How To Use BitLocker Drive Encryption Without TPM Chip

Introduction

BitLocker Drive Encryption is a full-disk encryption feature included in certain editions of Windows that encrypts entire volumes. It protects data at rest: if the computer is lost or stolen, or the drive is pulled and read on another machine, the contents are unreadable without the key.

BitLocker normally uses a Trusted Platform Module (TPM) chip to protect the key that unlocks the drive and to check that the boot chain has not been tampered with. You can still use BitLocker without a TPM, with real limitations. This article explains how BitLocker uses the TPM, what you give up without one, and step-by-step instructions for enabling BitLocker on a drive without a TPM.

How BitLocker Works

BitLocker encrypts a volume with a full volume encryption key (FVEK), which is itself encrypted by a volume master key (VMK). The VMK is never stored in the clear; it is wrapped by one or more "key protectors". On a computer with a TPM, the default protector seals the VMK to the TPM, so it can only be released on that specific machine and only when the measured boot state matches. Moving the drive to another computer does not unlock it.

The TPM also validates the computer's early boot components. The firmware, boot manager and related code are measured into the TPM's platform configuration registers (PCRs), and the TPM releases the VMK only if those measurements match the values recorded when BitLocker was turned on. A modified bootloader changes the measurements and the drive stays locked (this is also why some firmware updates trigger the recovery prompt). Together, these TPM-based protections are what make BitLocker resistant to offline tampering, not just to a casual read of the disk.

Security Without TPM

On computers without a TPM chip, BitLocker still encrypts drives with the same algorithms but loses some security advantages:

  • No hardware-bound key protector – The VMK is wrapped by a key derived from a password, or by a startup key on a USB drive, instead of being sealed to the TPM. The wrapped protector lives on the drive (or the USB stick) rather than in tamper-resistant hardware, so an attacker who copies the drive can run an offline guessing attack on the password at leisure; the strength of the password is the whole defence.
  • No boot component validation – Nothing checks the firmware or bootloader before the unlock prompt. An attacker with brief physical access can replace the boot manager with one that captures the password or startup key (an "evil maid" attack), and BitLocker will not notice.
  • Additional authentication required – Because there is no TPM to release the key, every boot needs a password typed at the pre-boot prompt or a USB flash drive holding the startup key (a .BEK file). This still prevents casual access to a lost or stolen machine, but the USB key is a clear-text secret and must be kept separate from the computer.

So while BitLocker without TPM still provides strong encryption, it loses the protections that make the encryption robust against boot tampering and weak passwords. Weigh this tradeoff, and choose a long passphrase, when deciding whether to use BitLocker without a TPM.
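To see which of these protections a given machine actually has, the following PowerShell audit (an added example, not code from the original article) lists every BitLocker volume with its key protector types and flags volumes whose VMK is not sealed to the TPM, i.e. volumes that rely only on a password or USB startup key and therefore get no boot validation. It assumes the built-in BitLocker and TrustedPlatformModule modules and an elevated session.

```powershell
# Added example (not from the original article): audit which BitLocker
# volumes are protected by a TPM-sealed key protector and which rely only on
# a password / USB startup key. Assumes the built-in BitLocker and
# TrustedPlatformModule modules; run in an elevated PowerShell session.
#Requires -RunAsAdministrator

# KeyProtectorType values that bind the VMK to the TPM (and hence to PCRs).
$tpmBoundTypes = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

# Whether a TPM exists at all, independent of what BitLocker is using.
$tpmPresent = $false
try { $tpmPresent = [bool](Get-Tpm -ErrorAction Stop).TpmPresent } catch { }

Get-BitLockerVolume | ForEach-Object {
    $vol   = $_
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $sealedToTpm    = @($types | Where-Object { $tpmBoundTypes -contains $_ }).Count -gt 0
    $bootValidation = if ($sealedToTpm) { 'TPM (PCR-bound)' } else { 'none: password/startup key only' }

    [pscustomobject]@{
        MountPoint     = $vol.MountPoint
        VolumeType     = $vol.VolumeType
        Protection     = $vol.ProtectionStatus
        Method         = $vol.EncryptionMethod
        Protectors     = ($types -join ', ')
        BootValidation = $bootValidation
        HasRecoveryPw  = ($types -contains 'RecoveryPassword')   # a fallback exists
        TpmPresent     = $tpmPresent
    }
} | Format-Table -AutoSize
```

A row whose BootValidation reads "none" on a machine where TpmPresent is True is worth fixing: the TPM is available but the OS drive was set up with a password or startup key only, so the machine gets the weaker no-TPM model for no reason.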

Enabling BitLocker Without TPM

If you understand the limitations but still wish to use BitLocker, follow these steps to enable it on a drive without TPM:

1. Ensure Your Version of Windows Supports BitLocker

BitLocker is included in the Pro, Enterprise and Education editions of Windows 10 and Windows 11 (and in Windows Server). Home editions do not include it, although some Home devices offer the separate, TPM-dependent "Device encryption" feature. To check, go to Settings > System > About and read the Edition line under Windows specifications, or run winver.

2. Open Local Group Policy Editor

Press Win+R, type gpedit.msc and open the Local Group Policy Editor. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. (gpedit.msc is itself missing on Home editions, another sign that BitLocker is not available.)

3. Enable the Group Policy Setting

Find the setting named "Require additional authentication at startup". Double-click it, select Enabled, make sure the box "Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)" is checked, and click OK. Without this setting, the BitLocker wizard refuses to start on a machine with no TPM and reports that the device can't use a Trusted Platform Module.

4. Turn On BitLocker

Open Control Panel > System and Security > BitLocker Drive Encryption (or right-click the drive in File Explorer and choose Turn on BitLocker) and click Turn on BitLocker next to the drive you want to encrypt. The "Device encryption" entry under Settings > System > About is a different feature that requires a TPM and will not help here. Because no TPM is present, the wizard first asks how to unlock the drive at startup: enter a password, or insert a USB flash drive to hold the startup key.

Next, the wizard asks where to save the recovery key. This is separate from the startup password or USB startup key: the 48-digit recovery password is the fallback if the password is forgotten or the USB key is lost, so save it to your Microsoft account, to a file on another drive, or as a printout, and keep it away from the computer. Then choose used-space-only or full-drive encryption and the encryption mode (XTS-AES for fixed drives), and let the wizard run; encryption continues in the background and the drive stays usable meanwhile.
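The same four steps as one PowerShell script, an added example rather than code from the original article. It assumes the OS drive is C:, an elevated session, and a removable drive mounted at E:\ that will receive the recovery password (change $recoveryDir to suit). Steps 2 and 3 are done by writing the registry values that the "Require additional authentication at startup" policy sets, which is what the Local Group Policy Editor itself writes.

```powershell
# Added example (not from the original article): enable BitLocker on the OS
# drive of a machine with no TPM, using a startup password plus a recovery
# password. Assumptions: OS drive is C:, session is elevated, and E:\ is a
# removable drive that will be kept away from this computer.
#Requires -RunAsAdministrator

$osDrive     = 'C:'
$recoveryDir = 'E:\'   # assumption: USB drive for the recovery password

# Step 1: the BitLocker cmdlets are absent on Home editions.
$edition = (Get-CimInstance Win32_OperatingSystem).Caption
if (-not (Get-Command Enable-BitLocker -ErrorAction SilentlyContinue)) {
    throw "BitLocker cmdlets not found; edition '$edition' does not include BitLocker."
}

# Steps 2 and 3: registry equivalent of the Group Policy setting
# "Require additional authentication at startup" = Enabled, with
# "Allow BitLocker without a compatible TPM" checked.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
$policy = [ordered]@{
    UseAdvancedStartup = 1   # policy Enabled
    EnableBDEWithNoTPM = 1   # the "allow without a compatible TPM" checkbox
    UseTPM             = 2   # 2 = allow, 1 = require, 0 = do not allow
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fve -Name $name -Value $policy[$name] `
        -PropertyType DWord -Force | Out-Null
}

# Step 4: turn on BitLocker with a password protector, the no-TPM unlock
# method. For a USB startup key instead, use
#   -StartupKeyProtector -StartupKeyPath 'E:\'   in place of the password switches.
$vol = Get-BitLockerVolume -MountPoint $osDrive
if ($vol.ProtectionStatus -eq 'On') {
    Write-Warning "$osDrive is already protected; nothing to do."
    return
}
$startupPw = Read-Host -Prompt "Startup password for $osDrive" -AsSecureString
Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 `
    -PasswordProtector -Password $startupPw -UsedSpaceOnly -SkipHardwareTest | Out-Null

# Always add a recovery password as the fallback, and get it off the machine.
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

$outFile = Join-Path $recoveryDir ('BitLocker-Recovery-' + $recovery.KeyProtectorId.Trim('{}') + '.txt')
@(
    "Drive: $osDrive"
    "Protector ID: $($recovery.KeyProtectorId)"
    "Recovery password: $($recovery.RecoveryPassword)"
) | Out-File -FilePath $outFile -Encoding ascii

Write-Host "Recovery password saved to $outFile. Encryption continues in the background:"
Get-BitLockerVolume -MountPoint $osDrive |
    Format-List MountPoint, ProtectionStatus, EncryptionPercentage, KeyProtector
```

The password protector is only accepted for an operating-system drive once EnableBDEWithNoTPM is set, which is why the policy step has to come before Enable-BitLocker. Remove the USB drive as soon as the recovery file is written; a recovery password stored next to the machine defeats the encryption.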

Conclusion

Using BitLocker without a TPM chip trades some security for convenience. While data is still encrypted, additional hardware protections are lost. Carefully consider whether this tradeoff is appropriate for your device.

When configured properly with a strong passphrase, BitLocker without a TPM still keeps data at rest confidential; what it cannot do is detect a tampered boot path or resist offline guessing of a weak password. For maximum security, use BitLocker with a TPM (ideally TPM plus PIN) whenever possible.
