No, a "USB-based Bitlocker encrypted drive"[1] is not as secure as encrypting a drive with a TPM, because:
Contrary to earlier (expired?) answers, Bitlocker without TPM does not work with multi-factors. So a start-up key on a USB and a Bitlocker password are two independent access 'keys' to the drive. You only need one to unlock the drive.
Such keys are called 'protectors'. For a system drive different protectors are available than for a data drive. An OS drive can have a start-up key. Since a data drive is not booted from, one can use a 'RecoveryKey' protector in that case. Both create a *.bek file which according to the following command...
manage-bde -protectors -add -help
... can be used interchangeably, because they are both 'External Keyfile' protectors. The command will list all possible protectors. (Passwords, SmartCards, Keyfiles, TPM, etc.)
Why is TPM more secure?
Because with a TPM you can add a protector that in itself is dependent on multiple 'secrets'. Possible options:
- TPMAndPIN
- TPMAndStartupKey
- TPMAndPINAndStartupKey
- TPM
The first 3 are in a way mimicking multi-factor behaviour, though the TPM part is bound to the machine and not mobile.
The USB-based experiences were based on a system without TPM. If a booting system sees no USB drive with startup key during startup, Bitlocker will ask you to enter the password, provided a 'Password-protector' exists. If it sees the startup-key, it will simply boot Windows. A USB-drive with LED will allow you to verify if the system is even reading the USB-drive; some USB-ports might not be active pre-boot unless you tweak some BIOS settings.
Conclusion
If you encrypt the drive with a -TPM only, it only protects the drive if the drive itself is moved to another machine. Anyone can boot the original machine, no additional secrets are required. This would be almost equivalent to the situation of having a USB-drive for non-TPM machines stuck into the USB-port.
If you use -TPMAndPIN you will need to enter a PIN during boot which will be more secure than having a non-TPM USB-drive variant, because the secret is something you know, not something you have; provided your PIN is not your birthday and long.
For the record, you cannot use a TPM for a data drive. But you can daisy-chain drives to the original TPM-protected OS drive.
It is recommended to add more than one protector in case you lose or forget the primary. A Numerical Password (-RecoveryPassword) could be saved in a safe location.
If you only have access to a non-TPM system: Configure a Yubikey with a long static password (25-30 chars). Use that password in addition to something you concatenate before or after the static password (5-10 chars) as a password protector for Bitlocker. This mimics multi-factor authentication, though for purists it is not real MFA.
[1] = from topic starter: drive encrypted with Bitlocker without TPM and with start-up key on USB-drive.
I used the word 'drive'; you may read this as 'partition' as Bitlocker is enabled per partition, not per drive.
https://docs.microsoft.com/nl-nl/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10
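As an added example (not part of the answer above), a PowerShell audit built on the BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector) that lists each volume's protectors, flags any single protector that unlocks with something you merely have (TPM-only, startup key, TPM+startup key), and applies the TPMAndPIN plus RecoveryPassword combination the conclusion recommends. The function names are my own; the cmdlets and protector type names are the real ones from the module.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker protectors per volume and remediate an OS volume.
# Needs the BitLocker PowerShell module (Windows 8 / Server 2012 and later).

# Protector types that unlock with possession alone: no PIN, no password.
$PossessionOnly = 'Tpm', 'ExternalKey', 'TpmStartupKey'

function Get-ProtectorRisk {
    # $Volume is an object returned by Get-BitLockerVolume.
    param([Parameter(Mandatory)] $Volume)
    $types = @($Volume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        MountPoint  = $Volume.MountPoint
        Protection  = $Volume.ProtectionStatus
        Protectors  = ($types -join ', ')
        HasRecovery = ($types -contains 'RecoveryPassword')
        # Only one protector is needed to unlock, so a single possession-only
        # protector is enough to make the volume bootable without any secret.
        UnlocksWithoutSecret = [bool]($types | Where-Object { $_ -in $PossessionOnly })
    }
}

function Set-TpmPinProtection {
    # Replace possession-only protectors on an OS volume with TPM+PIN and keep a
    # recovery password as the fallback protector. Assumes group policy permits a
    # startup PIN ("Require additional authentication at startup").
    param([string]$MountPoint = 'C:', [Parameter(Mandatory)][securestring]$Pin)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    foreach ($p in $vol.KeyProtector) {
        if ($p.KeyProtectorType.ToString() -in $PossessionOnly) {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
    }
    Get-ProtectorRisk (Get-BitLockerVolume -MountPoint $MountPoint)
}

# Report every volume; remediation is a separate, deliberate call, e.g.:
#   Set-TpmPinProtection -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'New startup PIN')
Get-BitLockerVolume | ForEach-Object { Get-ProtectorRisk $_ } | Format-Table -AutoSize
```

Back up the recovery password (Get-BitLockerVolume shows it under KeyProtector) before removing the old protectors, since the TPM+PIN protector is bound to this machine only.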
But then FBI can get my private key on the USB? – user4951 – 2014-09-11T12:48:29.583
Can anyone confirm this? – user4951 – 2014-09-11T12:48:57.780
Yes they can get your private key, so in one sense it's not as secure as TPM, but in another sense without the password it's just as secure... – CharlesH – 2014-09-11T12:50:16.013
And once they got my private key, FBI can decrypt the drive with it right? – user4951 – 2014-09-11T12:57:29.280
Even though FBI doesn't know the password? – user4951 – 2014-09-11T12:57:52.263
No, as the password needs to be used in conjunction with the private key to decrypt the drive – Fegnoid – 2014-09-11T12:58:56.377
Can anyone verify this? Do you have a source? – user4951 – 2014-09-11T16:17:56.243
Can anyone verify this? I just bitlocked my operating system. However, nowhere is it stated that I need a password. The key is on the USB and there is no password. – user4951 – 2014-09-12T05:04:14.647
There is no password involved if you bitlock your operating system partition!!!!! – user4951 – 2014-09-12T05:19:34.100
Hmm, it asked me for a password - but I have a TPM module on my laptop - and when I did it to my desktop (just now) that doesn't have one it also asked for a password – Fegnoid – 2014-09-12T07:43:23.663