windows 7 - Bitlocker without TPM: does the USB drive have to remain in the laptop?

2014-07
  • Michel

    I'm using TrueCrypt to encrypt my hard drive, but with the vague ending of this product, I want to switch to Bitlocker.

    As I don't have a TPM chip in my laptop, I want to use a USB drive to authenticate.

    Now my question is: when I start up my laptop the USB drive has to be present in my laptop I assume, but does it have to stay there after starting up?

    The reason I ask is this: if it doesn't have to remain there, I can buy a very small USB drive that I can put on my keychain and only use to unlock; if however the USB drive has to remain in my laptop I will not do this because my car keys will be attached to my laptop the whole day ;-)


    Related Question

    windows 7 - Change Bitlocker to use the TPM plus a USB key and a PIN
  • Christopher Edwards

    I have BitLocker running on Windows 7 (x86) on a Dell D630 laptop (it has a 1.2 TPM).

    It is running in transparent mode.

    I'd like to know how to configure it to use a PIN and a USB key as well, but I can't find anything that looks like it does this in the UI.

    Does anyone know how to do this?

    Do I have to remove BitLocker and re-enable it?

    (This should be possible according to this - http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption)


  • Related Answers
  • caelyx

    According to Matthias Hamann here:

    To the great relief of any paranoid encryption junkie, Microsoft decided to add another mode, which requires TPM + PIN + USB Key to start up your computer. This feature was introduced with Service Pack 1 for Vista and makes it really hard for an attacker to get hold of your authentication details if you don’t write your PIN on your USB stick or get “questioned” by someone with a blow torch and a pair of pliers.

    So how does it work? Well, although there is no GUI option for this new mode, it’s surprisingly simple to activate:

    1. Click on the Vista logo / start button.
    2. Type cmd in the search box and do NOT hit enter.
    3. Right-click on the command prompt item (cmd.exe) and select “Run as administrator” from the context menu.
    4. Enter `cscript manage-bde.wsf -on c: -rp -rk d: -tpsk -tp 1234567 -tsk e:` and hit enter. (“c:” is the drive which you want to encrypt / your OS volume; “d:” is the drive where the recovery key will be stored at; “1234567” is your secret PIN, which can consist of up to 20 digits; “e:” is your USB key.)
    5. Write down the recovery password and hide it at a SAFE location (e.g., under your keyboard).
    6. Type exit and hit enter.
    7. DONE!
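The same TPM + PIN + startup key configuration applied with the `manage-bde.exe` tool that ships with Windows 7 (the successor of the Vista-era `manage-bde.wsf` script), added here as an example and not taken from the quoted article or either post. It assumes the OS volume is `C:`, the USB key is `E:` and the recovery key goes to `D:\`; because it adds protectors to a volume that is already encrypted, it covers the related question (switching an existing transparent-mode install to TPM + PIN + USB) without decrypting and re-enabling BitLocker. For a laptop with no TPM, as in the original question, the protector to add is `-StartupKey E:` instead, and the Group Policy setting "Allow BitLocker without a compatible TPM" must be enabled first.

```powershell
# Added example (not from the original page): move an already-encrypted Windows 7 OS volume
# from TPM-only ("transparent") mode to TPM + PIN + startup key with manage-bde.exe.
# Run from an elevated PowerShell prompt. Assumed drive letters below.
$OsVolume     = 'C:'    # encrypted OS volume
$StartupKey   = 'E:'    # USB drive that will hold the startup key file
$RecoveryPath = 'D:\'   # where the recovery key file is written (keep it off the laptop)

# 1. Record what protects the volume today before changing anything.
manage-bde -protectors -get $OsVolume

# 2. Make sure a recovery password and a recovery key exist. One of them is the only way
#    back in if the TPM measurements change (firmware update, boot order change) or the
#    USB key is lost. Write the 48-digit recovery password down somewhere safe.
manage-bde -protectors -add $OsVolume -RecoveryPassword
manage-bde -protectors -add $OsVolume -RecoveryKey $RecoveryPath

# 3. Add the combined protector. manage-bde prompts for the PIN interactively (so it is
#    never stored in this script) and writes the startup key file to the USB drive.
manage-bde -protectors -add $OsVolume -TPMAndPINAndStartupKey $StartupKey

# 4. Remove the TPM-only protector. While it still exists the volume unlocks with the TPM
#    alone at boot, and the PIN and USB key add nothing.
manage-bde -protectors -delete $OsVolume -Type TPM

# 5. Verify: the listing should now show TPMAndPinAndStartupKey plus the two recovery
#    protectors, and no plain TPM entry. Reboot once with the USB key inserted to confirm
#    the PIN prompt appears before Windows loads.
manage-bde -protectors -get $OsVolume
```

If step 3 fails with a Group Policy error, the "Require additional authentication at startup" policy on the machine is restricting which startup protectors may be used and has to allow a PIN and a startup key.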