Note on BitLocker disk encryption without a TPM chip

Posted: (EET/GMT+2)


I've recently developed a software solution that runs locally on a laptop in a factory here in Finland. The laptop runs custom C# software and a virtual machine, and one very important part of this solution is security, at both the hardware and the software level.

One part of the solution is the encryption of the hard drive of the said laptop. Windows 8 contains nice support for BitLocker, and this is easy to enable from the right-click menu of the system drive in Windows Explorer.

However, BitLocker expects to find a TPM chip on the computer, but not all laptop models (especially entry-level ones) contain this chip. If you try to enable BitLocker on such a computer, BitLocker will say it cannot complete the encryption because a TPM chip was not found.

Luckily, you can tweak the computer settings to allow BitLocker nonetheless, but there's a caveat: when you reboot the machine, you have to manually enter the BitLocker password. If you instead had the TPM chip, you would simply see a normal Windows logon screen, as the encryption keys can be stored inside the TPM chip.

Here are quick instructions on enabling BitLocker on machines without a TPM chip. First, start the Windows Local Group Policy Editor by running the command "gpedit.msc". Next, from the tree on the left, navigate to the path Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives.

Next, open the setting named "Require additional authentication at startup" and enable it from the top-left corner of the dialog box. At the bottom-left, enable the option to "Allow BitLocker without a compatible TPM" and click OK.

At this point, you're good to go!

Finally, a note on entering the BitLocker password. Since this prompt appears before Windows has loaded, it seems you only have the option to enter your password using a U.S. English keyboard layout. If you have special characters in your BitLocker password and are using a non-US keyboard, be sure to learn how you can enter those special characters.

Tip: By pressing the Insert (Ins) key while the password prompt is in front of you, you can see the characters you've entered.
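As an added example (not part of the original post), the same configuration done from an elevated PowerShell session instead of gpedit.msc: it writes the registry values that back the "Require additional authentication at startup" policy and its "Allow BitLocker without a compatible TPM" checkbox, verifies them, then enables BitLocker on the OS drive with a pre-boot password and adds a recovery password. It also screens the chosen password against the keyboard caveat above. The drive letter, the `Test-PreBootPasswordChars` helper and its printable-ASCII rule are my assumptions; the registry path `HKLM:\SOFTWARE\Policies\Microsoft\FVE` and the `Enable-BitLocker`, `Add-BitLockerKeyProtector`, `Get-BitLockerVolume` and `Get-Tpm` cmdlets are standard on Windows 8 and later.

```powershell
#Requires -RunAsAdministrator
# Added example; not the original post's code. Assumes Windows 8 or later.

$osDrive = 'C:'   # assumption: the system drive to encrypt

# Heuristic (assumption): the pre-boot prompt only understands a US layout, so
# reject anything outside printable ASCII. Letter positions can still differ
# (e.g. Y/Z on Finnish/German layouts), so this is a screen, not a guarantee.
function Test-PreBootPasswordChars([string]$Plain) {
    foreach ($ch in $Plain.ToCharArray()) {
        $code = [int]$ch
        if ($code -lt 0x20 -or $code -gt 0x7E) { return $false }
    }
    return $true
}

# 1. Report whether a TPM exists; the policy below is only needed when it does not.
$tpm = Get-Tpm -ErrorAction SilentlyContinue
if ($tpm -and $tpm.TpmPresent) {
    Write-Host 'A TPM is present; the no-TPM policy is not required.'
}

# 2. Registry store for Computer Configuration -> Administrative Templates ->
#    Windows Components -> BitLocker Drive Encryption -> Operating System Drives.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
# "Require additional authentication at startup" = Enabled
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Type DWord -Value 1
# "Allow BitLocker without a compatible TPM" checkbox
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Type DWord -Value 1
# The policy's remaining drop-downs, left at "Allow" (2) as gpedit does by default
foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
    Set-ItemProperty -Path $fve -Name $name -Type DWord -Value 2
}

# 3. Verify the policy before touching the drive.
$policy = Get-ItemProperty -Path $fve
if ($policy.UseAdvancedStartup -ne 1 -or $policy.EnableBDEWithNoTPM -ne 1) {
    throw 'BitLocker no-TPM policy was not applied'
}

# 4. Collect the pre-boot password and screen it for the US-layout prompt.
$plain = Read-Host -Prompt 'Pre-boot BitLocker password (typed at every boot)'
if (-not (Test-PreBootPasswordChars $plain)) {
    throw 'Password contains characters that cannot be typed at the pre-boot prompt'
}
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
$plain = $null

# 5. Enable BitLocker with a password protector; without a TPM this password is
#    the only thing unsealing the volume key at boot.
Enable-BitLocker -MountPoint $osDrive -PasswordProtector -Password $secure `
    -EncryptionMethod Aes256 -SkipHardwareTest

# 6. Add a recovery password and keep it off the machine: there is no TPM-sealed
#    copy of the key to fall back on if the password is lost.
$vol = Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector
$vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    ForEach-Object { Write-Host "Recovery password (store offline): $($_.RecoveryPassword)" }

# 7. Confirm the volume state.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

The registry values are exactly what gpedit.msc writes when you enable the policy, so the two methods can be mixed; checking them in step 3 catches the case where a domain policy later overrides the local setting and Enable-BitLocker would otherwise fail with the "no TPM" message the post describes.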