Change Bitlocker to use the TPM plus a USB key and a PIN
I have bitlocker running on Windows 7 (x86) on a Dell D630 laptop (it has a 1.2 TPM).
It is running in transparent mode.
I'd like to know how to configure it to use a PIN and a USB key as well, but I can't find anything that looks like it does this in the UI.
Does anyone know how to do this?
Do I have to remove bitlocker and re-enable it??
(This should be possible according to this - http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption)
Solution 1:
According to Matthias Hamann here:
To the great relief of any paranoid encryption junkie, Microsoft decided to add another mode, which requires TPM + PIN + USB Key to start up your computer. This feature was introduced with Service Pack 1 for Vista and makes it really hard for an attacker to get hold of your authentication details if you don’t write your PIN on your USB stick or get “questioned” by someone with a blow torch and a pair of pliers.
So how does it work? Well, although there is no GUI option for this new mode, it’s surprisingly simple to activate:
- Click on the Vista logo / start button.
- Type cmd in the search box and do NOT hit enter.
- Right-click on the command prompt item (cmd.exe) and select “Run as administrator” from the context menu.
- Enter
cscript manage-bde.wsf -on c: -rp -rk d: -tpsk -tp 1234567 -tsk e:
and hit enter. (“c:” is the drive which you want to encrypt / your OS volume; “d:” is the drive where the recovery key will be stored at; “1234567” is your secret PIN, which can consist of up to 20 digits; “e:” is your USB key.)- Write down the recovery password and hide it at a SAFE location (e.g., under your keyboard ).
- Type exit and hit enter.
- DONE!