BitLocker question

Hopefully somebody who understands Windows 10 better than me can advise.....

My main machine (Win 10 Pro) has a Samsung SSD as drive C plus a pair of conventional hard disks working via a Raid controller as Drive E. For reasons I have never understood it also has a tiny "Disk" D (only about 500 Mb) which I never use.

For security I wanted to encrypt it with BitLocker and this seems to have worked fine for the Raid Drive E and indeed for the tiny unused Drive D. The only snag is I have to separately enter an additional password to access each of these drives after a reboot and logging in to Windows.

However when I went to set up BitLocker on Drive C (the SSD with the operating system etc) I get the following.....

This device cannot use a trusted platform module. Your administrator must set the Allow Bitlocker without a TPM option in the require additional authentication at startup.........

Can some kind person explain that to me and advise if I should go ahead? If so, where and how do I set the "allow" option?

Thanks.

Comments

  • The TPM thing is an option in the system BIOS which you need to switch on if it's available. Older machines won't have this.

    Do bear in mind of course if you bitlock the system drive and lose or forget your password the entire lot will probably be unrecoverable and you will most probably have to replace a perfectly good drive.
  • Neil_Jones wrote: »
    The TPM thing is an option in the system BIOS which you need to switch on if it's available. Older machines won't have this.

    Do bear in mind of course if you bitlock the system drive and lose or forget your password the entire lot will probably be unrecoverable and you will most probably have to replace a perfectly good drive.

    OK, I will have a look in the BIOS later.

    Why did this not affect the E drive?

    Also, I obviously take your point about losing data if the password is forgotten but why would it prevent re-partitioning the drive (for example with GParted)?

    Thanks.
  • You can still use Bitlocker without a TPM chip, you just need to make some group policy changes as explained here.


    https://www.windowscentral.com/how-use-bitlocker-encryption-windows-10
  • Peter999 wrote: »
    You can still use Bitlocker without a TPM chip, you just need to make some group policy changes as explained here.


    https://www.windowscentral.com/how-use-bitlocker-encryption-windows-10

    Thanks for the link which I will read fully later.

    What I still don't understand (and at a quick glance can't spot in the link) is why this TPM business would affect one of my disks but not the other?
  • marty2be2000
    edited 18 September 2018 at 7:03AM
    If you enable BitLocker without a TPM chip then you will need to enter a password each and every time you reboot your computer before it even starts loading Windows. As mentioned earlier, if you forget this password or the Windows boot loader gets messed up then you will lose all your data unless you have a copy of the massively long BitLocker recovery keys for all the encrypted volumes.

    If you enable BitLocker with the TPM chip enabled the computer will boot normally and load Windows without any password requirement. You will still need the recovery key because if the computer detects specific hardware changes then it will prompt for the recovery key. For example my works laptop with encrypted system drive decided the USB docking station with keyboard, mouse and monitor connected were too many changes and would not boot until the key was entered.

    TPM is needed so the BIOS and Windows OS know how to boot, TPM is the second part of dual factor. The security keys must match to enable seamless boot. Your other drives are different because Windows is already running, so all you need is a password. Windows stores the required keys encrypted in the registry and does not need the TPM chip.
  • Peter999_2
    Thanks for the link which I will read fully later.

    What I still don't understand (and at a quick glance can't spot in the link) is why this TPM business would affect one of my disks but not the other?


    I've been looking into BitLocker. The reason it affected your drives differently is because BitLocker differentiates between a "Fixed Drive" and "Operating System Drives" and can have different settings for them.


    If you go into policy editor (gpedit.msc) and choose Computer Configuration-Administrative Templates-Windows Components-Bitlocker Drive Encryption you will see what I mean.
  • Peter999 wrote: »
    I've been looking into BitLocker. The reason it affected your drives differently is because BitLocker differentiates between a "Fixed Drive" and "Operating System Drives" and can have different settings for them.


    If you go into policy editor (gpedit.msc) and choose Computer Configuration-Administrative Templates-Windows Components-Bitlocker Drive Encryption you will see what I mean.

    Thanks, I will do that and fully read the article you linked some days back as soon as I get a chance. It is not greatly urgent but I would like to resolve it.

    I will post back but it may well be several days.
This discussion has been closed.
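
The checks discussed in this thread (is a TPM available, is the "Allow BitLocker without a compatible TPM" policy set, which protectors each drive has) can be gathered in one read-only pass. This PowerShell script is an added example, not something posted by a thread participant; it assumes an elevated prompt on Windows 10 Pro and reads the policy from the registry key where Group Policy stores the BitLocker settings.

```powershell
#Requires -RunAsAdministrator
# Read-only audit: changes no BitLocker, TPM or policy setting.

# 1. Is there a TPM that Windows can use?
$tpm = Get-Tpm
[pscustomobject]@{ TpmPresent = $tpm.TpmPresent; TpmReady = $tpm.TpmReady } | Format-List

# 2. Operating-system-drive policy behind the "Allow BitLocker without a
#    compatible TPM" message ("Require additional authentication at startup").
$fve        = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy     = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
$allowNoTpm = ($policy.UseAdvancedStartup -eq 1) -and ($policy.EnableBDEWithNoTPM -eq 1)
"Policy allows BitLocker on the OS drive without a TPM: $allowNoTpm"

# 3. Per-volume view. VolumeType separates the operating system drive from
#    data drives, which is why C: and D:/E: can behave differently.
$report = foreach ($v in Get-BitLockerVolume) {
    $types = @($v.KeyProtector | Where-Object { $_ } |
               ForEach-Object { "$($_.KeyProtectorType)" })
    [pscustomobject]@{
        Drive       = $v.MountPoint
        VolumeType  = "$($v.VolumeType)"
        Status      = "$($v.VolumeStatus)"
        Protection  = "$($v.ProtectionStatus)"
        AutoUnlock  = $v.AutoUnlockEnabled
        Protectors  = $types -join ', '
        HasRecovery = $types -contains 'RecoveryPassword'
    }
}
$report | Format-Table -AutoSize

# 4. Flag the two situations raised in the thread.
foreach ($r in $report) {
    # Encrypted (or encrypting) volume with no recovery password to fall back on.
    if ($r.Status -ne 'FullyDecrypted' -and -not $r.HasRecovery) {
        Write-Warning "$($r.Drive) is encrypted but has no recovery password protector."
    }
    # OS drive not yet encrypted, no usable TPM, and the policy not set:
    # this is the state that produces the message quoted in the question.
    if ($r.VolumeType -eq 'OperatingSystem' -and $r.Status -eq 'FullyDecrypted' `
        -and -not $tpm.TpmReady -and -not $allowNoTpm) {
        Write-Warning "$($r.Drive): no usable TPM and the no-TPM policy is not enabled."
    }
}
```

`manage-bde -protectors -get C:` shows the same protector list for a single drive, including the recovery password ID to match against a saved copy.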