Remote Boot of BitLocker without a TPM

One of the challenges of implementing full-disk encryption is how to provide the key to unlock the drive when the system boots. This is especially important with servers, which may be at a remote location.

Microsoft’s BitLocker can use a Trusted Platform Module (TPM) on the motherboard to unlock the system drive during boot with no user interaction, before anyone logs on. But what if your machine does not have a TPM? How do you configure BitLocker, and how do you boot the machine if you are not at the server location? I found that a Dell Remote Access Controller (DRAC) is all that is needed.

Allow BitLocker without a Compatible TPM

Scenario 5 of this Technet article has instructions for enabling BitLocker without a TPM, but they are incorrect at a crucial point. In Windows Server 2008 R2, the setting is in Local Group Policy under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup. Enable this policy, and you will be able to check the box Allow BitLocker without a compatible TPM (requires a startup key on a USB flash drive). (Note: for Server 2008 R2, set the policy for the “Windows 7 family”, not the separate version of the same policy labelled “Windows Server 2008 and Windows Vista”.)

[Screenshot: BitLocker Group Policy 1]

[Screenshot: BitLocker Group Policy 2]

Once that Group Policy setting is made, you can go to Control Panel to turn on BitLocker on the system drive. (On Server 2008 R2 the BitLocker Drive Encryption feature is not installed by default; add it from Server Manager first, or the Control Panel item will not exist.) You’ll be asked to save the startup key to a USB flash drive, and that drive must be plugged in every time the server boots. Be sure to save and print out the recovery key as well, and keep it somewhere other than the server and the startup-key drive: it is what you will type in if the USB flash drive is not available.
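The same configuration from an elevated PowerShell prompt, as an added example that is not part of the original post. It sets the registry values that the “Require additional authentication at startup” (Windows 7 family) policy writes, checks that the BitLocker feature is installed, turns on BitLocker with a USB startup key plus a numerical recovery password, and files the recovery password away from the server. The drive letters C: and E: and the share \\fileserver\bitlocker-keys are assumptions for the example, not values from the post.

```powershell
# Added example, not from the original post. Windows Server 2008 R2, elevated
# PowerShell (2.0). Assumptions: OS volume is C:, the USB flash drive is E:,
# and recovery passwords are copied to the hypothetical share below.
$OsDrive   = 'C:'
$UsbDrive  = 'E:\'
$BackupDir = '\\fileserver\bitlocker-keys'

# 1. Policy. "Require additional authentication at startup" (Windows 7 family)
#    writes these DWORDs under HKLM\SOFTWARE\Policies\Microsoft\FVE, so setting
#    them directly is equivalent to the Local Group Policy steps. UseTPM* = 2
#    means "allow": a TPM may be used but is not required. A domain GPO that
#    configures the same policy will overwrite these values on refresh.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
$policy = @{
    UseAdvancedStartup = 1   # policy Enabled
    EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM"
    UseTPM             = 2
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $fve -Name $name -Value $policy[$name] -Type DWord
}

# 2. BitLocker is an optional feature on Server 2008 R2; without it neither the
#    Control Panel applet nor manage-bde.exe is present.
Import-Module ServerManager
if (-not (Get-WindowsFeature BitLocker).Installed) {
    throw 'Run "Add-WindowsFeature BitLocker", reboot, then re-run this script.'
}

# 3. Encrypt the OS volume with a startup key (.BEK file written to the USB
#    drive) and a randomly generated 48-digit recovery password. manage-bde
#    prints the password once, so capture the output instead of letting it
#    scroll off the console. It will then ask for a restart to run a hardware
#    test; encryption starts after that test passes.
$output = & manage-bde -on $OsDrive -StartupKey $UsbDrive -RecoveryPassword 2>&1
if ($LASTEXITCODE -ne 0) { throw "manage-bde failed:`n$($output -join "`n")" }

# 4. Pull the recovery password out of the output and store it away from both
#    the server and the USB key. The .BEK file boots the server; the recovery
#    password is what you type over the DRAC console when the USB drive is
#    not there.
$recovery = [regex]::Match(($output -join "`n"), '\d{6}(-\d{6}){7}').Value
if (-not $recovery) { throw "No recovery password found in output:`n$($output -join "`n")" }
$file = Join-Path $BackupDir ('{0}-{1:yyyyMMdd}.txt' -f $env:COMPUTERNAME, (Get-Date))
"$env:COMPUTERNAME $OsDrive recovery password: $recovery" | Out-File -FilePath $file -Encoding ascii

# 5. Confirm that exactly the expected protectors exist (one External Key, one
#    Numerical Password) before restarting for the hardware test.
& manage-bde -protectors -get $OsDrive
```

If the server is domain-joined you can additionally escrow the numerical password to Active Directory with manage-bde -protectors -adbackup, which avoids keeping text files of recovery passwords at all.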

Boot without a USB Flash Drive

If you know you are going to need to reboot a remote server for system maintenance, you can temporarily suspend BitLocker protection as described near the bottom of this article, so that the next boot does not ask for the startup key. But what if you don’t do that? What happens if you boot with BitLocker enabled but without the USB flash drive containing the startup key? You’ll see a screen like this:
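The planned-maintenance path, as an added example that is not from the original post: suspend BitLocker protection before a remote reboot, then re-arm it afterwards, checking the result each time by parsing manage-bde -status. The volume letter C: is an assumption for the example.

```powershell
# Added example, not from the original post. Windows Server 2008 R2, elevated
# PowerShell. Assumes the OS volume is C:.
$OsDrive = 'C:'

function Get-BitLockerProtection {
    # Returns 'On' or 'Off' from "manage-bde -status", or $null if the volume
    # does not report a BitLocker protection status at all.
    param([string]$Volume)
    $text = (& manage-bde -status $Volume 2>&1) -join "`n"
    if ($text -match 'Protection Status:\s*Protection (On|Off)') { return $Matches[1] }
    return $null
}

function Suspend-BitLockerForReboot {
    # Suspending keeps the volume encrypted but stores the volume master key in
    # the clear, so the next boot needs neither the USB startup key nor the
    # recovery password. On 2008 R2 there is no reboot-count option: protection
    # stays off until someone turns it back on, which is why the resume step
    # below exists as a function rather than a reminder.
    param([string]$Volume)
    & manage-bde -protectors -disable $Volume | Out-Null
    if ((Get-BitLockerProtection $Volume) -ne 'Off') { throw "Suspend failed on $Volume" }
}

function Resume-BitLockerProtection {
    # Re-enable the key protectors and refuse to continue silently if the
    # volume is still unprotected.
    param([string]$Volume)
    & manage-bde -protectors -enable $Volume | Out-Null
    if ((Get-BitLockerProtection $Volume) -ne 'On') { throw "Protection is still off on $Volume" }
}

# Before the maintenance window:
Suspend-BitLockerForReboot $OsDrive
# ... apply updates, then reboot (Restart-Computer -Force). The server comes
# back up with no startup-key prompt.

# After the server is back, from a remote PowerShell session or the DRAC console:
# Resume-BitLockerProtection $OsDrive
```

Run the resume step as soon as the box is reachable again; a volume left suspended is encrypted in name only, because the key needed to read it is sitting on the disk next to the data.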

[Screenshot: BitLocker 1]

So how do we use the DRAC to get into the system? My first attempt was to use the DRAC media redirection to plug the USB flash drive into my local machine. But for some reason the machine didn’t see the flash drive:

[Screenshot: BitLocker 2]

However, I was able to access the console. When I pressed Enter, this screen appeared:

[Screenshot: BitLocker 3]

Once I typed in the 48-digit recovery key (not much harder than typing in a product key), Windows started:

[Screenshot: BitLocker 4]

Conclusion

Some consider BitLocker without a TPM to be more secure because it requires an external USB flash drive to boot: the key material is not on the machine at all. Even if you have a TPM, you may want to configure BitLocker to additionally require a PIN, so that possession of the machine alone is not enough to boot it (two-factor authentication). Either way, an out-of-band remote access card like the Dell DRAC solves the problem of not being physically present when booting the machine. Keep in mind that the recovery password is typed over the DRAC session, so the DRAC’s credentials and management network need to be protected as carefully as the recovery keys themselves.
