How to allow BitLocker without a compatible TPM chip on Windows
BitLocker is an encryption tool included in Windows that you can use to secure your data on any drive. Although by default, BitLocker requires the presence of a TPM chip in your computer to be able to encrypt the system drive, you can still use it without one. However, for that, you need to explicitly set Windows to allow BitLocker without TPM. In this article, we’ll explain to you what TPM is, why BitLocker requires TPM, and also how to bypass this requirement. So, if you want to use BitLocker without TPM, read on:
NOTE: This guide applies to Windows 11 and Windows 10. However, note that BitLocker is a feature present only in the Pro and higher editions of Windows. If you have a Home edition of Windows, you can’t use it. If you need help identifying your Windows edition, read this tutorial: How to tell what Windows I have (11 ways).
Why does BitLocker require TPM & What’s TPM?
To understand why BitLocker requires a TPM chip to function as intended, but also how you can bypass this requirement, you must first know what BitLocker is. The answer is relatively simple: BitLocker is an encryption feature found in the Windows operating system that allows you to encrypt entire drives (partitions or volumes, if you prefer). By default, it uses an encryption algorithm called AES and requires the presence of a TPM chip on your computer’s motherboard.
The next question we need to answer is “What’s TPM?”. TPM (or Trusted Platform Module) is a chip that can generate secure and unique cryptographic keys. These keys are encrypted too, and they’re stored on the chip itself. Furthermore, the cipher keys can be decrypted only by the chip that generated them in the first place.
Trusted Platform Module installed on a motherboard
So why does BitLocker need TPM? When you encrypt a system drive in Windows using BitLocker, it uses the TPM chip on your PC to create and save the encryption keys. Your PC then uses those keys to authenticate and allow you access to the encrypted drives. If the original TPM chip used to generate the keys is not found on your PC, the encrypted drives are not accessible. In simpler words, once you encrypt a system drive with BitLocker and a TPM chip, nobody can take your encrypted drive, put it in another computer, and access the data stored on it.
Most computers and laptops sold these days have built-in TPM chips, as Windows 11 requires their presence. Even if your Windows PC or laptop doesn’t have a TPM chip, you can buy one separately from electronics stores. But, if your computer’s motherboard doesn’t support a TPM chip and you can’t mount one, there’s still a last resort option: use BitLocker without TPM. Although it’s less secure than using BitLocker with TPM, it’s undoubtedly cheaper and still better than no encryption at all. Here’s how:
What happens if you try using BitLocker without TPM (hint: BitLocker TPM error)
If you try to enable BitLocker on a system drive from a PC without a TPM chip, you’ll get an error: “This device can’t use a Trusted Platform Module.”
This device can’t use a Trusted Platform Module
But, it also points you in the right direction afterward: “Your administrator must set the ‘Allow BitLocker without a compatible TPM’ option in the ‘Require additional authentication at startup’ policy for OS volumes.” That’s what we’re going to show you how to do in the next chapter of this tutorial: use the Local Group Policy Editor to turn on the policy that allows the use of BitLocker without TPM.
How to use BitLocker without TPM
You can use BitLocker to encrypt your system drive even without a TPM chip. However, for this to work, you need to edit a Windows policy using the Local Group Policy Editor tool. One of the fastest ways to open it is to search for gpedit and click or tap on the “Edit group policy” result.
Search for Local Group Policy Editor in Windows 11
In the Local Group Policy Editor, open the Computer Configuration folder on the left and navigate to “Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.”
Navigating through the Local Group Policy Editor
Next, in the right panel, search for the setting named “Require additional authentication at startup.” Open it with a double-click or double-tap on its name.
Open Require additional authentication at startup in Local Group Policy Editor
This opens a new window showing the properties of the policy. In it, set the policy’s state to Enabled and turn on the setting called “Allow BitLocker without a compatible TPM.” Then, press OK to save your changes.
Set Allow BitLocker without a compatible TPM
Close the Local Group Policy Editor, and you can start using BitLocker without TPM for encrypting your system drive. From now on, you’ll no longer get the BitLocker error saying that “This device can’t use a Trusted Platform Module.”
NOTE: Later on, if you want to set things back to the way they were, follow the same steps and set “Require additional authentication at startup” to Not Configured.
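The same policy change, plus the BitLocker enablement that follows it, scripted for an elevated PowerShell session. This is an added example, not part of the original article; it assumes that the registry values under the FVE policy key are the ones the “Require additional authentication at startup” policy writes (with 2 meaning “Allow” for the TPM dropdowns) and that the operating system volume is C:.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Assumption: these FVE values are
# what the "Require additional authentication at startup" policy writes in gpedit.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. Check for a usable TPM first; if one is present and ready, the policy change
#    below is unnecessary and BitLocker should be left to use the TPM.
$tpm = Get-Tpm
if ($tpm.TpmPresent -and $tpm.TpmReady) {
    Write-Host 'A ready TPM is present; BitLocker can use it directly.'
}

# 2. Equivalent of setting the policy to Enabled and ticking
#    "Allow BitLocker without a compatible TPM".
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Type DWord -Value 1
# The policy's four dropdowns default to "Allow" (2); written here for fidelity.
foreach ($n in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
    Set-ItemProperty -Path $fve -Name $n -Type DWord -Value 2
}

# 3. Without a TPM, the pre-boot password is the only protector of the volume
#    master key, so its strength is the whole security margin.
$pw = Read-Host -AsSecureString 'Pre-boot BitLocker password'
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 `
    -PasswordProtector -Password $pw -SkipHardwareTest

# 4. Add a recovery password and store it off the machine before the first reboot.
$vol = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword

# 5. Verify the volume state and the protectors attached to it.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object VolumeStatus, ProtectionStatus, EncryptionPercentage, KeyProtector

# To undo the policy later (the equivalent of "Not Configured"):
# Remove-ItemProperty -Path $fve -Name UseAdvancedStartup, EnableBDEWithNoTPM,
#     UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN
```

On a domain-joined machine, a Group Policy Object applied from the domain will overwrite these local values at the next policy refresh, so the setting belongs in the GPO rather than in the local registry.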
Did you manage to allow BitLocker without a compatible TPM?
As you can see from this tutorial, it’s not hard to set BitLocker and Windows to allow you to encrypt the system drive even without a TPM chip. If you follow the steps we described, you should have no trouble at all. Leave us a comment below with your experience allowing BitLocker without a compatible TPM.