Enable BitLocker encryption, and Windows will automatically unlock your drive each time you start your computer using the TPM built into most modern computers. But you can set up any USB flash drive as a “startup key” that must be present at boot before your computer can decrypt its drive and start Windows.
This effectively adds two-factor authentication to BitLocker encryption. Whenever you start your computer, you’ll need to provide the USB key before it will be decrypted. This would be particularly useful with a small USB drive you carry with you on a keychain.
Step One: Enable BitLocker (If You Haven’t Already)
This, obviously, requires BitLocker drive encryption, which means it only works on Professional and Enterprise editions of Windows. Before you can follow any of the steps below, you’ll need to enable BitLocker encryption on your system drive from the Control Panel.
If you go out of your way to enable BitLocker on a PC without a TPM, you can choose to create a USB startup key as part of the setup process. This will be used instead of the TPM. The below steps are only necessary when enabling BitLocker on computers with TPMs, which most modern computers have.
If you have a Home version of Windows, you won’t be able to use BitLocker. You may have the Device Encryption feature instead, but this works differently from BitLocker and doesn’t allow you to provide a startup key.
Step Two: Enable the Startup Key in Group Policy Editor
Once you’ve enabled BitLocker, you’ll need to enable the startup key requirement in Windows’ group policy. To open the Group Policy Editor, press Windows+R on your keyboard, type “gpedit.msc” into the Run dialog, and press Enter.
Head to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives in the Group Policy window.
Double-click the “Require Additional Authentication at startup” option in the right pane.
Select “Enabled” at the top of the window here. Then, click the box under “Configure TPM Startup Key” and select the “Require Startup Key With TPM” option. Click “OK” to save your changes.
Step Three: Configure a Startup Key for Your Drive
You can now use the
manage-bde command to configure a USB drive for your BitLocker-encrypted drive.
First, insert a USB drive into your computer. Note the drive letter of the USB drive–D: in the screenshot below. Windows will save a small .bek file to the drive, and that’s how it will become your startup key.
Next, launch a Command Prompt window as Administrator. On Windows 10 or 8, right-click the Start button and select “Command Prompt (Admin)”. On Windows 7, find the “Command Prompt” shortcut in the Start menu, right-click it, and select “Run as Administrator”
Run the following command. The below command works on your C: drive, so if you want to require a startup key for another drive, enter its drive letter instead of
c: . You’ll also need to enter the drive letter of the connected USB drive you want to use as a startup key instead of
manage-bde -protectors -add c: -TPMAndStartupKey x:
The key will be saved to the USB drive as a hidden file with the .bek file extension. You can see it if you show hidden files.
You’ll be asked to insert the USB drive the next time you boot your computer. Be careful with the key–someone that copies the key from your USB drive can use that copy to unlock your BitLocker-encrypted drive.
To double-check whether the TPMAndStartupKey protector was added properly, you can run the following command:
(The “Numerical Password” key protector displayed here is your recovery key.)
How to Remove the Startup Key Requirement
If you change your mind and want to stop requiring the startup key later, you can undo this change. First, head back to the Group Policy editor and change the option back to “Allow Startup Key With TPM”. You can’t leave the option set to “Require Startup Key With TPM” or Windows won’t allow you to remove the startup key requirement from the drive.
Next, open a Command Prompt window as Administrator and run the following command (again, replacing
c: if you’re using a different drive):
manage-bde -protectors -add c: -TPM
This will replace the “TPMandStartupKey” requirement with a “TPM” requirement, deleting the PIN. Your BitLocker drive will automatically unlock via your computer’s TPM when you boot.
To check that this completed successfully, run the status command again:
manage-bde -status c:
Try rebooting your computer first. If everything works properly and your computer doesn’t require the USB drive to boot, you’re free to format the drive or just delete the BEK file. You can also just leave it on your drive–that file won’t actually do anything anymore.
If you lose the startup key or delete the .bek file from the drive, you’ll need to provide the BitLocker recovery code for your system drive. You should have saved somewhere safe when you enabled BitLocker for your system drive.
Image Credit: Tony Austin/Flickr