Blog about software development


Why I use Bitlocker without TPM

04 Apr 2021 - by 'Maurits van der Schee'

Bitlocker is the Full Disk Encryption (FDE) solution in Windows, similar to FileVault in OSX and LUKS in Linux. I do advocate the use of full disk encryption on any device, but especially on devices that are prone to theft, such as laptops. In my threat model I'm using full disk encryption (solely) to prevent data theft in case of hardware theft. The power of full disk encryption lies in that it is easy to understand and reason about. Unfortunately this cannot be said about the Windows 10 (professional only) solution, unless you do what I did, as explained in this post.

How "Full Disk Encryption" works

You turn on the computer and it boots from a small (hidden) unencrypted partition of your disk: the boot partition. Before the computer starts and the rest of disk is accessed you need to enter a passphrase. Using the key stretching this password is transformed into a encryption key that is stored in the computer's memory. They encryption key is a symmetric encryption algorithm (typically AES), so the same key is used for encryption and decryption. After this step every block that is read from disk is decrypted in memory before the read operation returns and every block that is written to disk is encrypted before it is actually written to disk.

About the "Trusted Platform Module"

Some computers have a "Trusted Platform Module" (TPM) that acts as a secure key-store. One of the tasks the TPM has is to "Generate, store, and limit the use of cryptographic keys". The TPM measures "the boot code that is loaded" and ensures that "a TPM-based key was used only when the correct software was used to boot the system". This means that the TPM will release the FDE key without a password provided when it decides that the boot process was not tempered with. In my opinion it is hard to understand exactly how that works and this makes it hard to reason about. Saying that a TPM provides a "false sense of security" (as VeraCrypt's author does) may be too strong, but I would not use it. Fortunately, you can disallow usage of the TPM and allow usage of Bitlocker without a TPM.

Configure Bitlocker without TPM

These are the instructions (source):

There is no need to reboot, as your change is immediately effective.

USB Startup Key with ESP

The encryption key may also be stored on a USB stick. This is particularly convenient if you are sharing multiple computers with multiple users, as you can create a USB stick with keys from various computers and the computer will automatically choose the correct one. The USB sticks may be seen as "something you have" and play that role in your Two Factor Authentication (2FA) scheme. In order to prevent the USB stick to "automount" (pop-up as a newly connected drive) you can format the USB stick using a GUID partition table (GPT) and create only one partition: an EFI (Extensible Firmware Interface) System Partition or "ESP". This partition should either be formatted as FAT16 or FAT32 and normally holds files required to boot your system. We will use the ESP to store Bitlocker Encryption Key (BEK) files. The boot process scans all USB connected FAT partitions (including the ESP) for the correct key.

Managing keys

After encrypting the drives of all machines I end up with a set of USB Startup keys containing BEK files. The BEK file is hidden on Windows as it is stored with a "system" attribute, but you can easily copy it to a Linux computer. I have created a (Linux) bash script to format a blank USB drive as GPT/ESP and copy all collected keys. You can find that script on my GitHub repository, see:


Have fun!


PS: Liked this article? Please share it on Facebook, Twitter or LinkedIn.