
General

Step-by-Step Guide: Setting Up BitLocker with USB Key, Startup Key, and Recovery Key

Preparation

The first thing to do is enable the TPM in your motherboard BIOS; consult your computer or motherboard documentation on how to do this. When this is complete you will need to initialize the TPM in Windows.

In a Run box type 'TPM.msc' and click 'OK'.

Now click the Initialize button.

Now follow the instructions in the TPM Initialization wizard. This will probably involve a reboot, and you may be prompted to accept the transfer of ownership of your TPM to Windows; the exact steps are proprietary to your computer or motherboard vendor.

When you have rebooted you will be prompted to create a TPM Owner Password. You can choose to generate a password automatically or input your own. Make your choice and click 'Next'. You will then be prompted to save the password or print it. If you save it, I would save it to the USB stick you will be using for your recovery key.

When you have done this click 'Initialize' then 'Close'.


The next thing to do is set up the policy. If you want to enable FIPS 140 compliance, now is a good time to do it.

In a Run box type 'gpedit.msc' and click 'OK'

In 'Local Security Policy Editor' browse to 'Computer Configuration', 'Administrative Templates', 'Windows Components', 'BitLocker Drive Encryption', 'Operating System Drives'.

Double-click on 'Require additional authentication at startup'.

Click 'Enabled' to enable the policy

Check 'Allow BitLocker without a compatible TPM'.

Set:

  • 'Configure TPM startup' to 'Do not allow'
  • 'Configure TPM startup PIN' to 'Do not allow'
  • 'Configure TPM startup key' to 'Do not allow'
  • 'Configure TPM startup key and PIN' to 'Require startup key and PIN with TPM'

Apply and OK
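Before moving on to the manage-bde commands, it is worth confirming that both halves of the preparation actually took effect: that Windows sees the TPM as ready, and that the 'Require additional authentication at startup' policy was written with the values chosen above. The following PowerShell script is an added example and is not part of the original guide. It assumes that the policy is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE with the value names the policy's ADMX template uses (UseAdvancedStartup, EnableBDEWithNoTPM, UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN) and that 0 means 'Do not allow' and 1 means 'Require' for the four 'Configure TPM startup' settings; Get-Tpm comes from the built-in TrustedPlatformModule module.

```powershell
# Added example, not from the original guide: pre-flight check for the TPM and the
# startup-authentication policy before any manage-bde command is run.
# Assumptions (labelled): registry value names under HKLM:\SOFTWARE\Policies\Microsoft\FVE
# follow the ADMX template for "Require additional authentication at startup", with
# 0 = "Do not allow" and 1 = "Require" for the four "Configure TPM startup*" settings.

#Requires -RunAsAdministrator

function Test-TpmReady {
    # Get-Tpm is shipped with Windows (TrustedPlatformModule module); TpmReady is the
    # flag that TPM.msc initialization leaves behind when it has completed.
    $tpm = Get-Tpm
    [pscustomobject]@{
        Present = $tpm.TpmPresent
        Ready   = $tpm.TpmReady
        Owned   = $tpm.TpmOwned
    }
}

function Test-StartupAuthPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

    # Expected values for "Require startup key and PIN with TPP" as configured in the guide.
    $expected = [ordered]@{
        UseAdvancedStartup = 1   # policy set to Enabled
        EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM" checked
        UseTPM             = 0   # Configure TPM startup: Do not allow
        UseTPMPIN          = 0   # Configure TPM startup PIN: Do not allow
        UseTPMKey          = 0   # Configure TPM startup key: Do not allow
        UseTPMKeyPIN       = 1   # Configure TPM startup key and PIN: Require
    }

    foreach ($name in $expected.Keys) {
        # A missing value (policy never applied) reads as $null and therefore fails the check.
        $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $actual
            Ok       = ($actual -eq $expected[$name])
        }
    }
}

$tpm = Test-TpmReady
$tpm | Format-List
if (-not $tpm.Ready) {
    Write-Warning 'TPM is not ready: finish the TPM.msc initialization wizard first.'
}

$policy = Test-StartupAuthPolicy
$policy | Format-Table -AutoSize
if ($policy.Ok -contains $false) {
    Write-Warning 'Policy does not match the guide: re-check gpedit.msc and run "gpupdate /force".'
}
```

If any row shows Ok = False, fix the policy in gpedit.msc and run 'gpupdate /force' before continuing; manage-bde will refuse the -TPMandPINandStartupKey protector when the policy does not permit that combination.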

Step 1: Open Command Prompt with Administrative Privileges

  1. Click Start and type cmd.
  2. Right-click Command Prompt and select Run as administrator.

Step 2: Encrypt the Disk Using USB Key, Startup Key, and Recovery Key

This step adds a protection mechanism that requires three factors to unlock drive C:

  • TPM (Trusted Platform Module) – must be present and enabled.
  • PIN – a numeric PIN that you define and enter at every boot.
  • Startup Key – a key file stored on a USB drive (e.g., E:) that must be inserted at system startup.

Run the following command in Command Prompt:

manage-bde -protectors -add C: -TPMandPINandStartupKey -tp YourPasswordGoesHere -tsk E:

Replace YourPasswordGoesHere with your chosen PIN.

Step 3: Create a Recovery Key

A Recovery Key ensures access to encrypted data if the main key is lost or forgotten.

Run the following command to generate a Recovery Key and save it on the USB drive (E:):

manage-bde -protectors -add C: -RecoveryKey E:

This creates a unique key file on the E: drive, which can be used to unlock the encrypted disk.

Step 4: Add a Recovery Password (Optional)

Instead of relying only on the USB key for recovery, you can also add a Recovery Password.

Run the following command to add a Recovery Password:

manage-bde -protectors -add C: -RecoveryPassword

This command:

  • Generates a 48-digit unique Recovery Password.
  • Allows unlocking if:
    • The USB Key is unavailable.
    • The TPM PIN is forgotten.

Step 5: Retrieve and Manage the Recovery Password

To view or store the Recovery Password, run the following command:

manage-bde -protectors -get C:

This displays:

  • All active protection methods on C:.
  • The Recovery Password, which you should store safely.


Step 6: Begin the Encryption

Leave the USB stick in the PC and then type the following command:

manage-bde -on C:
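Steps 2 to 6 above can also be carried out from PowerShell with the BitLocker module, which has one practical advantage over the manage-bde form: the PIN is read as a SecureString at a prompt instead of being typed into the command line, where the -tp argument would otherwise remain in the console history. The script below is an added example and is not part of the original guide. It assumes the OS drive is C: and the USB stick is E: (the same letters as the guide), and that Get-BitLockerVolume reports the three protectors as KeyProtectorType values TpmPinStartupKey, ExternalKey and RecoveryPassword; the final verification function checks that all three are present and reports the encryption status.

```powershell
# Added example, not from the original guide: the protector set of Steps 2-4, the
# encryption start of Step 6, and a verification pass, using the BitLocker module.
# Assumptions (labelled): OS drive is C:, USB stick is E:, and the KeyProtectorType
# names TpmPinStartupKey / ExternalKey / RecoveryPassword are what the module reports.

#Requires -RunAsAdministrator

$MountPoint = 'C:'
$UsbRoot    = 'E:\'

function Add-ThreeFactorProtectors {
    param([string]$MountPoint, [string]$UsbRoot)

    # Step 2: TPM + PIN + startup key. The PIN is read as a SecureString so it is
    # never part of the command line or the console history.
    $pin = Read-Host -Prompt 'Enter the BitLocker startup PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinAndStartupKeyProtector `
        -Pin $pin -StartupKeyPath $UsbRoot | Out-Null

    # Step 3: recovery key file written to the same USB stick.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryKeyProtector `
        -RecoveryKeyPath $UsbRoot | Out-Null

    # Step 4/5: 48-digit recovery password, returned once so it can be stored off the machine.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object KeyProtectorId, RecoveryPassword
}

function Test-ThreeFactorBitLocker {
    param([string]$MountPoint)

    $vol      = Get-BitLockerVolume -MountPoint $MountPoint
    $types    = @($vol.KeyProtector.KeyProtectorType)
    $required = 'TpmPinStartupKey', 'ExternalKey', 'RecoveryPassword'
    $missing  = @($required | Where-Object { $types -notcontains $_ })

    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus        # EncryptionInProgress until conversion ends
        ProtectionStatus  = $vol.ProtectionStatus    # On once the drive is fully encrypted
        EncryptionMethod  = $vol.EncryptionMethod
        Protectors        = ($types -join ', ')
        MissingProtectors = ($missing -join ', ')
        Ok                = ($missing.Count -eq 0)
    }
}

# Steps 2-4: add the protectors and show the recovery password to be stored safely.
Add-ThreeFactorProtectors -MountPoint $MountPoint -UsbRoot $UsbRoot | Format-List

# Step 6: start encrypting with the USB stick still inserted (same command as the guide).
manage-bde -on $MountPoint

# Verify the protector set before rebooting; Ok must be True.
Test-ThreeFactorBitLocker -MountPoint $MountPoint | Format-List
```

Run Test-ThreeFactorBitLocker again after the first reboot: VolumeStatus should read FullyEncrypted and ProtectionStatus On. If MissingProtectors is not empty, do not reboot yet, because a drive with the TPM+PIN+key protector but no recovery protector cannot be unlocked if the USB stick fails.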


Final Notes

  • Make sure that your USB Key is always available during startup.
  • Store the Recovery Key & Password in a safe location.
  • If you lose both Startup Key and Recovery Key, access to your data will be permanently lost.

Now your system is secure with BitLocker encryption, protecting it with TPM, PIN, USB Key, and Recovery Key!

Author

8G_N0maD