Using BitLocker Without a Trusted Platform Module
Protect your data, even in the absence of a TPM security chip
November 19, 2010
Microsoft introduced BitLocker Drive Encryption (BDE), or BitLocker, in Windows Server 2008 and Windows Vista. BitLocker offers volume-level data encryption for data stored on Windows clients and servers and protects the data when systems are offline (i.e., when the OS is shut down). BitLocker can prevent data breaches such as the theft of confidential corporate data on employee laptop computers. In previous Windows versions this protection wasn't possible without a third-party product.
BitLocker can also offer an integrity-checking mechanism that makes the OS itself more resilient in the face of attacks. When BitLocker is applied to the system volume, it can provide a file-integrity checking feature that automatically assesses the status of boot files such as the BIOS, Master Boot Records (MBRs), and the NTFS boot sector when the system boots and before the OS starts. If a hacker inserts malicious code into one of the boot files or modifies one of the files, BitLocker will detect it and block the OS from starting.
The first version of BitLocker had some shortcomings that Microsoft addressed in the newer OS releases. In the initial release, only a single volume—the OS drive—could be BitLocker protected. In Server 2008 and Vista SP1, Microsoft added support for BitLocker protection of different volumes, including local data volumes. In Server 2008 R2 and Windows 7, Microsoft added BitLocker support for removable data drives (e.g., memory sticks, external data drives). This feature is called BitLocker To Go. For an overview of the disk configurations that BitLocker supports, see Microsoft’s “BitLocker Drive Encryption in Windows 7: Frequently Asked Questions.” Server 2008 R2 and Windows 7 also come with an extended set of BitLocker Group Policy Object (GPO) configuration settings, including a new data recovery agent feature that allows centralized recovery of the BitLocker-protected data in an Active Directory (AD) forest.
In this article I explain how you can leverage BitLocker without using a Trusted Platform Module (TPM). A TPM is a special security chip that’s built in to most of today’s PC motherboards. Using BitLocker with a TPM adds security value, but it also adds setup and management complexity and overhead. In addition, many organizations still have older computers that don't have TPMs. You can’t add a TPM to a computer; it’s either part of the system’s design, or it isn’t.
Fortunately, Microsoft included several configuration options in BitLocker that make it usable on systems that don't have a TPM. I’ll walk you through the steps to get BitLocker up and running on a computer that doesn't have a TPM, I’ll explain which tools you need instead, and I’ll cover best practices you can follow.
Protecting the OS Drive Without a TPM
BitLocker is available in all Server 2008 R2 and Server 2008 editions (except the Itanium edition); Windows 7 Ultimate and Enterprise; and Vista. On Windows 7 and Vista the BitLocker logic is installed as part of the OS installation process. On Server 2008 R2 and Server 2008, BitLocker is an optional feature that you must install. You can do so using the Add features option that’s available from the Initial Configuration Tasks window or—after installation—from Server Manager.
You can use BitLocker without a TPM for protecting your OS drive and for protecting fixed or removable data drives. Using BitLocker without a TPM to protect OS drives involves a BitLocker setup process that’s slightly different from the standard process that I outline later in the article; it also requires an additional GPO tweak that you must make prior to starting the BitLocker setup process.
To protect your OS drive with BitLocker in the absence of a TPM, you need a removable USB memory device and a computer equipped with a BIOS that can boot from that device. This requirement is necessary because the USB drive holding the BitLocker encryption key must be connected and readable through the BIOS when your system starts. The user must then insert the USB drive during startup to unlock the encrypted OS drive.
Before you can use BitLocker on your OS drive without a TPM, you must change the default behavior of the BitLocker Drive Encryption wizard. If your system doesn’t have a TPM, if your TPM is disabled, or if your TPM is set in the BIOS to be hidden in the OS, the BitLocker Drive Encryption wizard will display the error message shown in Figure 1 during the initialization phase. The wizard then also forces you to abandon the BitLocker setup—the Cancel button is the only option.
A GPO setting lets you change this default behavior. (Administrators can use a domain-based GPO to globally change the setting.) To change the behavior of the BitLocker Drive Encryption wizard on your Server 2008 R2 or Windows 7 machine, start Group Policy Editor (GPE). Click Start, Run, type gpedit.msc, and press Enter.
Navigate to the Computer ConfigurationAdministrative TemplatesWindows ComponentsBitLocker Drive EncryptionOperating System Drives GPO container. Double-click Require additional authentication at startup (for configuring Server 2008 R2 or Windows 7 systems) or Require additional authentication at startup (Windows Server 2008 and Windows Vista (for configuring Server 2008 or Vista systems). Then click Enabled to enable changes to the policy, as Figure 2 shows.
If the Allow BitLocker without a compatible TPM option isn’t selected, select it now. Click OK and close GPE. Use gpupdate.exe to update the GPO settings on your machine from the command line.
After you make the GPO change, the BitLocker Drive Encryption wizard will no longer generate a TPM error during initialization. The wizard will offer the Require a Startup key at every startup option as the only startup preference. When you click this startup preference, the wizard will prompt you to insert a removable USB memory device to save the startup key. After the BitLocker Drive Encryption wizard completes successfully, you’ll be prompted to plug in the BitLocker USB key every time your system boots.
