Bitlocker with USB to TPM

  • Question

  • I have a 2008 R2 server with Bitlocker running using a USB drive as the startup key since the server does not have TPM installed. I now have the TPM installed but what I cannot figure out is whether I need to decrypt everything first then re-encrypt using the TPM or if there is a way to move to the TPM as it is now.

    Is there a way to move to the TPM as is or must I undo it all and start over?

     

    Thanks for any advice.


    Thursday, July 21, 2011 7:13 PM

Answers

  • You can add the TPM as an additional protector to the drive using the "manage-bde -protectors -add" command and select from the following options:

    -TPMAndPIN or -tp
     Adds a TPM And PIN protector for the OS volume.

    -TPMAndStartupKey or -tsk
     Adds a TPM And Startup Key protector for the OS volume.

    -TPMAndPINAndStartupKey or -tpsk
     Adds a TPM And PIN And Startup Key protector for the OS volume.

    -tpm
     Adds a TPM protector for the OS volume.

     

    After verifying the new protector works you can just remove the old one

    /Hasain

     

    Thursday, July 21, 2011 7:48 PM
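
The sequence described in the answer above (add the TPM protector, verify, then remove the old startup key), as an added example that is not part of the original thread. The script name and parameters are hypothetical; it assumes an elevated PowerShell prompt, an OS volume of C:, and a TPM that is already enabled and owned.

```powershell
# Move-BitLockerToTpm.ps1 (hypothetical name; added example, not from the thread)
# Phase 1: run with no -OldKeyId to add the TPM protector alongside the USB key.
# Phase 2: after a successful TPM-only boot, rerun with -OldKeyId to drop the USB key.
param(
    [string]$Volume = 'C:',   # assumed OS volume
    [string]$OldKeyId         # ID of the old External Key protector, braces included
)

function Invoke-ManageBde([string[]]$Arguments) {
    # Run manage-bde and stop the script on any non-zero exit code.
    & manage-bde.exe $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed (exit code $LASTEXITCODE)"
    }
}

if (-not $OldKeyId) {
    # Confirm the volume is fully encrypted and protection is on before changing anything.
    Invoke-ManageBde @('-status', $Volume)

    # List current protectors. Note the ID of the External Key that is the USB
    # startup key, and check that a recovery protector is listed as well.
    Invoke-ManageBde @('-protectors', '-get', $Volume)

    # Add the TPM as an additional protector; the volume is not decrypted.
    Invoke-ManageBde @('-protectors', '-add', $Volume, '-tpm')

    # Both the TPM and the External Key protector should now be listed.
    Invoke-ManageBde @('-protectors', '-get', $Volume)

    Write-Host 'Unplug the USB startup key, reboot, and confirm the server starts on the TPM alone.'
    Write-Host 'Then rerun this script with -OldKeyId set to the ID noted above.'
}
else {
    # Delete by ID rather than by type: a recovery key saved to a file is also
    # an External Key protector and would be removed by a type-wide delete.
    Invoke-ManageBde @('-protectors', '-delete', $Volume, '-id', $OldKeyId)

    # Final check: TPM present, old startup key gone, recovery protector intact.
    Invoke-ManageBde @('-protectors', '-get', $Volume)
}
```

Quote the protector ID when passing it, for example `-OldKeyId '{ID-FROM-GET-OUTPUT}'` (placeholder), because PowerShell otherwise parses the braces as a script block.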

All replies

  • Thank you very much Hasain. That worked perfectly.
    Thursday, July 21, 2011 10:27 PM