I'm trying to use my YubiKey NEO's PIV smart card capabilities to unlock BitLocker drives in Windows 10. The main problem seems to be that all of the information on the internet for this is intended for Windows 7. I've tried following a few different guides, but the outcome is the same: when I try to add a smart card as an unlock method, I get a popup telling me that "A certificate suitable for bitlocker can't be found on your smart card."
I tried using Microsoft's instructions on "Creating a self-signed certificate for use with BitLocker", available here. I think the main issue is that I can't edit the registry to enable self-signed certificates, since HKLM\Software\Policies\Microsoft\FVE does not exist in Windows 10. I also tried the instructions under "Sharing an EFS certificate with BitLocker" on the same page, but it led to the same error. In either case there was no issue in actually loading the certificate onto the YubiKey (thank you for the GUI tool!).
Does this registry entry have an equivalent in Windows 10? It seems to be the bit that I'm missing.
The certificate request file I'm using is:
Code:
[NewRequest]
; Subject name of the self-signed BitLocker certificate
Subject = "CN=BitLocker"
KeyLength = 2048
HashAlgorithm = Sha256
; Exportable so the key pair can be moved into the YubiKey PIV slot
Exportable = TRUE
; BitLocker wants a key-exchange (encryption) key, not a signing key
KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
; RequestType = Cert writes a self-signed certificate straight to the store (no CA request)
RequestType = Cert
SMIME = FALSE
ValidityPeriodUnits = 99
ValidityPeriod = Years
[EnhancedKeyUsageExtension]
; BitLocker Drive Encryption EKU
OID=1.3.6.1.4.1.311.67.1.1
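Added example (PowerShell, not part of the post above): it creates the missing FVE policy key, generates the certificate from the request file, and checks the result for the EKU and key usage BitLocker requires rather than relying on the popup. The value name SelfSignedCertificates comes from Microsoft's BitLocker self-signed certificate guidance, and the file name bitlocker.inf is assumed.

```powershell
# Run from an elevated PowerShell prompt.
# Assumption: the request file above is saved as .\bitlocker.inf.
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# The Policies\...\FVE key is normally written by Group Policy, so it is absent on a
# standalone machine and can be created by hand. Caveat: if a domain GPO manages
# BitLocker settings, a policy refresh will overwrite the values it controls.
if (-not (Test-Path $fveKey)) {
    New-Item -Path $fveKey -Force | Out-Null
}
# Value name/data per Microsoft's guidance for self-signed BitLocker certificates.
New-ItemProperty -Path $fveKey -Name 'SelfSignedCertificates' -Value 1 `
    -PropertyType DWord -Force | Out-Null

# Create the self-signed certificate in the current user's personal store.
certreq -new .\bitlocker.inf .\bitlocker.cer | Out-Null

# BitLocker accepts only a certificate that carries the BitLocker Drive Encryption EKU
# and a key-encipherment key usage; verify both explicitly.
$bitLockerEku = '1.3.6.1.4.1.311.67.1.1'

function Test-BitLockerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $hasEku = $eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $bitLockerEku)
    $hasKu = $ku -and ($ku.KeyUsages -band
        [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)
    return [bool]($hasEku -and $hasKu)
}

# List every certificate in the store that satisfies both checks; this is the one to
# import into the YubiKey PIV slot and then offer to BitLocker.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { Test-BitLockerCertificate $_ } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```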