BitLocker and Active Directory


Using BitLocker without a TPM

It is a simple fact that, right now, not many computers have TPM version 1.2 chips and a BIOS that is compliant with Vista and meets the TCG specifications. As time marches on, most new computers will include these features. As for existing computers, well, hardware companies would normally rather sell you a new computer than spend a lot of money updating the old ones, but most appear to be issuing new BIOS updates for recently manufactured computers. If your computer has an older TPM chip (such as version 1.1), however, it cannot be upgraded. (Remember, it is a hardware security device, after all.)

A computer without a compatible TPM cannot use the pre-OS boot validation features that a TPM and its PCRs offer. However, a non-TPM computer can still use the encryption feature with a startup key (a USB flash memory device).

You will notice, however, that if you try to enable BitLocker on a computer without a TPM, you will not be able to do so by default. The BitLocker user interface was designed to be as simple and clean as possible for the typical user, and to leverage the security provided by a TPM. In order to enable additional key protectors (with a TPM), or to use BitLocker at all without a TPM, you must configure BitLocker to use advanced setup options. You configure this mode using Group Policy or the local computer policy settings.

Here are the steps to do so with local policy settings on one computer:

  1. Click Start, and type gpedit.msc in the Search box. Press Enter.

  2. From the Group Policy Object Editor screen, click Local Computer Policy → Administrative Templates → Windows Components, and double-click BitLocker Drive Encryption.

  3. Double-click Control Panel Setup: Enable Advanced Setup Options. The dialog box for this setting opens, showing the setup wizard's "Configure startup" option for TPM computers.

  4. Change the selection to Enabled and choose "Allow BitLocker without a compatible TPM." Then click OK.

Note 

Between steps 1 and 2, you will see a UAC prompt, which you're probably becoming familiar with by now. You can also use any method you like to reach the local computer policy settings or a Group Policy object that applies to this computer.
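The same four-step policy change, applied and then checked from an elevated PowerShell prompt, as an added example that is not from the book. It assumes the setting is backed by the DWORD values UseAdvancedStartup and EnableBDEWithNoTPM under HKLM\SOFTWARE\Policies\Microsoft\FVE (the registry location the BitLocker policy template writes to; confirm the names against the template shipped with your Windows version), and it queries the Win32_Tpm WMI class so you can see whether a TPM 1.2 is present and therefore which rows of Table 5.2 apply to this machine. The function names are this example's own.

```powershell
# Added example (not from the book): apply and verify the local policy
# "Allow BitLocker without a compatible TPM" from an elevated prompt.
# Assumption: the policy is stored as the DWORD values UseAdvancedStartup
# and EnableBDEWithNoTPM under HKLM\SOFTWARE\Policies\Microsoft\FVE.

$FvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Enable-BitLockerWithoutTpmPolicy {
    # Equivalent of steps 2-4 for local policy: create the key if needed and
    # set both values to 1 (Enabled + "Allow BitLocker without a compatible TPM").
    if (-not (Test-Path $FvePolicyPath)) {
        New-Item -Path $FvePolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $FvePolicyPath -Name 'UseAdvancedStartup' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $FvePolicyPath -Name 'EnableBDEWithNoTPM' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-BitLockerTpmPosture {
    # Reports whether the policy is in effect and whether a TPM is actually
    # present and usable, so you know which key protectors are possible here.
    $policy = Get-ItemProperty -Path $FvePolicyPath -ErrorAction SilentlyContinue
    $noTpmAllowed = ($policy -ne $null) -and
                    ($policy.UseAdvancedStartup -eq 1) -and
                    ($policy.EnableBDEWithNoTPM -eq 1)

    # Win32_Tpm is absent when no TPM driver is loaded (no chip, or disabled in BIOS).
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        NonTpmBitLockerAllowed = $noTpmAllowed
        TpmPresent             = ($tpm -ne $null)
        TpmSpecVersion         = $(if ($tpm) { $tpm.SpecVersion } else { 'n/a' })
        TpmEnabledAndActivated = $(if ($tpm) {
                                     $tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated
                                   } else { $false })
    }
}

Enable-BitLockerWithoutTpmPolicy
Get-BitLockerTpmPosture | Format-List
```

Run it once as an administrator; gpedit.msc then shows the setting as Enabled. Writing the values under the Policies hive changes local policy only: a domain GPO that configures the same setting will overwrite them at the next policy refresh, which is the behaviour you want in a managed environment.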

When used without a TPM, a startup key is markedly different from a startup key used with a TPM. When used with a TPM, the startup key and the TPM data are combined as one key protector. On the other hand, a startup key used without a TPM is a key protector all on its own.

When enabling BitLocker on a non-TPM computer, a new recovery key is created and written to the USB drive. Thus, the USB drive holds a binary key that can directly decrypt the VMK. The USB startup key is then the only thing needed to access the BitLocker-protected volume. In fact, a USB startup key on a computer without a TPM is exactly the same thing as a "recovery password stored to a USB drive" on a computer with a TPM. In other words, without a TPM, you are using a recovery key on a USB drive every time you start the computer. This is depicted in Figure 5.6.

Figure 5.6: BitLocker on a computer without TPM

Summary of Key Protectors

Sometimes, keeping track of the different key protectors can make your head spin. Table 5.2 will help.

Table 5.2: Key Protectors

| Name | Command line term | Description | Notes | Computer can auto start? | Requires TPM 1.2 | User must present object (USB drive) | User must enter data |
|---|---|---|---|---|---|---|---|
| TPM Only | -tpm | Uses the TPM to encrypt, seal, and wrap the VMK. | Created by default. TPM will not unseal the VMK unless the integrity check passes. | Yes | Yes | No | No |
| Recovery Password | -RecoveryPassword, -rp | A 48-digit number that can be typed by a user for recovery. | Either a recovery key or recovery password is created by default. Can be easily stored in AD DS. | No | No | No | Yes (48 digits) |
| Recovery Key | -RecoveryKey, -rk | A binary key used to encrypt the VMK. | Called a "recovery password" in the setup wizard for simplicity. Either a recovery key or recovery password is created by default. A recovery key is written in machine-readable form to a USB drive. | No[*] | No | Yes | No |
| Startup Key (for non-TPM computers) | -StartupKey, -sk | A binary key used to encrypt the VMK. | Stored on a USB drive and behaves identically to a recovery key. Cannot decrypt the VMK if the USB drive is not present. | No[*] | No | Yes | No |
| TPM+PIN | -TPMAndPIN, -tp | Uses the TPM to encrypt, seal, and wrap the VMK, but sets auth data in the TPM. | TPM will not unseal the VMK unless the integrity check passes and the correct PIN is entered. | No | Yes | No | Yes (4 to 20 digits) |
| TPM+USB Startup Key | -TPMAndStartupKey, -tsk | Uses the TPM to encrypt, seal, and wrap part of an intermediate key, and stores the other part on a USB drive. The VMK is encrypted with the intermediate key. | TPM will not unseal the partial key unless the integrity check passes. Cannot create the intermediate key or decrypt the VMK if the USB drive is not present. | No[*] | Yes | Yes | No |
| Clear Key (BitLocker "Disabled Mode") | Use the disable command | Encrypts the VMK with a new key, and writes the new key in cleartext to the volume metadata. | Used when temporarily disabling BitLocker when you don't want to decrypt the data itself. Offers no protection; disables BitLocker. | Yes | No | No | No |

[*] Unless the USB drive is left sitting in the USB port. But the readers of this book are so naturally good-looking and innately intelligent that they would never even consider such a foolish thing. And they have great taste in books.
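To see what the distinctions in Table 5.2, and in the non-TPM discussion above, look like on a real machine, here is an added PowerShell audit that is not from the book. It enumerates every key protector on each volume through the Win32_EncryptableVolume WMI class and flags the two weak states the chapter describes: a volume in disabled mode (the VMK sitting under a clear key), and a volume whose only unlock path is an external key on a USB drive, which is the non-TPM startup key case where that drive acts as a recovery key on every boot. The mapping from WMI type numbers to the table's names, the finding strings and the function name are this script's own.

```powershell
# Added example (not from the book): inventory the key protectors on every
# BitLocker-capable volume and flag the weak configurations from Table 5.2.
# Uses Win32_EncryptableVolume in root\cimv2\Security\MicrosoftVolumeEncryption.
# The labels below are this script's own, chosen to match the table's names.

$ProtectorNames = @{
    0 = 'Unknown'
    1 = 'TPM Only'
    2 = 'External key (recovery key or startup key on USB)'
    3 = 'Recovery Password (48 digits)'
    4 = 'TPM+PIN'
    5 = 'TPM+USB Startup Key'
}

function Get-BitLockerProtectorReport {
    $volumes = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                             -Class Win32_EncryptableVolume
    foreach ($vol in $volumes) {
        # GetKeyProtectors(0) returns the IDs of all protectors on the volume.
        $ids = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)
        $types = @()
        foreach ($id in $ids) {
            $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType
        }

        $findings = @()

        # Protectors exist but protection is off: BitLocker "Disabled Mode",
        # i.e. the VMK is wrapped by a clear key written to the volume metadata.
        if ($ids.Count -gt 0 -and $vol.GetProtectionStatus().ProtectionStatus -eq 0) {
            $findings += 'Protection off: VMK under a clear key (no protection)'
        }

        # External key with no TPM-based protector is the non-TPM startup key
        # case: the USB drive alone unlocks the volume on every boot.
        $hasTpm = ($types -contains 1) -or ($types -contains 4) -or ($types -contains 5)
        if (($types -contains 2) -and -not $hasTpm) {
            $findings += 'USB external key is the sole unlock path; treat it as a recovery key'
        }

        # A TPM-only or TPM+PIN volume with no recovery password or recovery key
        # cannot be recovered if the TPM integrity check ever fails.
        if ($hasTpm -and -not ($types -contains 2) -and -not ($types -contains 3)) {
            $findings += 'No recovery password or recovery key present'
        }

        $names = $types | ForEach-Object {
            if ($ProtectorNames.ContainsKey($_)) { $ProtectorNames[$_] } else { "type $_" }
        }

        New-Object PSObject -Property @{
            Volume     = $vol.DriveLetter
            Protectors = $(if ($names) { $names -join '; ' } else { 'none (not encrypted)' })
            Findings   = $(if ($findings) { $findings -join '; ' } else { 'none' })
        }
    }
}

Get-BitLockerProtectorReport | Format-Table -AutoSize
```

Run it as an administrator. Type 2 (external key) is reported identically whether the setup wizard called it a "recovery key" or a "startup key", which is exactly the point made above: on a non-TPM computer the two are the same object, so the audit only distinguishes them by whether a TPM protector sits alongside.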


Administering Windows Vista Security: The Big Surprises
ISBN: 0470108320
Year: 2004
Pages: 101