
Enable BitLocker Without a TPM Chip in Windows 7 & Windows 8

BitLocker is a tool included in Windows Vista, Windows 7 (Enterprise and Ultimate) and
Windows 8 (Pro and Enterprise) that can be used to encrypt data on any drive. However, in order to
encrypt your system drive, you must have a TPM chip in your computer. If you don't, it is still possible to
use BitLocker, but you need to configure Windows so that it allows the use of BitLocker without this chip. In this
article I will first explain the use of a TPM chip (what it is and why it is used) and then how to configure both
Windows 7 and Windows 8 so that they do not require this chip in order to encrypt your system drive
with BitLocker.

1. What is a TPM (Trusted Platform Module) Chip?


A TPM chip is a device used to generate secure, unique cryptographic keys and store them in an
encrypted fashion, so that this data can be used to authenticate hardware devices. The cryptographic keys
are encrypted and can be decrypted only by the TPM chip that created and encrypted them.

Encryption software like BitLocker in Windows Vista, Windows 7 and Windows 8 uses the TPM chip to
protect the keys used to encrypt your computer's data. The TPM is then used to authenticate your encrypted
computer and give you access to the encrypted data only when the device trying to access it is identified as
trusted. Since the key stored in each TPM chip is unique to that device, encryption software can quickly
verify that the system seeking access to the encrypted data is the expected system and not a different one.

Figure 1. TPM chip


2. Use BitLocker Without a TPM Chip

If you are trying to use BitLocker to encrypt your system drive and you don't have a TPM chip in
your computer, you will receive an error message. In Windows 7 the message states: "A compatible
Trusted Platform Module (TPM) Security Device must be present on this computer, but a TPM was not
found. Please contact your system administrator to enable BitLocker."

Figure 2. Enable BitLocker for Windows 7

In Windows 8, the message is even clearer: "This device can't use a Trusted Platform Module.
Your administrator must set the 'Allow BitLocker without a compatible TPM' option in the 'Require
additional authentication at startup' policy for OS volumes."

Figure 3. Enable BitLocker in Windows 8

3. Open the Local Group Policy Editor


When you decide to implement BitLocker on a workstation, you can use full system drive encryption with
BitLocker even if you do not have a TPM chip in your computer. However, in order for this to work, you
need to edit a policy in Windows with the help of the Local Group Policy Editor tool. To launch this tool
in Windows 7, search for the word "group" or the words "group policy" in the Start Menu search box.

Figure 4. Local Group Policy in Windows 7


In Windows 8, search directly on the Start Screen and go to the Settings section to see the appropriate
search results. Click or tap the "Edit group policy" search result to open the Local Group Policy Editor
tool. Alternatively, you can use the Run window to run this command: gpedit.msc.

Figure 5. Local Group Policy in Windows 8

4. How to Modify the BitLocker Drive Encryption Policy


This is how the Local Group Policy Editor should look:

Figure 6. Local Group Policy snap-in

On the left-hand panel, go to the Computer Configuration section and open the following folders:
Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System
Drives.

Figure 7. Locate BitLocker Drive Encryption in the Local Group Policy Editor

Now look in the right-hand panel and search for a setting named "Require additional authentication at
startup".

Figure 8. Locate the policy that lets BitLocker work without a TPM


Double-click it to open this setting. Now, change its value to Enabled. Then, check the option that
says "Allow BitLocker without a compatible TPM" and press OK.

Figure 9. Configuring the policy for BitLocker without a TPM

Next, in the left-hand panel, go back to the Computer Configuration section and open the following folders:
Administrative Templates -> Windows Components -> BitLocker Drive Encryption.

Figure 10. Configuring the BitLocker drive encryption method


Now look in the right-hand panel and search for a setting named "Choose drive encryption method and
cipher strength".

Figure 11. Configuring the "Choose drive encryption method and cipher strength" policy

Double-click this setting to edit it.


Figure 12. Modifying the policy

When done, close the Local Group Policy Editor. You can now use BitLocker to encrypt your system drive
without having a TPM chip in your computer. If you later want to set things back to the way they were,
follow the same procedure and set "Require additional authentication at startup" to Not Configured.
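The same policy change, and an audit check for it, can be scripted. The following is an added example written for this article, not part of the original text or of any Microsoft tool; it assumes that the "Require additional authentication at startup" policy is realized in the registry key HKLM\SOFTWARE\Policies\Microsoft\FVE with the value names shown, and it must be run in an elevated PowerShell session.

```powershell
# Added example (not from the article): apply and audit the
# "Require additional authentication at startup" policy from PowerShell.
# Assumption: the policy is realized under the registry key below, with the
# value names Windows writes when the policy is enabled in gpedit.msc.
# Run in an elevated PowerShell session on Windows 7 or Windows 8.

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-TpmPresent {
    # Returns $true when Windows exposes a TPM device, $false otherwise.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    return ($null -ne $tpm)
}

function Enable-BitLockerWithoutTpm {
    # Equivalent of setting the policy to Enabled and checking
    # "Allow BitLocker without a compatible TPM" in gpedit.msc.
    if (-not (Test-Path $FvePolicyKey)) {
        New-Item -Path $FvePolicyKey -Force | Out-Null
    }
    $values = @{
        UseAdvancedStartup = 1   # policy state: Enabled
        EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM"
        UseTPM             = 2   # 2 = Allow; the defaults gpedit writes
        UseTPMPIN          = 2
        UseTPMKey          = 2
        UseTPMKeyPIN       = 2
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $FvePolicyKey -Name $name `
                         -Value $values[$name] -Type DWord
    }
}

function Get-BitLockerNoTpmPolicyState {
    # Audit helper: reports whether this workstation allows BitLocker on the
    # OS drive without a TPM (a weaker setup, since a startup key or password
    # alone protects the volume and no hardware binds it to this machine).
    $p = Get-ItemProperty -Path $FvePolicyKey -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        TpmPresent        = Test-TpmPresent
        PolicyEnabled     = ($p.UseAdvancedStartup -eq 1)
        AllowedWithoutTpm = ($p.UseAdvancedStartup -eq 1 -and $p.EnableBDEWithNoTPM -eq 1)
    }
}

Enable-BitLockerWithoutTpm
Get-BitLockerNoTpmPolicyState
```

Writing the values directly does not update the local GPO's registry.pol, so gpedit.msc will still show the setting as Not Configured, and a domain GPO that configures the same setting will overwrite these values at the next policy refresh.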
