Solved Bitlocker Install with TPM - Several issues. All help appreciated.

mag3 (New member)
I ventured into the Bitlocker world today for a desktop I recently built, and I'm
beginning to regret that decision. It seems to be fraught with issues. I have read some
of the tutorials here, but they seem not to apply to my particular situation. Let me
explain my scenario and I'll then ask my questions.

My environment:

1) Hardware: Intel Core i5 desktop with 8 GB of RAM, SATA II hard drives,
1 SATA III hard drive, USB 2.0 & USB 3.0 ports, dual UEFI & traditional BIOS.

2) TPM ver. 1.2 installed (Infineon modules to control operation)

3) OS: Windows 7 64 bit with Serv. Pack 1 and latest updates installed.

The Scenario:

The TPM was properly initialized and "owned." The BIOS reflects that it is now enabled and active.
I entered the Bitlocker encryption panel and turned it on for the OS volume (drive C:). It encrypted
just fine and rebooted.

I then went about the business of setting up keys and having it placed on a USB 2.0 flash drive that
is also connected so that the system will boot and use the TPMandStartupKey. I used the manage-bde
utility. This utility failed because the "Group Policy" options had not yet been set for Bitlocker.
So I went back and set them up (i.e. disabled/unchecked the "Allow Bitlocker without a compatible TPM,"
I enabled "Require Additional authentication at startup," and "Require startup Key with TPM"). All
other options were "Do not allow."

I then re-used "manage-bde" command. I attempted to use the "-TPMandPINandStartupKey" option and save
the result to my USB flash drive. But I kept getting errors that I "couldn't reference two file systems."
I then settled upon the "TPMandStartupKey" option and to save the results to the USB flash drive. The command
indicated "success" but I never saw the resultant file on my USB flash drive. It was either "hidden" or
it never made it there.

I then rebooted, and tested the reboot by taking out the USB flash drive. It correctly indicated that there
was no Startup key file found. I then inserted the USB flash drive and pressed "Esc" as indicated to reboot.

The system rebooted but indicated that there was a "difference" between the file discovered and the original
time Bitlocker was initialized. It then required the recovery key. I entered this key and the system booted
successfully.

Issues -

1) Recovery Key - Nothing other than the use of the recovery key at boot time seems to permit the system
to boot. I had thought it would be a bit more seamless in that if I had the Startup Key on the flash
drive, the system would boot on its own. Not the case. I don't want to have to enter the recovery
key all the time, now.

2) USB Drive - How can I verify that the Startup key file successfully made it to the USB flash drive? I don't
see it on there. Is it hidden or did it just not get put there? Where would it be, otherwise?
3) Documentation - Can anyone point me to the best documentation available on the net in re: Bitlocker and
some greater detail in how things like the "manage-bde" commands work? The help "-?" commands don't seem
to help a lot in re: interpreting the errors I get or how to implement the commands correctly.
All productive advice is greatly appreciated. Thanks much. :)

My Computer
OS: Win 7 64bit ultimate

Update - I believe I found a much better reference for the "manage-bde" commands (straight from Microsoft's tech websites) that explained them better than my original resource. I deleted my old TPMandStartupKey entry, and after resuming bitlocker encryption and resetting Group policies accordingly, I found the correct manage-bde command for the "-tpsk" setting. Correct command as follows:

manage-bde -protectors -add -tpsk <OSDrive> -tsk <USBDrive>

where <OSDrive> is the operating system drive (usually C: ) and <USBDrive> is the flash drive on which to save the startup key file for rebooting purposes. The command did ask for the PIN, which I gave once, and then once again for verification. The command indicated success, and that the file was stored on <USBDrive>, although it still appears to be hidden. I then rebooted normally.

Lo and behold, upon rebooting, the Bitlocker screen came up and asked *only* for the PIN, which I entered. To my amazement, it was accepted and the system booted right up! :D ;)

So, I'll let it sit for a bit, try a couple more reboots, and then move on to encrypting the other internal drives (with auto "unlock" of course :D ), and then maybe some removable USB drives.
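Added example, not part of mag3's posts and not Microsoft's own tooling: a PowerShell script that covers issue 2 of the original post (is the startup key really on the USB flash drive?) and the protector setup described in the update. It lists the hidden .BEK file(s) on the flash drive, cross-checks each one against the protectors that manage-bde reports for the OS volume, confirms protection is on, and reads back the Group Policy startup-authentication values the post describes. The drive letters C: and E: are placeholders, and the FVE registry value names are the ones the BitLocker policy template writes as I know them; neither comes from the thread. Syntax is kept to PowerShell 2.0 so it runs on Windows 7 from an elevated prompt.

```powershell
# Added example, not from the forum post. Run from an elevated PowerShell
# prompt. PowerShell 2.0 syntax so it also works on Windows 7.
# Placeholders (assumptions): adjust to your own drive letters.
$OSDrive  = 'C:'
$USBDrive = 'E:'

# --- 1. Startup key file on the USB drive -----------------------------------
# BitLocker stores the startup key as <ExternalKeyID>.BEK in the root of the
# removable drive with the Hidden and System attributes set, which is why it
# does not show up in Explorer or a plain 'dir'. -Force lists it anyway.
$bekFiles = Get-ChildItem -Path "$USBDrive\" -Filter '*.BEK' -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }

if (-not $bekFiles) {
    Write-Warning "No .BEK file on $USBDrive even with hidden/system files shown: the startup key was not written there."
} else {
    foreach ($f in $bekFiles) {
        "{0,-45} {1,5} bytes  {2}" -f $f.Name, $f.Length, $f.Attributes
    }
}

# --- 2. Protectors currently registered on the OS volume --------------------
# manage-bde prints each key protector with its ID as a {GUID}; the startup
# key file name is that same GUID, so a file on the stick only unlocks the
# volume if its GUID appears in this list.
$protectorText = (manage-bde -protectors -get $OSDrive | Out-String)
$statusText    = (manage-bde -status $OSDrive | Out-String)

foreach ($f in $bekFiles) {
    $guid = [System.IO.Path]::GetFileNameWithoutExtension($f.Name).Trim('{', '}')
    if ($protectorText -match [regex]::Escape($guid)) {
        "OK    $($f.Name) belongs to a protector on $OSDrive"
    } else {
        "STALE $($f.Name) is not a protector on $OSDrive (left over from a deleted protector)"
    }
}

if ($statusText -match 'Protection Status:\s+Protection On') {
    "Protection is ON for $OSDrive"
} else {
    Write-Warning "Protection is not ON for $OSDrive (still encrypting, or suspended); check manage-bde -status $OSDrive."
}

# --- 3. Group Policy startup-authentication settings ------------------------
# These DWORDs are what 'Require additional authentication at startup' writes
# (assumption: value names as in the BitLocker policy template).
# For the four protector-type values: 0 = Do not allow, 1 = Require, 2 = Allow.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve) {
    Write-Warning 'No BitLocker policy values set; manage-bde will use its defaults for which protectors it accepts.'
} else {
    $meaning = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }
    foreach ($name in 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        $v = $fve.$name
        if ($v -eq $null) {
            "{0,-20} (not set)" -f $name
        } elseif ($name -eq 'UseAdvancedStartup' -or $name -eq 'EnableBDEWithNoTPM') {
            "{0,-20} {1}" -f $name, $(if ($v -eq 1) { 'Enabled' } else { 'Disabled' })
        } else {
            "{0,-20} {1}" -f $name, $meaning[[int]$v]
        }
    }
}
```

A STALE line is the condition to look for after a protector has been deleted and re-added: the old .BEK is still on the stick, no current protector matches it, so the pre-boot loader cannot use it and falls back to asking for the recovery key. The policy printout shows which protector combinations manage-bde will accept; a protector type whose policy value is "Do not allow" cannot be added, so the policy must be set to Require or Allow for the exact combination (TPM + startup key, or TPM + PIN + startup key) before running the manage-bde -protectors -add command from the update.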