
Background

By default, Microsoft BitLocker does not allow the user to enable full disk encryption (FDE) of the system disk, unless the PC has a compatible TPM.

However, if the "Allow BitLocker without a compatible TPM" option is turned on (under Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives -> Require additional authentication at startup), then the BitLocker wizard will permit FDE of the system disk. If this is done, then one of the wizard's dialogue boxes, headed "Choose how to unlock your drive at startup", will require the user to choose between two alternative authentication mechanisms:

  • Insert a USB flash drive;
  • Enter a password.

If the user picks "Insert a USB flash drive", then typically the wizard will generate a "startup key" and will ask for a USB flash drive on which to write it.

(The idea is that when wanting to boot the PC in the future, the user will first insert that USB flash drive into the PC and then switch on the PC. The Windows bootloader will then read the startup key from the flash drive in order to decrypt the system disk before booting Windows. I know people who do this in practice, and it works well. For more background, see e.g. this and this.)

My question

When encrypting a drive with BitLocker, so as to require a startup key, can the user specify her own custom startup key (e.g. if she has previously generated one with the wizard and wants to use it on additional PCs), or must she accept the key generated by the BitLocker wizard?

Alternatively, if she must accept the key created by the BitLocker wizard (at least while the wizard is running) then as a workaround, can she later replace this with her preferred startup key? Via the BitLocker Manage Keys interface, perhaps?

2 Answers


You cannot make your own startup key or import startup keys, BUT:

When encrypting a drive with BitLocker, so as to require a startup key, can the user specify her own custom startup key (e.g. if she has previously generated one with the wizard and wants to use it on additional PCs), or must she accept the key generated by the BitLocker wizard?

In this example, if she is wishing to use the same startup key on multiple computers, it cannot be done. But, she CAN have the startup keys from different computers on the same USB. I do want to add that you may think that manage-bde -add could be used to "add" your own startup key as a protector, but it just creates a new startup key and adds it as a protector.
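As an added illustration of the point made in this answer (this is example code written for this page, not something posted by the answerer or shipped by Microsoft), the following PowerShell session enumerates the key protectors on the OS volume and then adds a startup-key protector. The drive letters `C:` (OS volume) and `E:\` (USB flash drive) are assumptions; the cmdlets and `manage-bde` switches are the standard ones in the BitLocker module. Note that both the `Add-BitLockerKeyProtector -StartupKeyPath` parameter and `manage-bde -protectors -add ... -StartupKey` take only a destination folder for the generated `.BEK` file, not caller-supplied key material, which is consistent with the answer above. The registry check at the start reflects the policy value the "Allow BitLocker without a compatible TPM" setting writes; treat that mapping as an assumption for verification on your own system.

```powershell
# Added example for this page; not from the original question or answers.
# Run from an elevated PowerShell session on the machine being configured.

$osVolume = "C:"    # assumption: the OS volume
$usbPath  = "E:\"   # assumption: the removable drive that will hold the .BEK file

# 1. Confirm the "Allow BitLocker without a compatible TPM" policy is in effect.
#    Assumption: the policy writes EnableBDEWithNoTPM under the FVE policy key.
$fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
$noTpm = (Get-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -ErrorAction SilentlyContinue).EnableBDEWithNoTPM
if ($noTpm -ne 1) {
    Write-Warning "Policy 'Allow BitLocker without a compatible TPM' does not appear to be enabled."
}

# 2. List the protectors currently on the OS volume. A TPM-less system
#    disk is unlocked by an ExternalKey (startup key) or Password protector.
Get-BitLockerVolume -MountPoint $osVolume |
    Select-Object -ExpandProperty KeyProtector |
    Format-Table KeyProtectorId, KeyProtectorType

# 3. Add a startup-key protector. BitLocker generates the key itself and
#    writes a .BEK file to $usbPath; there is no parameter for supplying
#    your own key bytes, so the same key cannot be reused across PCs.
Add-BitLockerKeyProtector -MountPoint $osVolume -StartupKeyProtector -StartupKeyPath $usbPath

# Equivalent manage-bde form of step 3 (same behaviour: a new key is generated).
manage-bde -protectors -add $osVolume -StartupKey $usbPath

# 4. Re-list to see the new ExternalKey protector. Several PCs can each add
#    their own protector whose .BEK file lives on this one USB drive, which
#    is the workable arrangement the answer describes.
Get-BitLockerVolume -MountPoint $osVolume |
    Select-Object -ExpandProperty KeyProtector |
    Format-Table KeyProtectorId, KeyProtectorType
```

Each `.BEK` file written to the USB drive corresponds to one protector on one volume, so keeping the files from several machines on the same drive is what lets a single flash drive unlock all of them.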


To answer your question:

When encrypting a drive with BitLocker, so as to require a startup key, can the user specify her own custom startup key (e.g. if she has previously generated one with the wizard and wants to use it on additional PCs), or must she accept the key generated by the BitLocker wizard?

The answer is that we have to accept the key generated by BitLocker.

Alternatively, if she must accept the key created by the BitLocker wizard (at least while the wizard is running) then as a workaround, can she later replace this with her preferred startup key? Via the BitLocker Manage Keys interface, perhaps?

The answer is that we cannot do this.

  • Thanks. I fear you may be correct. At least, I haven't found any documented way to achieve either the desired outcome or the workaround. But nor have I yet found any documentation that confirms your answer. If you know of any, please can you link to it from your answer? Thanks :)
    – user11574
    Commented Mar 16, 2018 at 5:02
