How to Create a BitLocker USB Key

Which way can I create a BitLocker USB key for data encryption?

I stored my vital data on my USB flash drive and encrypted it with BitLocker. Now I am preparing another USB flash drive so that BitLocker can load the key from that USB drive, so that I can easily share the contents of the encrypted USB flash drive with others. What should I do? I expect your quick answer.

Answer by Lydia

Right here to answer it for you. The BitLocker USB key, also called the USB startup key, stores a BitLocker key protector on a USB flash drive as a file (it carries the .BEK extension). Because it is portable and convenient to use, it is a reasonable choice, provided the USB drive that holds the file is kept as safe as the data it unlocks.

How Does a BitLocker USB Key Work?

When you unlock a BitLocker-encrypted drive with a USB key, the USB drive that holds the key file must be plugged in at the same time. For the operating system drive, the BitLocker pre-boot loader reads the key file from the USB drive automatically during startup. For a data or removable drive, Windows does not prompt for a key file; you unlock it from the command line by pointing manage-bde -unlock (or the Unlock-BitLocker cmdlet) at the .BEK file.

The startup key is normally used together with the TPM on the operating system drive, as a second factor much like a PIN. If the computer's BIOS or UEFI firmware can read a USB drive during boot, the startup key can also be used without a TPM: choose "Insert a USB flash drive" instead of "Enter a password" when the BitLocker wizard asks "Choose how to unlock your drive at startup" (this requires the "Allow BitLocker without a compatible TPM" option of the "Require additional authentication at startup" policy). Either way, this wizard option is offered only for the operating system drive, not for data drives; a data drive gets an external key file instead (see Step 7).

Also, the USB drive that stores the key file must be formatted with one of the following file systems: NTFS, FAT, or FAT32.

Steps to Set USB Startup Key

Step 1 Check whether the computer has a TPM (run tpm.msc) and whether its BIOS/UEFI firmware can read USB drives during boot. The TPM matters only if you are protecting the operating system drive.

Step 2 Plug both the encrypted drive and the USB drive that will hold the key file into a computer that supports BitLocker Drive Encryption (Windows Pro, Enterprise or Education).

Step 3 Type "gpedit.msc" in the Windows search box and press Enter to open the Local Group Policy Editor.

Open Local Group Policy Editor

Step 4 Navigate to Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives.

BitLocker Drive Encryption in Local Group Policy Editor

Step 5 Double-click "Require additional authentication at startup".

Require Additional Authentication at Startup

Step 6 Select Enabled. Under "Configure TPM startup key", choose "Require startup key with TPM" from the dropdown, then click Apply and OK. This policy governs only the operating system drive; it is not needed when the encrypted drive is a data or removable drive.

Require Startup Key with TPM

Step 7 Type "cmd" in the search box next to the Start button, then press Ctrl + Shift + Enter to open Command Prompt as administrator. Run the command that matches the drive you are protecting. For the operating system drive (the policy from Step 6 applies here):

manage-bde -protectors -add c: -TPMAndStartupKey g:\

For a BitLocker-encrypted data or removable drive, such as the questioner's flash drive, TPM-based protectors are not available; add an external key file instead:

manage-bde -protectors -add f: -RecoveryKey g:\

# replace the drive letters with your own: the first letter is the encrypted drive, g: is the USB drive that will hold the key file

In both cases a key file with the .BEK extension is written to the g: drive, named after the new protector's ID. It is created as a hidden system file, so enable "Show hidden files" in File Explorer (or run dir /a g:\) if you do not see it. You can list the protectors on the encrypted drive at any time with manage-bde -protectors -get f:.
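The whole procedure (Steps 1, 2 and 7) as an added PowerShell example using the built-in BitLocker module; this is not code from the original page. It assumes hypothetical drive letters: F: is the BitLocker-encrypted drive and G: is the unencrypted USB drive that will store the key file. It picks the protector type that fits the volume (TPM plus startup key for an operating system drive, an external key file for a data drive) and then verifies that the matching hidden .BEK file exists.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page. Assumed (hypothetical) drive letters:
# F: = BitLocker-encrypted drive, G: = unencrypted USB drive for the key file.
param(
    [string]$Encrypted = 'F:',
    [string]$KeyDrive  = 'G:'
)
$ErrorActionPreference = 'Stop'

# Step 1: TPM check. The TPM only matters for the operating system drive.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)  ready: $($tpm.TpmReady)"

# Step 2 precondition: the key drive must be NTFS, FAT or FAT32.
$fs = (Get-Volume -DriveLetter $KeyDrive[0]).FileSystem
if ($fs -notin 'NTFS', 'FAT', 'FAT32') {
    throw "$KeyDrive is formatted $fs; BitLocker key files need NTFS, FAT or FAT32."
}

# Record the protectors that exist now so the new one can be identified afterwards.
$vol    = Get-BitLockerVolume -MountPoint $Encrypted
$before = @($vol.KeyProtector | ForEach-Object KeyProtectorId)
"$Encrypted type=$($vol.VolumeType) protection=$($vol.ProtectionStatus) lock=$($vol.LockStatus)"
if ($vol.LockStatus -eq 'Locked') {
    throw "$Encrypted is locked; unlock it before adding a protector."
}

# Step 7: add the key-file protector that fits the volume type.
if ($vol.VolumeType -eq 'OperatingSystem') {
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'No ready TPM: use -StartupKeyProtector with "Allow BitLocker without a compatible TPM" instead.'
    }
    # Equivalent of: manage-bde -protectors -add C: -TPMAndStartupKey G:\
    Add-BitLockerKeyProtector -MountPoint $Encrypted -TpmAndStartupKeyProtector `
        -StartupKeyPath "$KeyDrive\" | Out-Null
} else {
    # Data/removable drives cannot use TPM protectors; an external key file is the
    # equivalent of: manage-bde -protectors -add F: -RecoveryKey G:\
    Add-BitLockerKeyProtector -MountPoint $Encrypted -RecoveryKeyProtector `
        -RecoveryKeyPath "$KeyDrive\" | Out-Null
}

# Verify: locate the new protector and the hidden .BEK file named after its ID.
$after = Get-BitLockerVolume -MountPoint $Encrypted
$new   = $after.KeyProtector | Where-Object { $before -notcontains $_.KeyProtectorId }
$id    = $new.KeyProtectorId.Trim('{', '}')
$bek   = Get-ChildItem -Path "$KeyDrive\" -Filter '*.BEK' -Force |
         Where-Object { $_.BaseName -eq $id }
if (-not $bek) {
    throw "Protector $($new.KeyProtectorId) was added but no matching .BEK file is on $KeyDrive."
}
"Added $($new.KeyProtectorType) protector $($new.KeyProtectorId); key file: $($bek.FullName)"

# To unlock a data drive on another PC later, point at that file:
#   Unlock-BitLocker -MountPoint F: -RecoveryKeyPath 'G:\<id>.BEK'
# or: manage-bde -unlock F: -RecoveryKey G:\<id>.BEK
```

The before/after comparison of KeyProtectorId is what proves the command did what you expect: both a recovery key and a startup key show up with the KeyProtectorType ExternalKey, so checking the type alone would not tell you which file on G: is the one you just created.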

Additions

Note that anyone who obtains a copy of the key file stored on your flash drive can unlock your encrypted data: the .BEK file is the key itself, not a hint to it, and copying it takes seconds. Keep the USB key in a secure location and do not leave it plugged into the computer.

Additionally, if you delete the key file accidentally or lose the USB key, you can still unlock the drive with the 48-digit recovery password, as long as you did not store it on the same flash drive. After unlocking, remove the protector that belonged to the lost key (manage-bde -protectors -delete) and create a new key file, otherwise whoever finds the old USB drive still holds a working key.
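Handling the lost-key case above, as an added PowerShell example that is not part of the original page: unlock the data drive with the recovery password, issue a replacement key file first, and only then delete the external key protector(s) that belonged to the lost USB drive. It assumes hypothetical letters F: for the encrypted drive and H: for the replacement USB drive, and takes the recovery password as a mandatory parameter rather than embedding one.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page. Assumed (hypothetical) letters:
# F: = encrypted data drive, H: = replacement USB drive for the new key file.
param(
    [Parameter(Mandatory)][string]$RecoveryPassword,   # the 48-digit password kept elsewhere
    [string]$Encrypted   = 'F:',
    [string]$NewKeyDrive = 'H:'
)
$ErrorActionPreference = 'Stop'

# 1. Unlock with the recovery password if the drive is currently locked.
$vol = Get-BitLockerVolume -MountPoint $Encrypted
if ($vol.LockStatus -eq 'Locked') {
    Unlock-BitLocker -MountPoint $Encrypted -RecoveryPassword $RecoveryPassword | Out-Null
}

# 2. Remember the old external-key protectors (the lost USB key is one of them).
$old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'ExternalKey')

# 3. Add the replacement key file BEFORE removing anything, so the drive never
#    ends up with the recovery password as its only protector by accident.
$before = @($vol.KeyProtector | ForEach-Object KeyProtectorId)
Add-BitLockerKeyProtector -MountPoint $Encrypted -RecoveryKeyProtector `
    -RecoveryKeyPath "$NewKeyDrive\" | Out-Null
$after = Get-BitLockerVolume -MountPoint $Encrypted
$new   = $after.KeyProtector | Where-Object { $before -notcontains $_.KeyProtectorId }
"New key file protector: $($new.KeyProtectorId) on $NewKeyDrive"

# 4. Revoke the old external keys. Until this runs, the lost USB drive still unlocks F:.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $Encrypted -KeyProtectorId $p.KeyProtectorId | Out-Null
    "Removed old external key protector $($p.KeyProtectorId)"
}

# 5. Show what is left; a RecoveryPassword protector should still be present.
(Get-BitLockerVolume -MountPoint $Encrypted).KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId -AutoSize
```

If the drive had more than one external key protector (for example a recovery key file on a second USB drive), step 4 revokes all of them; narrow the Where-Object filter to the lost key's KeyProtectorId if you want to keep the others.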
