Let your system do its thing (which will include reboots)

  5. When prompted, save (backup) the recovery keys to a USB stick. Also, save them to another file somewhere else you know won't be encrypted (network disk that you know you can access later if needed, but that is secure), and print them out (and put the printouts somewhere secure).
    Your boot drive recovery keys are vital - lose them, your system is toast.

  6. Then reboot, and all is normal - you won't yet notice a thing.

  7. Now open up an administrative command prompt and run:
    manage-bde -protectors -get c:

  8. That will list three keys (Numerical Password, External Key and TPM).

  9. Now put a different USB key in, and run:
    manage-bde -protectors -add c: -TPMAndStartupKey X:
    Replace X: with the drive letter of the USB key.

    That will have added a new ID for "TPM with startup key" and put it on the USB drive, which is now your startup token - but your system is still set not to use it.
    You can validate it's there by running the "get" command again - but now your C: drive has four keys/ways to start/unlock - although none are enabled - yet.

  10. Then, using Group Policy, go to :
    Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

  11. Double click the "Require additional authentication at startup" setting.

  12. Switch the setting to "Enabled" (the options below it will become active).

  13. Disable (uncheck) "Allow BitLocker without a compatible TPM" - this obviously means you have to have a TPM module installed (if you don't, you can leave this checked and continue using BitLocker, although your system will not be as secure as possible).

  14. Then, change the other dropdown to the following settings:

    • Configure TPM startup : Do not allow TPM

    • Configure TPM startup PIN : Do not allow startup PIN with TPM

    • Configure TPM startup key : Require startup key with TPM

    • Configure TPM startup key and PIN : Do not allow startup key and PIN with TPM

      The third one (Require startup key with TPM) is the important one! Also, if you look at each dropdown you will see they have three options - Allow, Require and "Do Not Allow". Allow means you could use the option, or not. "Do Not Allow" means you cannot use it, and Require means you must use it. With the above settings, the system will only boot with a startup key and a TPM module.

  15. Click "Apply", remove the USB drive and reboot.
    Before the "Starting Windows" screen appears, you should now get a nice DOS-esque window telling you that you need a startup key, or to enter recovery mode. Put the USB startup key in, press ESC and the machine will reboot, and this time, start as normal.

  16. The next thing to do is remove the keys you don't need. Run :
    manage-bde -protectors -get c:

  17. Note the ID strings for each key (including the {} curly brackets). Then run:
    manage-bde -protectors -delete C: -id {KEY ID HERE INCLUDING CURLY BRACKETS}
    Do this ONLY for the External Key and the TPM (only) key.
    This should leave you with the Numerical Password and the "TPM And Startup Key", and you should see something like this (our IDs removed).

    C:\Windows\system32>manage-bde -protectors -get c:

    BitLocker Drive Encryption: Configuration Tool version 6.1.7601
    Copyright (C) Microsoft Corporation. All rights reserved.

    Volume C: [System]

    All Key Protectors

    Numerical Password:
    ID: {REDACTED}
    Password:
    REDACTED

    TPM And Startup Key:
    ID: {REDACTED}
    External Key File Name:
    REDACTED.BEK

    This means you can now only unlock C: (i.e. boot) with the recovery key (the Numerical Password, which you printed out earlier) OR the TPM plus the USB startup key. At this point however, only your boot disk is secure - any data on other partitions/disks could still be read if removed from the computer - so now you can encrypt any other partitions/disks you have - but when you do so, set them to automatically unlock. Also, save/print their unlock keys (NOT to your startup USB key!).

    Once you've encrypted a new disk, there is one more step to take.

  18. Again, run:
    manage-bde -protectors -get Y:
    Where Y: is the newly encrypted drive.
    You will see a new type of key, an External Key with "Automatic unlock enabled" under it. It will look like this:

    External Key:
    ID: {REDACTED}
    External Key File Name:
    REDACTED.BEK
    Automatic unlock enabled.

    Remove ALL other keys for that drive except the Numerical Password and the key whose ID states it's the automatic unlock one (i.e. remove the TPM key and any External Key without automatic unlock).

    This drive does not need a startup key, as it's not the boot disk. The unlock key for this drive is put in your registry, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FVEAutoUnlock and if you try to access that registry key (even as an administrator) Windows won't let you. Don't worry about that key being in the registry though, as the Registry is on your boot disk, and that's already encrypted - so it's only accessible by you. When the boot disk is unlocked at startup, Windows will access that key and unlock your other disks automatically.
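    An added example (not from the article, and not a Microsoft tool): a small PowerShell check that parses the manage-bde protector listing and reports what is missing or still needs deleting for the end state of steps 17 and 18. It assumes manage-bde.exe is on the PATH when run live; the sample text at the bottom is constructed, not real output.

```powershell
# Added example, not TechBobbins' own script. Parses "manage-bde -protectors -get X:"
# output and flags anything that differs from the article's end state: OS volume =
# Numerical Password + TPM And Startup Key; data volume = Numerical Password + an
# auto-unlocking External Key. PowerShell 2.0 compatible, so it runs on Windows 7.
function ConvertFrom-ManageBdeProtectors {
    param([string[]]$Lines)
    # Protector headings manage-bde prints (longer names first so "TPM" cannot shadow them)
    $types = 'Numerical Password|TPM And PIN And Startup Key|TPM And Startup Key|TPM And PIN|TPM|External Key'
    $protectors = @(); $current = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match "^($types):$") {
            $current = New-Object PSObject -Property @{ Type = $Matches[1]; Id = $null; AutoUnlock = $false }
            $protectors += $current
        } elseif ($current -ne $null -and $t -match '^ID:\s*(\{[0-9A-Fa-f-]+\})') {
            $current.Id = $Matches[1]
        } elseif ($current -ne $null -and $t -match '^Automatic unlock enabled') {
            $current.AutoUnlock = $true
        }
    }
    return ,$protectors
}
function Test-ExpectedProtectors {
    param([object[]]$Protectors, [switch]$OsVolume)
    if ($OsVolume) { $expected = 'Numerical Password', 'TPM And Startup Key' }
    else           { $expected = 'Numerical Password', 'External Key' }
    $issues = @()
    foreach ($want in $expected) {
        if (-not ($Protectors | Where-Object { $_.Type -eq $want })) { $issues += "missing protector: $want" }
    }
    foreach ($p in $Protectors) {
        if ($expected -notcontains $p.Type) {
            $issues += "extra protector '$($p.Type)' $($p.Id) - candidate for manage-bde -protectors -delete"
        } elseif (-not $OsVolume -and $p.Type -eq 'External Key' -and -not $p.AutoUnlock) {
            $issues += "External Key $($p.Id) is not the automatic-unlock key"
        }
    }
    return ,$issues
}
# Constructed sample standing in for real output; on a live machine use:
#   $lines = manage-bde -protectors -get C:
$sample = @'
    Numerical Password:
      ID: {11111111-2222-3333-4444-555555555555}
      Password:
    TPM:
      ID: {66666666-7777-8888-9999-000000000000}
'@ -split "`r?`n"
Test-ExpectedProtectors -Protectors (ConvertFrom-ManageBdeProtectors -Lines $sample) -OsVolume
```

    The constructed sample deliberately still carries the TPM-only protector and lacks the startup-key one, so the check exercises both its "extra" and "missing" branches; for a data drive, call it without -OsVolume.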

If you want to use TPM + Key + PIN, change the methods above to use TPM + Key + PIN instead of just TPM + Key. When you tell manage-bde to use a PIN, it will ask you for one - just make sure you remember it! (or keep your recovery keys available!)

"Best Practice" Suggestions

  • Keep your recovery keys (USB and print versions) safe and away from your computer.

  • Keep your recovery keys and startup key(s) on separate USB drives - they shouldn't be mixed!

  • Duplicate your startup key - in case you lose it, or have multiple users of the same computer
    NOTE: You cannot just "copy" the startup key file (.BEK extension) from one USB drive to another.
    You must do the following :

    • Open Explorer

    • Right click the C: drive

    • Select "Manage Bitlocker"

    • Select "Duplicate Startup Key"

    This is because Windows checks the physical ID of the USB key, to check someone hasn't just got hold of your drive and swiped the file.

  • Obviously, don't lose your USB fob, or your print out recovery keys!

Now, all the data on your encrypted drives is not only encrypted, it cannot be accessed without your startup key, and even if the drives were removed from your computer, they cannot be accessed as the TPM module would not be present.

You may however realise that your USB stick can be removed, and the files on it copied. To this end you could enable Configure TPM startup key and PIN rather than just Configure TPM startup key - which will allow you to set an additional PIN you must enter, as well as connecting your USB stick. Alternatively, we think that an externally encrypted USB stick, such as the Corsair Flash Padlock or Lok-IT Secure Flash Drive (we use the latter) covers both options - as it is a physical USB drive which requires entry of a PIN on the stick itself, before inserting it into your PC - that way your USB key cannot just be found and inserted/copied. Or, you could combine all three, but that's possibly just overkill!

You can also enhance your TPM security by setting BitLocker to validate your computer's physical setup. Within Group Policy, these settings are found at

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Configure TPM platform validation profile

Configuring the items in that menu can protect (alert) you if someone has tampered with the BIOS, disks or computer in any way, and that is covered in our BitLocker Plus article :)

If this helped you, please let us know!