FDE with BitLocker: specify startup key

by sampablokuper   Last Updated March 13, 2018 08:01 AM

On PCs without a compatible TPM, BitLocker allows the PC to instead be configured to require a "startup key" in order to decrypt the system drive during the boot process. (For background, see e.g. this and this.)

To perform that configuration, the "Allow BitLocker without a compatible TPM" option must first be turned on, under Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives -> Require additional authentication at startup. With that option turned on, when the user encrypts her system drive with the BitLocker wizard, she can choose the "Insert a USB flash drive" answer to the dialogue box headed "Choose how to unlock your drive at startup." At that point, the wizard will normally generate a startup key and will ask for a USB stick on which to write it.

My question is: when encrypting a drive with BitLocker, so as to require a startup key, can the user specify her own custom startup key (e.g. if she already has a startup key she wants to use), or must she accept the key generated by the BitLocker wizard?

If she must accept the key created by the BitLocker wizard, at least while the wizard is running, then as a workaround, can she later replace this with her preferred startup key? Via the BitLocker Manage Keys interface, perhaps?
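The policy change and the startup-key encryption step described in the question, done from an elevated PowerShell prompt instead of the Group Policy editor and the BitLocker wizard. This is an added example, not part of the original post; it assumes the system drive is C:, the USB stick is mounted as E:, and the machine is a standalone PC whose local policy is not overridden by a domain GPO.

```powershell
# Added example (not from the original post). Assumptions: system drive C:,
# USB stick E:, standalone PC (a domain GPO would override these local values).

# 1. Local-policy equivalent of "Require additional authentication at startup"
#    with "Allow BitLocker without a compatible TPM" ticked. These are the
#    registry values the policy writes; 2 = Allow, 1 = Require, 0 = Do not allow.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup  -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name UseTPM             -Type DWord -Value 2
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Type DWord -Value 2
Set-ItemProperty -Path $fve -Name UseTPMKey          -Type DWord -Value 2
Set-ItemProperty -Path $fve -Name UseTPMKeyPIN       -Type DWord -Value 2

# 2. Sanity check: is there a usable TPM at all? If TpmPresent/TpmReady are
#    false, EnableBDEWithNoTPM above is what makes the startup-key path usable.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)  ready: $($tpm.TpmReady)"

# 3. Encrypt C: with a startup key written to E:\ (the wizard's "Insert a USB
#    flash drive" choice). BitLocker generates the key material itself and
#    writes a .BEK file to the stick. A recovery password is added as well so
#    that a lost or damaged stick does not lock the owner out.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 `
    -StartupKeyProtector -StartupKeyPath 'E:\' -SkipHardwareTest
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null

# 4. List the protectors now attached to the volume. The startup key appears as
#    an ExternalKey protector; KeyFileName is the .BEK file written to E:\.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object -ExpandProperty KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId, KeyFileName -AutoSize
```

The manage-bde equivalents are `manage-bde -on C: -StartupKey E:\` for the initial encryption and `manage-bde -protectors -add C: -StartupKey E:\` for adding a further startup-key protector to an already encrypted volume. One caveat worth keeping in mind with this configuration: without a TPM there is no measurement of the boot chain, so the .BEK file on the stick is the entire secret that unlocks the drive, and whoever holds the stick holds the volume.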
