I Think I Broke It!  Free online help for your everyday computer problems

Enabling Vista Bitlocker (without a TPM chip)

Introduction

For those with laptops, an attractive feature of Vista Ultimate/Enterprise edition (but oddly not the Business edition...) is the new Bitlocker system. This takes the basic encryption (EFS - Encrypted File System) in XP to another level entirely, making it possible to completely encrypt and secure the whole boot partition, rendering the data inaccessible to would-be thieves and nosy friends/relatives alike.

Unfortunately, due to some badly worded requirements before Vista's release, and slightly confusing dialogue boxes in the new OS, many people are under the impression that Vista requires a motherboard with a TPM (Trusted Platform Module) chip installed before they can enable and utilise Bitlocker - this is in fact not true. You CAN use Bitlocker without a new motherboard, it just takes a little digging - hence today's little article on enabling Bitlocker (without a TPM chip).

Requirements

Before attempting anything in this article, you'll need the following things:

  1. Either Vista Ultimate or the Enterprise Edition
  2. A USB Flash drive to store your 'hardware encryption token'
  3. Your Vista system drive needs to be a 'simple' volume (you can't use Bitlocker in conjunction with Vista's software RAID striping/spanning features - but a hardware RAID is fine, as this isn't visible at the OS layer).
  4. At least several gigabytes free on your system partition.
  5. A full working backup of your system. As with anything, a backup is always desirable, just in case you do something you'll regret later!
  6. The Bitlocker Drive Preparation Tool - a free utility from Microsoft that you should already have if you've allowed Vista to download all the 'Ultimate Extras' that are available:

 

The Process

Navigate to Control Panel > Security and click "Protect your computer by encrypting data on your hard disk":

 

By default you'll get this message:

 

Helpful! But as already mentioned, it's perfectly possible to use Bitlocker without a TPM chip; you just need to poke Vista in the right place.

On the Start menu, click on the search box, and type "gpedit.msc". Once the Group Policy Editor has loaded, navigate to "Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Bitlocker Drive Encryption". With the "Bitlocker Drive Encryption" folder highlighted, on the right-hand side you should see "Control Panel Setup: Enable advanced startup options" - double-click it:

 

Choose "Enabled", and make sure the top option "Allow Bitlocker without a compatible TPM" is ticked, as below:

 

Click Apply/OK and close the Group Policy Editor. Now navigate to Control Panel > Security and click the "Protect your computer by encrypting data on your hard disk" option again. This time the "A TPM was not found" error should be missing, allowing you to continue:
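The Group Policy steps above write two DWORD values under HKLM\SOFTWARE\Policies\Microsoft\FVE, which is what the Bitlocker setup wizard actually checks. The script below is an added example (not from the original article) that sets those same values from an elevated PowerShell prompt and reads them back; the function names are my own.

```powershell
# Added example: apply the policy "Control Panel Setup: Enable advanced startup
# options" = Enabled with "Allow Bitlocker without a compatible TPM" ticked,
# by writing the registry values the Group Policy template uses.
# Run from an elevated (Administrator) PowerShell prompt.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Values the policy template writes for this setting.
$wanted = @{
    UseAdvancedStartup = 1   # policy state: Enabled
    EnableBDEWithNoTPM = 1   # "Allow Bitlocker without a compatible TPM"
}

# Hypothetical helper name: create the key if needed and set both values.
function Set-BitLockerNoTpmPolicy {
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    foreach ($name in $wanted.Keys) {
        Set-ItemProperty -Path $policyKey -Name $name -Value $wanted[$name] -Type DWord
    }
}

# Hypothetical helper name: return $true only if every value matches.
function Test-BitLockerNoTpmPolicy {
    if (-not (Test-Path $policyKey)) { return $false }
    $props = Get-ItemProperty -Path $policyKey
    foreach ($name in $wanted.Keys) {
        if ($props.$name -ne $wanted[$name]) { return $false }
    }
    return $true
}

Set-BitLockerNoTpmPolicy
if (Test-BitLockerNoTpmPolicy) {
    Write-Output "Policy applied: Bitlocker can now be enabled with a USB startup key instead of a TPM."
} else {
    Write-Output "Policy values not as expected; check that this was run elevated."
}
```

Writing the registry directly has the same effect on the wizard as gpedit.msc, but a later Group Policy refresh from a domain or local GPO that configures this setting will overwrite it, so on managed machines set it through policy instead.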

 

Now type "Bitlocker" in the search box on the Start menu, and open the "Bitlocker Drive Preparation Tool":


If you don't have this program, go to Control Panel > Windows Update and make sure your system has downloaded the latest Ultimate Extras.

 

Once open, click "Continue". The program will now start resizing your system partition ready for Bitlocker to create a new 1.5GB partition - this might take a while on a highly fragmented drive, or one with little free space:

 

On a fairly fresh installation, this should happen quite quickly. Once the process is complete, restart your system as instructed.

After the restart, you can go to Control Panel > Security and click the "Protect your computer by encrypting data on your hard disk" - the Bitlocker option will now be available. Click the "Turn on Bitlocker" link:

 

You should now be prompted to insert a flash drive to store your startup key on (also known as your "hardware encryption token"):

 

Once you've done that, you should be prompted to save the recovery password (either by printing it, or by saving it to the flash drive or another location). At the very least you must store the password on the flash drive; this allows Vista to check that it can access the drive correctly later.

 

*Note* Take great care to ensure you have more than one copy of this recovery password, and in more than one location. If you lose the flash drive with your hardware encryption token on it, the recovery password is your only alternate way of accessing the encrypted data. If you lose both, you have no way of recovering the data (XP users who've used Linux distributions, or software like 'AdminAllow' in the past to recover encrypted data will find that it isn't that easy anymore!).

Once you're happy that the recovery password is suitably backed up, click "Next". On the final screen, ensure the "Run Bitlocker System Check" option is ticked, then click "Continue":

 

Once the check is complete, the system will restart one last time (to ensure it can read the flash drive on startup), and then begin the process of encrypting your system drive. Thankfully you can leave this running in the background while you do other things (which is lucky, as this process can take several hours to finish!).

And there you have it: Bitlocker is enabled and running, and your private data should be much more secure as a result. Just be careful not to lose both your flash drive and the recovery password!
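Because losing both the startup key and the recovery password means the data is gone, it is worth confirming that the wizard really created both protectors and that encryption has finished. This added example (not from the original article) queries the Win32_EncryptableVolume WMI class that ships with Vista's Bitlocker; it assumes an elevated prompt and that the system drive is the encrypted volume, and the helper names are my own.

```powershell
# Added example: audit the system drive's Bitlocker state via WMI.
# Run from an elevated PowerShell prompt.

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$systemDrive = $env:SystemDrive   # e.g. "C:"

# Key protector type codes used by Win32_EncryptableVolume.GetKeyProtectors
$ExternalKey       = 2   # startup key stored on the USB flash drive
$NumericalPassword = 3   # 48-digit recovery password

# Hypothetical helper name: find the encryptable volume for the system drive.
function Get-SystemVolume {
    Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume |
        Where-Object { $_.DriveLetter -eq $systemDrive }
}

# Hypothetical helper name: number of protectors of the given type on a volume.
function Get-ProtectorCount {
    param($vol, $type)
    $ids = $vol.GetKeyProtectors($type).VolumeKeyProtectorID
    if ($null -eq $ids) { return 0 }
    return @($ids).Count
}

$vol = Get-SystemVolume
if (-not $vol) { throw "No Bitlocker-capable volume found for $systemDrive" }

# Conversion status: 0 decrypted, 1 encrypted, 2 encrypting, 3 decrypting, 4/5 paused
$conv = $vol.GetConversionStatus()
# Protection status: 0 off, 1 on, 2 unknown
$prot = $vol.GetProtectionStatus().ProtectionStatus

Write-Output ("Conversion status: {0}, {1}% encrypted" -f $conv.ConversionStatus, $conv.EncryptionPercentage)
Write-Output ("Protection on: {0}" -f ($prot -eq 1))

$startupKeys = Get-ProtectorCount $vol $ExternalKey
$recoveryPws = Get-ProtectorCount $vol $NumericalPassword
Write-Output ("Startup key protectors: {0}, recovery password protectors: {1}" -f $startupKeys, $recoveryPws)

if ($startupKeys -ge 1 -and $recoveryPws -ge 1) {
    Write-Output "OK: both a startup key and a recovery password are registered on this volume."
} else {
    Write-Output "WARNING: a protector is missing; losing the flash drive could leave the data unrecoverable."
}
```

If the recovery password count is zero, add one through the Bitlocker control panel before relying on the drive, since the startup key alone is a single point of failure.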
