How to Enable BitLocker on Windows 10 Without TPM

by Madalina Dinita
Managing Editor

Windows BitLocker is a fantastic tool – it lets you fully encrypt your data directly at the hard disk level, giving you the extra layer of privacy that you demand. However, BitLocker has its limitations – or rather, security features that prove to be a limitation for some. There is a security chip called Trusted Platform Module – or in short “TPM” – that is supposed to store the encryption key for your encrypted hard disk.

When you encrypt something, on the basic level it is comparable to putting something in a locker – so the name BitLocker actually does make sense. Any encrypted data has a key known as its “encryption key” – whoever has this key is able to decrypt the data. Now obviously, this means the key needs to be stored somewhere safe – that is what the TPM chip is for.

Here is the problem – some older hard disks or even some newer ones don’t have this TPM chip, either because the hard disks were too old to consider it or the manufacturer was trying to keep the manufacturing costs low and thus skipped an optional feature. There is however a way to get around the requirement of a TPM chip and encrypt your drive anyway. And it’s not that hard to do, so let’s get straight to it:

  • Open your Start Menu and type “gpedit.msc”, then click the top result. This will open the Group Policy Editor.
  • Under “Local Computer Policy”, follow this path: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

  • Now locate “Require additional authentication at startup” and right click it, then click Edit.
  • On this window, click Enabled and under Options check the box that says “Allow BitLocker without a compatible TPM”.
  • Now click OK, and close the Local Policy Editor.
  • Now open the BitLocker setup once again on the drive you want to encrypt. It should ask you to go through a restart to prepare the disk.
  • Once you have restarted, it will ask you to set up a Startup key for every time you start your PC – this is the key that was supposed to be saved on the TPM chip but since we have bypassed that, you will need to save this on a USB flash drive. That’s your key now.

Now you can encrypt your hard disk even though it doesn’t have a TPM chip – and store the encryption key on a handy USB flash drive that you can unplug from your PC to deny access to the drive. It works exactly like a physical key at this point.
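To confirm that the policy change and the startup key from the steps above are actually in effect, the following read-only check can be run from an elevated PowerShell prompt. It is an added example, not part of the original article; the function name `Get-NoTpmBitLockerState` is made up for illustration, and it assumes the registry values `UseAdvancedStartup` and `EnableBDEWithNoTPM` under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` are where the Group Policy setting is stored.

```powershell
# Added example (not from the original article): read-only audit of the
# "Allow BitLocker without a compatible TPM" policy and the resulting protectors.
# Get-NoTpmBitLockerState is a hypothetical helper name. Run elevated.
function Get-NoTpmBitLockerState {
    param([string]$MountPoint = $env:SystemDrive)

    # Registry location assumed to back the "Operating System Drives" policy.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # UseAdvancedStartup: "Require additional authentication at startup" is Enabled
    # EnableBDEWithNoTPM: "Allow BitLocker without a compatible TPM" is checked
    $advanced = ($null -ne $policy) -and ($policy.UseAdvancedStartup -eq 1)
    $noTpm    = ($null -ne $policy) -and ($policy.EnableBDEWithNoTPM -eq 1)

    $tpm   = Get-Tpm -ErrorAction SilentlyContinue
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        TpmPresent          = [bool]($tpm -and $tpm.TpmPresent)
        PolicyEnabled       = $advanced
        NoTpmAllowed        = $noTpm
        VolumeStatus        = $vol.VolumeStatus
        ProtectionStatus    = $vol.ProtectionStatus
        KeyProtectorTypes   = $types -join ', '
        HasStartupKey       = $types -contains 'ExternalKey'
        HasRecoveryPassword = $types -contains 'RecoveryPassword'
    }
}

$state = Get-NoTpmBitLockerState
$state | Format-List

if (-not $state.TpmPresent -and -not $state.NoTpmAllowed) {
    Write-Warning 'No TPM found and the policy change described above is not in effect.'
}
if ($state.HasStartupKey -and -not $state.HasRecoveryPassword) {
    Write-Warning 'No recovery password protector found; the drive depends on key files such as the USB startup key.'
}
if ($state.ProtectionStatus -ne 'On') {
    Write-Warning "Protection is not on for $($state.MountPoint) (status: $($state.VolumeStatus))."
}
```

`ExternalKey` is the protector type BitLocker reports for a startup key stored on a USB drive, so `HasStartupKey` should be true once the steps above are complete.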

This is the beauty of Windows – the reason Windows is so complex is because of how many options it features. It’s easy to make a feature – it’s harder to make a feature that can be tweaked in every way possible.