BitLocker without a TPM?

dhood82 · 12 Oct 2011

Where I work, we have 4 Lenovo X100e Mini laptops and we installed our copy of Windows 7 Enterprise 64bit. To my knowledge there has to be a TPM to use BitLocker with certain versions of Windows 7 in order for the key to be stored in Active Directory, like the rest of our regular laptops are.
My question is, can I enable and use Bitlocker in any way and still have the key stored in AD without a TPM? The laptops did not come with a TPM so is there an add-on?(I know it is a long shot for this question)
Also, what other good encryption software is out there that does not require a USB Flash Drive or security password to gain access to the hard drive?

Corazon · 12 Oct 2011

I can't answer your questions about Bitlocker, but TrueCrypt is excellent, free, and fulfills your requirements.
TrueCrypt - Free Open-Source On-The-Fly Disk Encryption Software for Windows 7/Vista/XP, Mac OS X and Linux

karlsnooks · 12 Oct 2011

dhood82 said:

Where I work, we have 4 Lenovo X100e Mini laptops and we installed our copy of Windows 7 Enterprise 64bit. To my knowledge there has to be a TPM to use BitLocker with certain versions of Windows 7 in order for the key to be stored in Active Directory, like the rest of our regular laptops are.
My question is, can I enable and use Bitlocker in any way and still have the key stored in AD without a TPM? The laptops did not come with a TPM so is there an add-on?(I know it is a long shot for this question)
Also, what other good encryption software is out there that does not require a USB Flash Drive or security password to gain access to the hard drive?

If I remember correctly, yes you can now run bitlocker without the tpm module.

Why don't you just try it?

severedsolo · 12 Oct 2011

Here's a tutorial for removing the TPM requirement

BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM

**cluberti** · 13 Oct 2011

Bitlocker keys are stored in AD (when AD and policy are configured to store them) regardless of the presence of a TPM in the machine. However, the user will need a USB key every time they boot the machine, plus the data stored on that key is pretty easily compromised if the device is lost. Bitlocker is great, but you really do have to have a TPM for it to be a *very* secure solution.

TrueCrypt is also good and has interesting features (more than bitlocker, for sure), but it's not an enterprise-grade solution - good for home or SOHO use, for sure, but not ready for enterprise use. It has a lack of a central management console, inability to store escrow information in any directory-based solution, does not support use on a TPM (and the argument used to justify the lack of such protection is silly), must be decrypted during any external upgrade, and is severely limited when a user does not have administrative access (whereas Bitlocker+MBAM means a regular user can do all the things a TrueCrypt user cannot).

Again, TrueCrypt has better features overall, but for the features you need in a corporate/enterprise setting (TPM support, escrow/recovery, access from WinPE for OS repair or upgrades without decrypting a volume, Group Policy management, product support from the vendor, usability by non-administrators without administrator intervention, and a centralized administrative/monitoring console), TrueCrypt shows it's immaturity.