BitLocker: USB & Password (No TPM)

TL;DR

You can use BitLocker without a Trusted Platform Module (TPM) by using a startup USB key and requiring a password. This guide shows you how to set it up, how to recover if things go wrong, and what to keep in mind afterwards.

Setting Up BitLocker Without TPM

  1. Check your Windows edition: BitLocker is available in the Pro, Enterprise, and Education editions of Windows. Home edition does not include BitLocker.
  2. Enable BitLocker:
    • Open Control Panel > System and Security > BitLocker Drive Encryption.
    • Find the drive you want to encrypt (usually C:) and click Turn on BitLocker.
  3. Choose how to unlock:
    • Select both options:
      • Use a password to unlock the drive – enter a strong, memorable password.
      • Use a startup key (USB flash drive) – insert a USB flash drive; BitLocker will store the startup key on it. Make sure this is a separate drive from your OS drive!
  4. Save the recovery key: This is crucial!
    • BitLocker will generate a recovery key (a long string of numbers). You have several options:
      • Save to your Microsoft account: recommended for easy access.
      • Save to a file: store this file in a safe place – not on the drive you're encrypting! Consider an external hard drive or cloud storage.
      • Print the recovery key: keep the printed copy secure.
  5. Choose the encryption mode:
    • For new PCs, New encryption mode is usually best (more secure).
    • For older PCs or where compatibility is a concern, you might need to choose Compatible mode.
  6. Run encryption: Choose whether to encrypt the entire drive now or during startup. Encrypting during startup will require a reboot.
    • Select Start encryption and follow the on-screen instructions.
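The same setup can be done from an elevated PowerShell prompt with the BitLocker cmdlets that ship with Windows. The script below is an added example, not code from the original post. It assumes C: is the OS drive, E: is the USB stick that will hold the startup key, and F: is a second removable drive for the recovery password backup; adjust those three variables for your machine. It also performs the step the Control Panel wizard silently requires: enabling the Group Policy "Require additional authentication at startup" with "Allow BitLocker without a compatible TPM" ticked, written here as the registry values that policy sets under HKLM\SOFTWARE\Policies\Microsoft\FVE. The "New encryption mode" in the wizard corresponds to XTS-AES, so the script asks for XtsAes256.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): BitLocker on an OS drive without a TPM,
# unlocked by a password or a USB startup key, with the recovery password saved off-drive.
# Assumed drive letters: C: = OS drive, E: = startup-key USB, F: = backup USB.

$OsDrive       = 'C:'
$StartupKeyUsb = 'E:\'
$BackupFolder  = 'F:\BitLocker-Recovery'

# Step 0: allow BitLocker on an OS drive that has no TPM. These are the registry values
# behind the policy "Require additional authentication at startup" with
# "Allow BitLocker without a compatible TPM" ticked (Computer Configuration >
# Administrative Templates > Windows Components > BitLocker Drive Encryption >
# Operating System Drives).
$Fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $Fve -Force | Out-Null
Set-ItemProperty -Path $Fve -Name 'UseAdvancedStartup' -Type DWord -Value 1
Set-ItemProperty -Path $Fve -Name 'EnableBDEWithNoTPM' -Type DWord -Value 1
foreach ($Name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
    Set-ItemProperty -Path $Fve -Name $Name -Type DWord -Value 2   # 2 = allowed, not required
}

# Guard against the mistake the wizard warns about: the startup key must not live on
# the drive being encrypted, and the stick must actually be mounted.
if ($StartupKeyUsb.StartsWith($OsDrive, [System.StringComparison]::OrdinalIgnoreCase)) {
    throw 'The startup key must be stored on a separate drive from the OS drive.'
}
if (-not (Test-Path -Path $StartupKeyUsb)) { throw "Startup key drive $StartupKeyUsb is not mounted." }

# Step 3a: turn on BitLocker with a password protector. The password is read
# interactively so it never ends up in a script file or shell history.
$Password = Read-Host -Prompt 'Pre-boot password' -AsSecureString
Enable-BitLocker -MountPoint $OsDrive -PasswordProtector -Password $Password `
    -EncryptionMethod XtsAes256 -UsedSpaceOnly

# Step 3b: add the USB startup key. This writes a .BEK file to the stick.
Add-BitLockerKeyProtector -MountPoint $OsDrive -StartupKeyProtector -StartupKeyPath $StartupKeyUsb | Out-Null

# Step 4: add a recovery password and save it OFF the encrypted drive.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
$Volume   = Get-BitLockerVolume -MountPoint $OsDrive
$Recovery = $Volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if ($BackupFolder.StartsWith($OsDrive, [System.StringComparison]::OrdinalIgnoreCase)) {
    throw 'Back the recovery password up somewhere other than the drive being encrypted.'
}
New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
$BackupFile = Join-Path -Path $BackupFolder -ChildPath "bitlocker-$($env:COMPUTERNAME)-$(Get-Date -Format yyyyMMdd).txt"
@(
    "Computer:          $env:COMPUTERNAME"
    "Drive:             $OsDrive"
    "Key protector ID:  $($Recovery.KeyProtectorId)"
    "Recovery password: $($Recovery.RecoveryPassword)"
) | Set-Content -Path $BackupFile

# Step 6 equivalent: list the protectors now on the volume. Encryption of the OS
# drive begins after the next reboot, once the BitLocker system check has passed.
$Volume.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId, KeyFileName
Write-Host "Recovery password written to $BackupFile. Copy it to a second location as well, then reboot."
```

One point worth knowing when you read the protector list: BitLocker treats each protector as a separate way to unlock the volume, so after this script either the password alone or the USB stick alone will unlock C:. That is why the USB drive needs the same care as the password, as the considerations at the end of this post say.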

Recovering BitLocker if You Forget Your Password or Lose the USB Key

  1. Password recovery:
    • At the BitLocker password prompt, enter an incorrect password several times. Windows should offer a recovery option.
    • If prompted, enter your Microsoft account details (if you saved the key there).
  2. Startup key recovery:
    • Insert a different USB drive. If BitLocker detects no valid startup key, it should prompt for recovery options.
    • Enter your Microsoft account details or paste the recovery key from the file you saved earlier.
  3. Using Command Prompt (advanced): This is a last resort and requires technical knowledge.
    manage-bde -unlock C: -RecoveryPassword {your_recovery_key}

    Replace C: with your drive letter and {your_recovery_key} with the numeric recovery key you saved in step 4. Note that the -RecoveryPassword switch takes that numeric key; the -RecoveryKey switch instead expects the path to a .BEK startup key file, so using it with the numeric key will fail.
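If you end up at the command-prompt step, it helps to check the recovery key for typos before handing it to manage-bde, because a mistyped group just produces an unhelpful failure. The script below is an added example, not from the original post: it puts a typed key into the dashed form manage-bde expects, checks that it is 48 digits in eight groups of six and that every group is a multiple of 11 (the check digit BitLocker builds into each group), and then unlocks the volume. It assumes the OS volume appears as C: inside the recovery environment; the drive letter there can differ from the one Windows normally uses, so confirm it with manage-bde -status first.

```powershell
# Added example (not from the original post): validate a typed BitLocker recovery
# password, then unlock the OS volume with it from a recovery-environment prompt.
# Assumption: the OS volume is C: in that environment (check with "manage-bde -status").
$Drive = 'C:'

# Return the key as eight dash-separated six-digit groups, or throw on a typo.
# Every six-digit group of a BitLocker recovery password is a multiple of 11,
# so a mistyped digit in a group is caught here instead of at the unlock attempt.
function Format-RecoveryPassword {
    param([Parameter(Mandatory)][string]$Typed)
    $Digits = $Typed -replace '[^0-9]', ''          # accept spaces/dashes, keep digits only
    if ($Digits.Length -ne 48) { throw "Expected 48 digits, got $($Digits.Length)." }
    $Groups = for ($i = 0; $i -lt 48; $i += 6) { $Digits.Substring($i, 6) }
    foreach ($Group in $Groups) {
        if (([int]$Group % 11) -ne 0) { throw "Group '$Group' fails the check digit; re-check that block." }
    }
    return ($Groups -join '-')
}

$Typed = Read-Host -Prompt 'Recovery password (48 digits, dashes optional)'
$RecoveryPassword = Format-RecoveryPassword -Typed $Typed

manage-bde -unlock $Drive -RecoveryPassword $RecoveryPassword
manage-bde -status $Drive    # "Lock Status: Unlocked" confirms the unlock worked
```

Once the volume is unlocked you can copy data off it or boot normally; the check-digit test only catches transcription errors, so a key that passes but still fails to unlock belongs to a different volume or a protector that was later removed.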

Important Considerations

  • Back up your recovery key: Seriously. Losing this is like losing the only key to your data. Store multiple copies in different secure locations.
  • USB drive security: Keep your startup USB drive safe. If it's lost or stolen, anyone holding it could access your encrypted data.
  • Password strength: Use a strong password that is difficult to guess.
  • Firmware updates: Be cautious when updating your computer's firmware (BIOS/UEFI). Sometimes updates can interfere with BitLocker and require the recovery key even if everything is working correctly.
  • Cyber security best practices: Regularly update Windows and use anti-malware software to protect against threats that could compromise your encryption.
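The usual way to get through a firmware update without being dropped into recovery is to suspend BitLocker for exactly one reboot, apply the update, and confirm protection came back. The script below is an added example, not from the original post, and assumes C: is the OS drive. It first refuses to proceed unless a recovery password protector exists, because the one situation you must not be in is a firmware change with no recovery key on hand.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): suspend BitLocker protection across a
# single reboot for a BIOS/UEFI update, then verify it resumed. Assumes C: is the OS drive.
$OsDrive = 'C:'

# Before touching firmware: make sure a recovery password protector exists, and
# tell the operator which one so it can be matched against the backup copy.
$Volume   = Get-BitLockerVolume -MountPoint $OsDrive
$Recovery = $Volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $Recovery) {
    throw 'No recovery password protector on this volume. Add one and back it up before updating firmware.'
}
Write-Host "Recovery password protector $($Recovery.KeyProtectorId) is present; confirm your backup copy carries this ID."

# Suspend protection for one reboot only. The data stays encrypted, but BitLocker
# stores a clear key on the disk so the next boot unlocks without password or USB;
# treat the machine as unprotected until ProtectionStatus reads On again.
Suspend-BitLocker -MountPoint $OsDrive -RebootCount 1 | Out-Null
Write-Host 'Protection suspended for the next reboot. Apply the firmware update now and restart.'

# Run the remainder after the machine is back up.
# Protection should have re-enabled itself after that single reboot; if the update
# needed more than one restart, it may still be off, so resume it explicitly.
$Volume = Get-BitLockerVolume -MountPoint $OsDrive
if ($Volume.ProtectionStatus -ne 'On') {
    Resume-BitLocker -MountPoint $OsDrive | Out-Null
}
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

The final line is the check worth keeping in a post-update runbook: VolumeStatus should read FullyEncrypted and ProtectionStatus On. If ProtectionStatus stays Off after Resume-BitLocker, stop and investigate before using the machine for anything sensitive.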