November 19, 2010 12:52 PM

Using BitLocker Without a Trusted Platform Module

Protect your data, even in the absence of a TPM security chip
Windows IT Pro
InstantDoc ID #128895

Microsoft introduced BitLocker Drive Encryption (BDE), or BitLocker, in Windows Server 2008 and Windows Vista. BitLocker offers volume-level data encryption for data stored on Windows clients and servers and protects the data when systems are offline (i.e., when the OS is shut down). BitLocker can prevent data breaches such as the theft of confidential corporate data on employee laptop computers. In previous Windows versions this protection wasn't possible without a third-party product.

BitLocker can also offer an integrity-checking mechanism that makes the OS itself more resilient in the face of attacks. When BitLocker is applied to the system volume on a computer that has a TPM, it validates the early boot components (the BIOS code, the Master Boot Record (MBR), the NTFS boot sector, and the boot manager) every time the system starts, before the OS loads. The TPM records measurements of those components at setup, and the volume encryption key is released only if the measurements match at boot. If an attacker modifies one of the boot components or inserts malicious code into it, the TPM won't release the key and BitLocker drops into recovery mode rather than starting the OS. Keep in mind that this boot-integrity check depends on the TPM; in the TPM-less configurations this article describes, BitLocker still encrypts the drive but doesn't validate the boot path.

The first version of BitLocker had some shortcomings that Microsoft addressed in the newer OS releases. In the initial release, only a single volume—the OS drive—could be BitLocker protected. In Server 2008 and Vista SP1, Microsoft added support for BitLocker protection of different volumes, including local data volumes. In Server 2008 R2 and Windows 7, Microsoft added BitLocker support for removable data drives (e.g., memory sticks, external data drives). This feature is called BitLocker To Go. For an overview of the disk configurations that BitLocker supports, see Microsoft’s “BitLocker Drive Encryption in Windows 7: Frequently Asked Questions.” Server 2008 R2 and Windows 7 also come with an extended set of BitLocker Group Policy Object (GPO) configuration settings, including a new data recovery agent feature that allows centralized recovery of the BitLocker-protected data in an Active Directory (AD) forest.

In this article I explain how you can leverage BitLocker without using a Trusted Platform Module (TPM). A TPM is a special security chip that's built in to most of today's PC motherboards. Using BitLocker with a TPM adds security value (the boot-integrity check described above, and a key that never leaves the computer), but it also adds setup and management complexity and overhead. In addition, many organizations still have older computers that don't have TPMs. In most cases you can't add a TPM to an existing computer; it's either part of the system's design, or it isn't.

Fortunately, Microsoft included several configuration options in BitLocker that make it usable on systems that don't have a TPM. I’ll walk you through the steps to get BitLocker up and running on a computer that doesn't have a TPM, I’ll explain which tools you need instead, and I’ll cover best practices you can follow.

Protecting the OS Drive Without a TPM

BitLocker is available in all Server 2008 R2 and Server 2008 editions (except the Itanium edition), in Windows 7 Ultimate and Enterprise, and in Vista Ultimate and Enterprise. On Windows 7 and Vista the BitLocker logic is installed as part of the OS installation process. On Server 2008 R2 and Server 2008, BitLocker is an optional feature that you must install. You can do so using the Add features option that's available from the Initial Configuration Tasks window or, after installation, from Server Manager; installing the feature requires a restart.

You can use BitLocker without a TPM for protecting your OS drive and for protecting fixed or removable data drives. Using BitLocker without a TPM to protect OS drives involves a BitLocker setup process that’s slightly different from the standard process that I outline later in the article; it also requires an additional GPO tweak that you must make prior to starting the BitLocker setup process.

To protect your OS drive with BitLocker in the absence of a TPM, you need a removable USB flash drive and a computer whose BIOS can read USB storage devices in the pre-OS environment. The computer doesn't boot from the USB drive; rather, the drive holds the BitLocker startup key (a small .BEK file), and the BIOS must be able to read it before the OS starts so that the boot manager can unlock the encrypted OS drive. The user must therefore have the USB drive inserted every time the system starts. Because possession of that USB drive is the only thing standing between an attacker and the OS drive, it must be kept separate from the computer, and the recovery password must be backed up (to AD or to a safe location) in case the drive is lost.
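The following is an added example, not code from the original article, that walks through the TPM-less OS-drive setup end to end on a Windows 7 or Server 2008 R2 computer: it installs the BitLocker feature on a server, confirms that no TPM is present, applies the local-policy equivalent of the "Require additional authentication at startup" GPO setting with "Allow BitLocker without a compatible TPM" enabled, and then turns on BitLocker with a USB startup key plus a recovery password. The drive letters (C: for the OS drive, E: for the USB flash drive) are assumptions; the registry value names under the FVE policy key are the documented equivalents of the GPO setting, but in a domain you would set them through the GPO rather than directly.

```powershell
# Added example (not from the original article). Run from an elevated
# PowerShell prompt on Windows 7 / Server 2008 R2 with no TPM.
# Assumptions: OS drive is C:, USB startup-key drive is E:.

$osDrive  = 'C:'
$usbDrive = 'E:\'

# 1. On Server 2008 R2 BitLocker is an optional feature; install it if missing.
#    (ProductType 1 = workstation, 2/3 = server.) A restart is required
#    after installation; re-run the rest of this script afterwards.
$os = Get-WmiObject Win32_OperatingSystem
if ($os.ProductType -ne 1) {
    Import-Module ServerManager
    $feature = Get-WindowsFeature BitLocker
    if (-not $feature.Installed) {
        Add-WindowsFeature BitLocker | Out-Null
        throw 'BitLocker feature installed; restart the server and run this script again.'
    }
}

# 2. Confirm there really is no usable TPM (null result = no TPM exposed to Windows).
$tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    Write-Warning 'A TPM is present; prefer the TPM-based setup instead of a USB-only startup key.'
}

# 3. Local-policy equivalent of the GPO setting
#    Computer Configuration > Administrative Templates > Windows Components >
#    BitLocker Drive Encryption > Operating System Drives >
#    "Require additional authentication at startup"
#    with "Allow BitLocker without a compatible TPM" checked.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord

# Without this value manage-bde refuses a startup key as the sole OS-drive protector.
if ((Get-ItemProperty -Path $fve).EnableBDEWithNoTPM -ne 1) {
    throw 'Policy value EnableBDEWithNoTPM was not applied.'
}

# 4. The USB drive must be present: the .BEK startup key is written to its root.
if (-not (Test-Path $usbDrive)) {
    throw "Insert the USB flash drive that will hold the startup key as $usbDrive"
}

# 5. Turn on BitLocker with a USB startup key AND a 48-digit recovery password.
#    manage-bde prints the recovery password; record it before the restart.
#    BitLocker first runs a hardware test (one restart) to prove the BIOS can
#    read the key from USB, and only then begins encrypting the volume.
& manage-bde -on $osDrive -StartupKey $usbDrive -RecoveryPassword

# 6. Show the protectors and keep the recovery password safe; back it up to AD
#    when the computer is domain-joined (the ID is the recovery protector's GUID
#    printed by -protectors -get).
& manage-bde -protectors -get $osDrive
# Example (after noting the recovery protector ID):
# & manage-bde -protectors -adbackup $osDrive -id '{<recovery-protector-guid>}'

# 7. After the restart, watch encryption progress.
& manage-bde -status $osDrive
```

Two practical points follow from the script. First, the hardware-test restart is not optional cosmetics: if the BIOS can't read the USB drive in the pre-OS environment, that restart fails cleanly before any data is encrypted, which is far better than discovering the problem on a fully encrypted drive. Second, the recovery password is the only fallback if the USB drive is lost or damaged, so the step that records it (or backs it up to AD) is the one you should never skip.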

 


