
View Full Version : Can an SD card be used in place of TPM for BitLocker on qualifying OS's?



capilta
11-28-2012,
I'm asking this question because one of my computers (Dell Optiplex 740) has a TPM, but my main desktop doesn't, and it would be costly to find/install a motherboard that does. Plus re-activation of my full licensed MS software would be needed, and the OEM install wouldn't qualify.



What I want to do is find an inexpensive alternative to secure my computer, and from what I'm reading, it looks like an SD card may be the answer, but I need to be certain.



If this is possible, do I have to do it the same way every time? For example, I have both a native SD card reader on my Dell XPS 8700, which I've never used, and also have a Transcend USB 3.0 card reader, which is what I use for all SD/SDHC tasks.



Also, can I use the same SD card on multiple computers & will each find the right code, as a 1 or 2GB SD card can hold many codes? Or do I need a separate one for each?



In the past, I have tried BitLocker with the password option, and after a couple of times it wouldn't open the Flash drive that was used to test the technology, nor would the printed code, a very long string (almost like that used to phone activate Windows), nor would the one saved to what was SkyDrive at the time. Fortunately, I had a backup of the Flash drive, and formatted and re-installed the data it contained. From what I've read, it looks like I skipped a step along the line, as with three options, it should have opened on the same computer it was encrypted on.



These are the instructions that I've found. In addition to what I've asked above about using an SD card, is this the proper way to set up BitLocker w/out a TPM? I didn't do all of this with the Flash drive, just the quick BitLocker setup.



http://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/



I've relied on this site for several years & haven't had issues, but this is a much larger undertaking, the encryption of three SSDs, plus my installed Data drive & three external backup ones, and I don't want to be locked out of my computer. I am on Linux Mint 17 at the moment, however my updated Speccy specs are in my sig. All is included except my backup drives, a 1TB WD Caviar Black & two 1TB Samsung HD103SJ drives.



The BitLocker function will be controlled by Windows 7 Ultimate, though there are two other Windows OS's on the PC, Windows 7 Pro & the OEM supplied Windows 8, and I will be reinstalling Linux Mint 17 on it, as soon as I can find the proper place for it. I may merge the Windows 7 Ultimate install beside Windows 8, which is on the Crucial M550, and use the Intel 330 for Mint 17.



I just need a good idea of where to start. I know that a password can be created in the UEFI to lock down the PC, but this doesn't encrypt drives and would only serve to keep a casual thief out, as this function is easily reset. Encryption is what I want, not a password that can be reset in less than 5 minutes. My health is poor and getting worse & I don't want anyone accessing my computers or backup drives for any reason. What's on them belongs to me & me only. I'm getting my ducks in a row, so to speak.



On both of my notebooks, there is an SSD encryption function available (Samsung 840 EVO), but this has to be set up their way & Windows has to be clean installed afterwards, as I understand it. The restoration of a backup after SSD preparation won't do (I have no idea why), however these will be done last, but I would like to be able to use the same SD card if possible. Windows 8.1 Pro is one OS installed on each of those.



All input & advice is highly appreciated. :)



Cat

Buddyme2
12-06-2012,
I don't know if you can use the same SD card. Maybe you can test this with 2 virtual machines that you encrypt with BL.

But in any case, make a full disk backup of your machine before you encrypt it.

Buddyme2
12-14-2012,
FYI: I'm trying this out on VMware Workstation with Windows 7 Ultimate.

It didn't work with a USB stick, maybe because the USB stick isn't connected when Windows needs it.

So I tried with a virtual floppy disk. This works.



After encryption, the floppy disk contains a hidden, read-only system file with .BEK extension.

It's only 156 bytes.



So I assume this same floppy will also work for a second machine. I'll keep you posted.

Buddyme2
12-22-2012,
Update: I encrypted 2 VMs with Bitlocker, the key files (.BEK) were stored on the same floppy.
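The procedure the first post asks about (enabling BitLocker on a system volume without a TPM, with the startup key on removable media) and the .BEK behaviour the later posts describe, written out as an added example. This is not code from the thread or from the howtogeek article; it assumes the OS volume is C: and the SD card or USB key is mounted as E:\, and it uses manage-bde.exe because the BitLocker PowerShell module does not exist on Windows 7. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): BitLocker on a no-TPM system volume with a
# removable startup key plus a recovery password. Assumptions: OS volume is C:,
# the SD card / USB key is E:\. manage-bde.exe ships with Windows 7 Ultimate and
# Enterprise and with later editions that include BitLocker.
param(
    [string]$Volume   = "C:",    # assumed: the OS volume to encrypt
    [string]$KeyDrive = "E:\"    # assumed: root of the SD card / USB key
)

# 1. Local-policy equivalent of "Require additional authentication at startup"
#    with "Allow BitLocker without a compatible TPM" ticked. Without this,
#    BitLocker refuses to enable on a system volume that has no TPM.
$fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
# 2 = "Allow" for the TPM-based combinations; harmless on a machine with no TPM.
foreach ($n in "UseTPM", "UseTPMPIN", "UseTPMKey", "UseTPMKeyPIN") {
    Set-ItemProperty -Path $fve -Name $n -Value 2 -Type DWord
}

# 2. Turn BitLocker on with two protectors: a 48-digit recovery password (the
#    fallback that would have rescued the flash drive in the first post; store it
#    off the machine) and a startup key written to the removable drive. By
#    default manage-bde runs a hardware test on the next reboot and only starts
#    encrypting once the firmware has proven it can read the key at boot, which
#    is exactly the failure seen with the USB stick under VMware.
manage-bde -on $Volume -RecoveryPassword -StartupKey $KeyDrive

# 3. Record the protectors. The recovery password and its numerical ID are printed
#    here; copy them somewhere that is not on an encrypted volume.
manage-bde -protectors -get $Volume

# 4. Confirm the startup key landed on the card. manage-bde writes one hidden,
#    system .BEK file per volume, named after the protector GUID, so a single card
#    can hold the startup keys for several volumes or machines, as the later post
#    reports. -Force is needed because the file is hidden.
Get-ChildItem -Path $KeyDrive -Filter *.BEK -Force |
    Select-Object Name, Length, Attributes

# 5. Reboot with the card inserted; check progress afterwards.
manage-bde -status $Volume
```

Two practical checks before applying this to every drive: reboot once with only the card inserted to confirm the firmware enumerates that reader pre-boot (a built-in SD reader and a USB 3.0 reader are different devices to the firmware, so test the one you intend to use), and verify that the recovery password from step 3 actually unlocks the volume before relying on it.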