How to Make a Secure USB Unlock Key

If you haven't heard, not too long ago Google introduced an advanced security program for high-profile targets. The system works with physical USB and NFC keys that unlock your Google account. It's the ultimate in two-factor authentication and we can recommend it if you're a hardcore Google cloud user.

The thing is, while you can also use the same sophisticated security keys Google is employing with services such as Windows Hello, the cheapest examples cost more than $20. You can get a regular old low-capacity flash drive for a buck or two these days. More importantly, you probably already have a bunch of the things lying around.

That got me thinking. Was there some way to create a secure physical key that will work for your entire computer, but doesn't have to be an expensive specialized key?

Doing it the DIY Way

There's plenty of software out there that will let you use a USB drive as a security key. If the key is not present you can't use the computer.

Of course, one downside of this is that you have to sacrifice a USB port permanently. This is especially painful on a laptop that might not have that many to begin with. Still, it's a worthy offering to the gods of data security. Even better it turns out to be quite easy.

Using Windows BitLocker

Just about every modern computer has something called a trusted protection module. It's a dedicated cryptoprocessor that decrypts the contents of your drive.

Interestingly, you can actually use a USB drive set up with the cryptographic key to unlock that machine instead. Which means if your laptop falls into the wrong hands there's no way to unlock it without the key drive.

The first step in this process is to enable BitLocker on your computer. Home versions of Windows don't have BitLocker unfortunately. Only Pro and Enterprise users need to apply. Here's how to turn BitLocker on:

• Open-File Explorer
• Go to "My PC"
• Right-click on your system drive
• Click "Turn BitLocker On"

BitLocker will now ask you how you would like to unlock the drive. Choose whichever main unlock method you like. Whether pin, password or something else.

Enabling the BitLocker Key

Once you've completed the process of enabling BitLocker on your system drive we can go ahead and create the USB Key.

• Start the Group Policy Editor by hitting Windows+R and then typing "gpedit.msc". Hit enter and the editor should open.
• Now navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
• There's an entry labeled " Require Additional Authentication at startup”.
• Double click the entry and a window pops up. Change the setting to "enabled"

There's a drop-down menu labeled "Configure TPM Startup". Change this to "Require Startup Key With TPM".

OK, this is the final stretch. Now we are going to use the command prompt. You have to launch it with administrator privileges. Do do this:

• Open the start menu
• Type "cmd"
• Right click on the command prompt app
• Select "Run as administrator"

Now type this:

manage-bde -protectors -add c: -TPMAndStartupKey e:

This is assuming that "c" is your system drive and "e" is the letter assigned to your currently-inserted flash drive.

From now on you'll be asked to insert the key when you start up the computer. You can make a backup copy the ".bek" file in the root of the drive in case you lose it. The file is hidden, so you need to enable the viewing of hidden files to more easily make a copy. Just remember that anyone else who gets the drive can make a copy too. So take care of it!

Using Third-Party Apps

BitLocker is a great solution because it is so well-integrated with the OS, but if you don't have it or don't like it you can use one of many third-party solutions too. Let's look at a few good choices.

USB Raptor

Download USB Raptor from here. This is a neat little Open Source program that will lock or unlock your computer based on the presence of a specific USB drive file. It will work on just about all versions of Windows from XP onwards.

One thing I like about Raptor is the fact that you can link the key to the serial number of that specific drive. In that way, it's actually better than the BitLocker option. However, all this program does is lock or unlock your computer with a physical drive. It doesn't decrypt anything. Which means your PC is still vulnerable

It's simple to set up and pretty flexible, so if you want an easy medium-security fix for a workstation that other people can access, this is a good choice.

Predator

Before getting started, download Predator from here. Predator is not an Open Source utility, the Home Edition costs ten bucks at present. One neat feature is that it even works off SD cards, which is a good solution for laptops where users never use the SD slot for anything.

It will run on a wide range of 64-bit and 32-it Windows versions. Predator doesn't just lock your PC, it disables the screen, keyboard, and mouse. It also allows for advanced access control in the form of time limits and per-user permissions. There are a lot of features in the software, but one notable fact is that it automatically cycles the keys. So making a copy of your drive won't help anyone!

The Ultimate Lockdown

Physical access control keys for your computer make it much harder for someone to hack your PC. It is, however, a good idea to also set a BIOS password in case the hacker tries to restart your machine and load a live OS from a drive or disc.

Using key-based security takes care of intrusions from the front-end of your computer, but don't forget that you also need to take care of privacy threats that come over the network connection. A strong and reliable VPN is a key component of any computer security setup. We recommend ExpressVPN as the best all-round VPN for most users. Give it a try, you won't regret it!