Now that you have increased the security of your machine by enabling BitLocker with a TPM, Start-Up Key and PIN using strong AES 256-bit encryption, let's give some thought to increasing the security of the key material.

Your start-up and recovery keys are plain text files containing the key material. The recovery key should never be kept with the machine, as it bypasses the PIN requirement. Your Start-Up Key is slightly less sensitive, as an attacker will still need your PIN to access the machine. If an attacker has access to your start-up key, either because it is left lying around or because it is just a stick that is used for other things and has been copied while performing another action, your security is reduced. The attacker then only needs to shoulder surf to see your password or obtain it through a key logger, and you lose.


If you have enabled FIPS 140 compliance you will not have been able to print out a recovery key, so the recovery key will be stored on a USB stick.


A good option would be to save your BitLocker Start-Up and Recovery Keys to encrypted USB sticks. However, most encrypted USB sticks will not work with Pre-Boot Authentication, as they must be unlocked from within Windows using an application that auto-runs when you insert the stick.


An encrypted USB stick from iStorage is different. The datAshur sticks have a small number pad integrated into the device; to unlock and access the data you enter a PIN between 7 and 14 digits long. Once the PIN has been entered the device can be inserted into your computer and it will be read without the need for an Auto-Run application.


The best way to do this is to purchase two drives and use one for the Start-Up Key and a separate stick for the Recovery Key. To use a stick to boot BitLocker you can either store the key on it directly from the wizard when you set up BitLocker, or move the key files over to it later. To boot using the iStorage datAshur as a start-up key or recovery key, enter your PIN on the drive and insert it into the computer immediately before you switch the PC or laptop on.
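Once the keys are on their sticks it is worth checking that the machine's protector set actually matches this configuration. The following PowerShell audit script is an added example, not part of the original post or of any iStorage or Microsoft tooling; it assumes an elevated session with the built-in BitLocker module, and the drive letters E: and F: are placeholders for the Start-Up Key and Recovery Key sticks.

```powershell
# Added example: audit the OS volume's BitLocker configuration against the
# TPM + PIN + Start-Up Key setup described above, and look for key files that
# have been left on the machine's own fixed disks (which would bypass the PIN).
# Requires an elevated PowerShell session and the BitLocker module.
$OsVolume         = $env:SystemDrive   # normally "C:"
$StartupKeyDrive  = "E:\"              # placeholder: datAshur stick holding the Start-Up Key
$RecoveryKeyDrive = "F:\"              # placeholder: datAshur stick holding the Recovery Key

$vol   = Get-BitLockerVolume -MountPoint $OsVolume
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

"Volume {0}: status={1}, method={2}" -f $vol.MountPoint, $vol.VolumeStatus, $vol.EncryptionMethod
"Key protectors: {0}" -f ($types -join ", ")

# Check 1: the cipher should be the AES 256-bit option chosen when BitLocker was enabled.
if ("$($vol.EncryptionMethod)" -notmatch "Aes256") {
    Write-Warning "Encryption method is not AES 256-bit."
}

# Check 2: a TPM-only protector would let the disk unlock without PIN or Start-Up Key.
if ($types -contains "Tpm") {
    Write-Warning "A TPM-only protector is present; the PIN and Start-Up Key add nothing while it exists."
}

# Check 3: the protector we want is the combined TPM + PIN + Start-Up Key.
if ($types -notcontains "TpmPinStartupKey") {
    Write-Warning "No TPM+PIN+StartupKey protector found. Add one (with the Start-Up Key stick unlocked and inserted) using:"
    Write-Warning "  Add-BitLockerKeyProtector -MountPoint $OsVolume -TpmAndPinAndStartupKeyProtector -StartupKeyPath $StartupKeyDrive"
}

# Check 4: no .BEK key files should live on fixed (internal) disks. The wizard writes
# them as hidden system files, hence -Force. Scanning whole disks can take a while.
$fixed = Get-Volume | Where-Object { $_.DriveType -eq "Fixed" -and $_.DriveLetter }
foreach ($disk in $fixed) {
    $root = "{0}:\" -f $disk.DriveLetter
    $leak = Get-ChildItem -Path $root -Filter "*.BEK" -Recurse -Force -ErrorAction SilentlyContinue
    if ($leak) {
        Write-Warning ("Key file(s) found on fixed disk " + $root + ": " + ($leak.FullName -join "; "))
    }
}

# Check 5: the Recovery Key stick should only be present while the key is being copied to it.
if (Test-Path $RecoveryKeyDrive) {
    "Recovery Key stick is mounted at $RecoveryKeyDrive; unplug it once the key has been copied."
}
```

A clean result is a single `TpmPinStartupKey` protector (plus whatever recovery protector you chose), no `Tpm` entry, and no `.BEK` files on the internal disks.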


This is an interesting way to add another layer of protection to BitLocker and to stop your Start-Up and Recovery Keys from falling into the wrong hands.