By default, BitLocker stores encryption data on a Trusted Module Platform (TPM) chip. Should you attempt to enable BitLocker on a computer that doesn’t have a TPM chip – and many do not – Windows will promptly inform you, “A TPM was not found. A TPM is required to turn on BitLocker." You cannot at this point in time add TPM capabilities to your computer – it either comes with a TMP chip or it doesn’t. Does this mean that you cannot use BitLocker unless you upgrade to a TPM-equipped computer? Thankfully, no. BitLocker can be configured to save its Startup Key to a USB drive (note: to be able to use this option, your computer must be able to boot from a USB drive – more on this later in the article). To configure BitLocker to use a USB drive, log on as administrator and then:
- Open the Local Group Policy Editor. To do this, click Start, type gpedit.msc into the Start Search box and hit Enter.
- Click Administrative Templates in the left-hand pane.
- Double-click Windows Components in the right-hand pane.
- Double-click BitLocker Drive Encryption in the right-hand pane.
- Double-click Control Panel Setup: Enable Advanced Startup Options in the right-hand pane.
- In the Control Panel Setup: Enable Advanced Startup Options dialog box, check Enabled, check Allow BitLocker without a compatible TPM and click OK and close the Local Group Policy Editor.[See Image 1]
- To apply the new policy, click Start, type gpupdate.exe /force into the Start Search box and hit Enter.
Once you have completed these steps, you can use the Setup Wizard to enable BitLocker in the normal manner (see Vista’s Help files for more information) and you will automatically be prompted to select your USB drive as the location to which BitLocker’s encryption data will be saved. The Setup Wizard will also provide you with an option to Run BitLocker System Check and you should certainly elect to do so. The system check will confirm that your drive has been correctly configured and that your computer can boot from the USB drive before the encryption process begins. Remember, there is no backdoor to BitLocker and, once your data has been encrypted, the only way that you’ll be able to access it is with either the USB drive on which the Startup Key has been saved or with the recovery password that is created during the setup process.
When BitLocker has been enabled, you’ll need to insert the USB drive each time you want to boot the computer, so be sure to keep it close at hand. But don’t keep it with your computer or in the computer case!