Before you start
Objectives: Learn how to configure BitLocker in Windows 7 without a TPM chip available.
Prerequisites: you have to know what BitLocker is.
Key terms: BitLocker, configuration, Windows 7, TPM
BitLocker Configuration
The first requirement for BitLocker is that our computer should have a TPM chip installed on the motherboard. The TPM chip must be enabled in the BIOS. After that we can go to the BitLocker configuration in Windows. We can find BitLocker in Control Panel, and the screen looks like this.
BitLocker Screen
As we can see, here we can turn on BitLocker. When we click that option, the BitLocker wizard will appear. The thing is, in our case, our computer doesn’t have a TPM chip installed. If that’s the case, we will get the following message.
TPM Missing Message
However, we can still enable BitLocker even if we don’t have a TPM chip. To do that, we have to configure some Group Policy options. So, let’s open the Local Group Policy Editor by entering “gpedit.msc” in search, and allow BitLocker configuration without a TPM. Keep in mind that for this to work we have to have a removable USB key available to store the key information. In the Local Group Policy Editor we will go to Computer Configuration > Administrative Templates > Windows Components > BitLocker > Operating System Drives. Here we will select the “Require additional authentication at startup” policy. We will enable this policy and also select the option “Allow BitLocker without a compatible TPM”.
BitLocker without a TPM
When we click OK, we can go back to the BitLocker configuration in Control Panel. This time we will see a different screen, like this.
Startup Options
Note that now we can select the “Require a Startup key at every startup” option. Before we select that option, we should have a USB flash drive inserted, on which the startup key will be stored. So, when we move on, we will select the USB key (ROKI (E:) in our case).
USB Disk Selection
The startup key will be saved on the USB disk, but on the next screen we will be given an option to save the recovery key as well. We can also print the recovery key, which will look something like this.
Recovery Key Storage
In our case we will also save the recovery key to the USB flash drive. On the next screen we will have an option to run the BitLocker system check, which will ensure that BitLocker can read the recovery and encryption keys correctly before encrypting the drive. When we click the “Start Encrypting” button, the encryption process will begin, but we will be able to continue working until the process finishes. From this point on, to turn on our computer we will have to have the USB drive with the startup key inserted.
When the encryption finishes, we will get two more options on the BitLocker window in Control Panel. As we can see, we can now suspend protection and we can manage BitLocker.
BitLocker Options
The Suspend Protection option won’t decrypt the drive; it only pauses the protection so that we can make certain boot changes if we need to, and then reconfigure BitLocker. If we click the Manage BitLocker option, we will see options to save or print our recovery key again, or to duplicate the startup key.
Manage BitLocker
If we try to boot without our startup key (USB stick removed), we will get the following message.
BitLocker Warning
To fix this, we have to insert the USB flash drive, and then hit the Escape key.
Configuring Recovery Agents
When configuring recovery agents, the first thing we have to do is to generate a set of recovery keys. To do so, we will open the command prompt. In our case, we have logged on with the Admin user and we will generate keys for that user. In CMD we will enter the command: “cipher /r:RAAdmin”. The name of the generated files will be “RAAdmin”. After that we will have to type in the password to protect our PFX file.
Cipher Command
Keep in mind that your files will be created in your current working directory. The next thing we have to do is load our certificates. To do that we will open the Local Group Policy Editor and navigate to Computer Configuration > Windows Settings > Security Settings > Public Key Policies > BitLocker Drive Encryption. To add the recovery agent, we will go to Action (or right-click “BitLocker Drive Encryption”), and then select “Add Data Recovery Agent”.
Adding Data Recovery Agent
The Wizard will appear. In the Wizard we will first have to browse for the folder where we have saved the certificate file that we created using the cipher command.
Certificate Selected
So, the certificate actually designates the user account. We are taking this certificate for this user account and specifying it as the recovery agent. In that way, this user account will be able to recover BitLocker-enabled drives.
List of Users
In an Active Directory environment, we would get these certificates from the Active Directory Certificate Server. That way a single user account can be used on any computer in the environment to recover a BitLocker-encrypted drive. This way we can even move a hard drive from one machine to another and use the recovery agent to recover files from the BitLocker-encrypted drive.
The next thing to do is to configure group policies for BitLocker. To do that, in the Local Group Policy Editor we will navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption. We will edit the policy named “Provide the unique identifiers for your organization”. Here we can specify the identifier that will be written to the BitLocker drive every time a new drive is encrypted. When we set this, the DRA will only be able to unlock drives that carry this identifier. Under the other sections we can configure how our drives can be recovered. For example, under the Operating System Drives section, we will configure the “Choose how BitLocker-protected operating system drives can be recovered” policy. In our case we will enable this policy and select the “Allow data recovery agent” option. This way, the recovery agent we specified earlier will be able to recover the BitLocker-protected operating system drive. We should do the same thing for the other types of drives.
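The three policies configured through gpedit.msc above (“Require additional authentication at startup” with “Allow BitLocker without a compatible TPM”, “Provide the unique identifiers for your organization”, and “Choose how BitLocker-protected operating system drives can be recovered” with “Allow data recovery agent”) are all stored as registry values under the FVE policy key, which is what the BitLocker service actually reads. The script below is an added example, not part of the original article, that writes those values directly so the configuration can be reproduced and checked without clicking through the editor. The value names are taken from the VolumeEncryption.admx template as I know it; verify them against the template on your own system. The identifier string is a placeholder.

```powershell
# Added example: set the BitLocker policy values discussed in the article directly in the
# registry. Run from an elevated PowerShell prompt on a test machine.
# Value names are assumed from VolumeEncryption.admx; confirm against your local template.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-FvePolicyValue {
    param([string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    New-ItemProperty -Path $fve -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. "Require additional authentication at startup" + "Allow BitLocker without a compatible TPM".
Set-FvePolicyValue -Name 'UseAdvancedStartup' -Value 1
Set-FvePolicyValue -Name 'EnableBDEWithNoTPM' -Value 1
# The TPM options mirror what the policy shows when enabled: 2 = "Allow", 1 = "Require", 0 = "Do not allow".
Set-FvePolicyValue -Name 'UseTPM'       -Value 2
Set-FvePolicyValue -Name 'UseTPMPIN'    -Value 2
Set-FvePolicyValue -Name 'UseTPMKey'    -Value 2
Set-FvePolicyValue -Name 'UseTPMKeyPIN' -Value 2

# 2. "Provide the unique identifiers for your organization" (placeholder identifier).
$orgId = 'EXAMPLE-ORG-ID'
Set-FvePolicyValue -Name 'IdentificationField'          -Value 1
Set-FvePolicyValue -Name 'IdentificationFieldString'    -Value $orgId -Type 'String'
Set-FvePolicyValue -Name 'SecondaryIdentificationField' -Value $orgId -Type 'String'

# 3. "Choose how BitLocker-protected operating system drives can be recovered" + "Allow data recovery agent".
Set-FvePolicyValue -Name 'OSRecovery'  -Value 1
Set-FvePolicyValue -Name 'OSManageDRA' -Value 1

# Read back the values that matter most, so the result can be verified in one glance.
function Get-FvePolicySummary {
    Get-ItemProperty -Path $fve |
        Select-Object UseAdvancedStartup, EnableBDEWithNoTPM, IdentificationFieldString, OSRecovery, OSManageDRA
}

Get-FvePolicySummary
```

Two caveats worth knowing: the Local Group Policy Editor displays what is in its own registry.pol store, so values written this way still show as “Not Configured” in gpedit.msc even though BitLocker honours them; and on a domain-joined machine a GPO that touches the same policies will overwrite these values at the next refresh. For anything beyond a lab machine, set the policies through a GPO rather than the registry.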
DRA Enabled
Once we set these policies, we will be able to recover BitLocker-protected drives using the specified recovery agent (the Admin user in our case) in case the encryption keys are lost. Keep in mind that this is the first step we should take before we start to use BitLocker, especially in an Active Directory environment. In case we have already started using BitLocker on some drives, we can run the “manage-bde -setidentifier {drive letter}” command to update the encryption information on those drives. In our case we will update our C: drive.
Setting Identifier on C:
To unlock a locked drive, we can use the -unlock switch of the manage-bde command.
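The cipher /r step, the -setidentifier command and the -unlock switch above fit together as one recovery workflow, and the useful check in between is whether the drive actually carries a data recovery agent protector; without it the DRA cannot unlock the drive no matter what the policy says. The script below is an added example, not the article’s own code, that reads the DRA certificate’s thumbprint, lists the key protectors manage-bde reports for a drive, stamps the identifier, and verifies the DRA protector is present. The certificate path and drive letters are assumptions, and the final unlock line is commented out because an operating system drive is only unlocked from another machine.

```powershell
# Added example: a checklist around manage-bde for the DRA setup described in the article.
# Run from an elevated PowerShell prompt. Paths and drive letters are assumed.

$certFile = 'C:\Users\Admin\RAAdmin.cer'   # assumed location of the file from "cipher /r:RAAdmin"
$drive    = 'C:'

# Thumbprint of the DRA certificate, to compare with the protector manage-bde lists.
function Get-DraThumbprint {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    return $cert.Thumbprint
}

# Extract protector type names (e.g. "External Key", "Numerical Password",
# "Data Recovery Agent (Certificate)") from "manage-bde -protectors -get" output.
# Each protector type is printed on its own indented line ending with a colon.
function Get-ProtectorTypes {
    param([string[]]$Lines)
    $types = foreach ($line in $Lines) {
        if ($line -match '^\s+([A-Za-z][^:]*):\s*$') { $Matches[1].Trim() }
    }
    return @($types | Sort-Object -Unique)
}

"DRA certificate thumbprint: " + (Get-DraThumbprint -Path $certFile)

# 1. Record the encryption state and the protectors before changing anything.
manage-bde -status $drive
$before = Get-ProtectorTypes -Lines (manage-bde -protectors -get $drive)
"Protectors on ${drive} before: " + ($before -join ', ')

# 2. Write the organizational identifier to a drive encrypted before the policy existed
#    (the step the article runs for C:).
manage-bde -setidentifier $drive

# 3. Confirm the DRA protector is now present; if not, the identifier policy and the
#    "Allow data recovery agent" policy need another look before relying on the DRA.
$after = Get-ProtectorTypes -Lines (manage-bde -protectors -get $drive)
"Protectors on ${drive} after:  " + ($after -join ', ')
if ($after -notcontains 'Data Recovery Agent (Certificate)') {
    Write-Warning "No DRA protector on $drive; check the identifier and DRA policies, then re-run -setidentifier."
}

# 4. Unlocking a drive moved to another machine, using the DRA certificate whose private
#    key was imported from RAAdmin.pfx into the current user's personal store.
#    Alternatives: -RecoveryPassword <48-digit password> or -RecoveryKey <path to .bek file>.
# manage-bde -unlock D: -Certificate -ct (Get-DraThumbprint -Path $certFile)
```

The point of steps 1 and 3 is that -setidentifier only helps if the identifier on the drive matches the policy and the DRA policy is enabled for that drive type; comparing the protector list before and after makes a silent mismatch visible, and the thumbprint printed at the top lets you confirm that the protector belongs to the certificate you actually registered as the recovery agent.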