A similar GPO setting is available in Server 2008 and Vista. This setting is located in the Computer ConfigurationAdministrative TemplatesWindows ComponentsBitLocker Drive Encryption GPO container’s Control Panel Setup: Enable Advanced Startup Options entry.
On Server 2008 and Vista, you need to prepare your OS drive before you can protect it with BitLocker. BitLocker requires a special system partition to store system files that can’t be encrypted and that are required to start or recover the OS. You can create this special system partition using the BitLocker Drive Preparation Tool. For information about the tool, including instructions for installing it, see the Microsoft article “Description of the BitLocker Drive Preparation Tool.” In Server 2008 R2 and Windows 7 this tool is integrated into the BitLocker Drive Encryption wizard.
The Encryption Process
The BitLocker Drive Encryption wizard makes setup easy, if not quick. The wizard can take a long time to run—possibly several hours depending on the drive size. Encrypting my 45GB data drive with BitLocker took about two hours. The good news is that the encryption occurs in the background and your computer is still useable during this time. However, I still recommend that you do nothing else on your machine until the encryption process is finished because your computer might run more slowly.
Before you start the BitLocker Drive Encryption wizard, make sure you have a full backup of the data on the drive you want to protect with BitLocker. Although the wizard is robust, it’s still possible for something to go wrong (e.g., a drive hardware failure).
To start the BitLocker Drive Encryption wizard, go to the Control Panel BitLocker Drive Encryption applet. You’ll see a list of all the available volumes that can be encrypted with BitLocker (OS, fixed, and removable drives). If you see a warning message—for example, a warning that there’s no TPM present—then you must first complete the steps outlined in the previous section.
In the BitLocker Drive Encryption applet, select Turn on BitLocker for the drive you want to protect to start the BitLocker Drive Encryption wizard. You can also right-click the drive icon in Windows Explorer and select Turn on BitLocker to start the wizard.
The BitLocker Drive Encryption wizard presents you with a series of options to unlock the drive, as Figure 3 shows.
These options include Use a password to unlock the drive, Use my smart card to unlock the drive, and Automatically unlock this drive on this computer. Unless you choose to automatically unlock the drive, you must provide a password or smart card and associated PIN when you want to access the protected data drive. The option to automatically unlock the drive is available only for fixed data drives if your OS drive is also BitLocker protected—in which case the data drive is automatically unlocked when you log on to Windows. If you want to use a smart card to unlock your drive, you need a special certificate and private key on your smart card. For information about how to obtain such a certificate from an internal Certification Authority (CA) or how to generate a self-signed certificate for this purpose, see Microsoft’s “BitLocker Drive Encryption Step-by-Step Guide for Windows 7.”
The wizard gives you the option to save the BitLocker recovery password to different locations: to a USB flash drive, to a file, or as a printed document. The BitLocker recovery password is of critical importance; it lets you regain access to your data if you forget your unlock password or lose your unlock smart card. I recommend that you always save at least two copies of the recovery password. If you use a USB drive, you shouldn’t use the drive for anything else. Note that you can use the BitLocker Drive Encryption applet’s Manage BitLocker option to make more backups of the recovery key after the wizard is finished.
At this point the wizard presents you with a screen that asks whether you actually want to start the encryption process. Click Start Encrypting to proceed.
When the encryption process starts, Windows displays an encryption progress bar. On removable data drives you have the option to pause and resume the encryption process (use the Pause button to pause). This option is useful if you need to remove the drive during encryption. The pause and resume option isn’t available during OS or fixed drive encryption. Click Close when the encryption process completes.
You can easily see whether a drive is BitLocker protected by checking its drive icon in Windows Explorer. When a drive is encrypted its drive symbol is covered with a lock symbol. A gold closed lock indicates that the drive is locked; a gray open lock is displayed after you unlock the drive. To unlock an encrypted drive, right-click it and select Unlock Drive. The unlock screen displays, where you can enter your unlock password, as Figure 4 shows.
Note that the Automatically unlock on this computer from now on option can be used only if your OS drive is also BitLocker protected.
BitLocker’s File-Integrity Checking
Using BitLocker with a TPM for protecting an OS drive has advantages and disadvantages. In addition to volume-level encryption, BitLocker also provides a file-integrity checking mechanism. As I mentioned earlier, this mechanism automatically assesses the status of boot files such as the BIOS, MBRs, and the NTFS boot sector when the system boots and before the OS starts. If a hacker inserts malicious code into one of the boot files or modifies one of the files, BitLocker will detect it and block the OS from starting. BitLocker will then enter into recovery mode, and you’ll need the BitLocker recovery password or recovery key to regain access to the system.
Despite the advantages of BitLocker’s file-integrity checking mechanism, BitLocker adds TPM setup and management complexity to your environment. These disadvantages shouldn’t be underestimated in large BitLocker deployments, especially from a total cost of ownership (TCO) point of view.
Improved Security
BitLocker can add great security value to your Windows platforms for protecting OS, fixed, and removable data drives, even without a TPM. The Server 2008 R2 and Windows 7 version of BitLocker competes with third-party encryption tools—and surpasses them when it comes to integration with the Windows OS and its built-in management tools.
About the Author
You May Also Like