Did you know you can use just about any USB drive as a "startup key" on Windows 11? When you enable BitLocker on newer PCs, Windows uses the Trusted Platform Module (TPM) to unlock your system drive automatically every time you start up your computer.
Adding an extra level of security with the convenience of a USB startup key on a BitLocker-enabled PC is indispensable. It effectively adds two-factor authentication to BitLocker encryption. Now, your PC won't even start unless the USB startup key is inserted so that your drive can be decrypted and Windows can load.
It is important to point out the difference between a USB startup key and a USB security key. A USB security key, like the YubiKey 5 Series from Yubico, offers FIDO2 (Fast Online Identification) authentication, which is also offered by Microsoft's Windows Hello.
A USB startup key prevents a PC from booting into Windows on a BitLocker-enabled drive unless the startup key is present. It's not quite the same level of protection, but still more secure than just a password, for example.
In this guide, we will show you how to create one from scratch on Windows 11.
Create your own USB startup key
BitLocker is a built-in full disk encryption tool available on Windows 11 that was first introduced in Windows 7. You can create a USB startup key using BitLocker on Windows 11.
However, it's important to note that this BitLocker method will only work for Windows 11 Professional and Windows 11 Enterprise versions. Windows Home does not come with BitLocker; it uses a different security feature called Device Encryption.
Here's how to use BitLocker on Windows 11 Pro to create a USB startup key from scratch.
1. Open File Explorer, right-click your PC's system drive (where Windows is installed) and click Turn on BitLocker. In my case, it's the C: drive.
2. Once the BitLocker process completes, open Local Group Policy Editor. Go to the following path: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
3. Find Require additional authentication at startup and double-click it to configure it.
4. A new window will open, allowing you to configure the settings. Change the toggle to Enabled and choose Require startup key with TPM from the dropdown menu under Configure TPM startup key. Click Apply to apply your changes and click OK to close the window when finished. Close Local Group Policy Editor.
5. The final step is to open and run Command Prompt as an administrator. Copy and paste the following command and press Enter to run it:
manage-bde -protectors -add C: -TPMAndStartupKey E:
manage-bde -protectors manages the protection methods used for the BitLocker encryption key, and the command will add E: (my USB drive designation) as a startup key for C: (my system drive designation). Be sure that you indicate the correct drive letters for your system and USB drives.
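To confirm the result before you rely on it, the following read-only PowerShell checks (an added example, not part of the original guide) report whether the policy, the TPM-and-startup-key protector, a recovery password and the key file on the USB drive are in place. It assumes the guide's drive letters, that the local policy is stored under HKLM:\SOFTWARE\Policies\Microsoft\FVE, and that the startup key protector's type name contains "StartupKey".

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide): read-only post-checks for the
# TPM + startup key setup. Drive letters follow the guide (C: system, E: USB).
param([string]$SystemDrive = 'C:', [string]$UsbDrive = 'E:')

$vol   = Get-BitLockerVolume -MountPoint $SystemDrive
$types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

# Values written by the "Require additional authentication at startup" policy.
# Assumption: local policy lands under this key and 1 means "Require".
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

# The startup key is saved on the USB drive as a hidden .BEK file, hence -Force.
$bek = @(Get-ChildItem -Path "$UsbDrive\" -Filter '*.BEK' -Force -ErrorAction SilentlyContinue)

$checks = [ordered]@{
    'Protection is on'                = $vol.ProtectionStatus -eq 'On'
    'Volume fully encrypted'          = $vol.VolumeStatus -eq 'FullyEncrypted'
    'Policy requires TPM startup key' = ($fve.UseAdvancedStartup -eq 1) -and ($fve.UseTPMKey -eq 1)
    # Assumption: the protector type name contains "StartupKey" (matched loosely).
    'TPM + startup key protector'     = [bool]($types -like '*StartupKey*')
    # A leftover TPM-only protector would let the drive unlock without the USB key.
    'No TPM-only protector left'      = $types -notcontains 'Tpm'
    'Recovery password protector'     = $types -contains 'RecoveryPassword'
    'Startup key file on USB'         = $bek.Count -gt 0
}

# Print one row per check so anything marked CHECK can be reviewed by hand.
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Result = if ($_.Value) { 'OK' } else { 'CHECK' } }
} | Format-Table -AutoSize

if (-not $checks['Recovery password protector']) {
    Write-Warning "No recovery password protector found on $SystemDrive. Confirm another recovery method exists before relying on the USB key."
}
```

Run it from an elevated PowerShell window with the USB drive inserted; a row marked CHECK is a prompt to inspect that item, not proof of a fault.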
That's it, you are finished! Now your PC will not start up unless you have the USB inserted. Try it out for yourself! If someone attempts to start up your PC without the USB startup key inserted, they will see this screen.
If creating your own USB startup key seems too complicated, there are several third-party applications that can act as a way to lock your PC with just about any USB drive on Windows 11. Here's a look at just a few.
1. USB Raptor
USB Raptor is a free program that, once downloaded and installed, can turn any USB flash drive into a startup key to lock and unlock your PC at will. As long as USB Raptor is running on your PC, no one will be able to use your PC without your USB startup key.
When your PC is locked with USB Raptor, a brown screensaver appears with the time and valid ways to unlock your PC, by using a typed password, USB startup key, or network unlock. One downside to this free app is that USB Raptor has to be running and enabled on your PC to function correctly.
2. Predator
Predator is another popular and low-cost option for using a USB drive to lock and unlock your PC when you aren't using it. As soon as you use Predator to create your own USB startup key, no one can use your PC; anyone who tries will be met with an "Access Denied" error message and be unable to access your device.
3. Rohos Logon Key
Rohos Logon Key is a USB key maker that uses two-factor authentication to unlock both Windows 11 and macOS. Although Rohos Logon Key is technically considered "freeware," you will need to pay up to $59.00 for a license, if you want to use the "free" version past its 15-day trial period.
Do you use a USB startup key to lock your PC at boot? Tell us why or why not in the comments!