Yubico Forum

All times are UTC + 1 hour

PostPosted: Sun May 29, 2016 12:41 am 
Joined: Sun May 29, 2016 12:30 am
Posts: 2
I'm trying to use my Yubikey NEO's PIV Smartcard capabilities to unlock Bitlocker drives in Windows 10. The main problem seems to be that all of the information on the internet for this is intended for Windows 7. I've tried following a few different guides but the outcome is the same: When I try to add a smart card as an unlock method, I get a popup telling me that "A certificate suitable for bitlocker can't be found on your smart card."

I tried using Microsoft's instructions on "Creating a self-signed certificate for use with Bitlocker", available here. I think the main issue is that I can't edit the registry to enable self-signed certificates, since HKLM\Software\Policies\Microsoft\FVE does not exist in Windows 10. I also tried the instructions under "Sharing an EFS certificate with BitLocker" on the same page, but it led to the same error. In either case there was no issue in actually loading the certificate onto the Yubikey (thank you for the GUI tool!)

Does this registry entry have an equivalent in Windows 10? It seems to be the bit that I'm missing.

The certificate request file I'm using is:
Code:
[NewRequest]
Subject = "CN=BitLocker"
KeyLength = 2048
HashAlgorithm = Sha256
Exportable = TRUE
KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequestType = Cert
SMIME = FALSE
ValidityPeriodUnits = 99
ValidityPeriod = Years

[EnhancedKeyUsageExtension]
OID=1.3.6.1.4.1.311.67.1.1


Last edited by PleasingSpringbok on Tue May 31, 2016 10:04 am, edited 1 time in total.

PostPosted: Tue May 31, 2016 10:04 am 
Joined: Sun May 29, 2016 12:30 am
Posts: 2
I'm a little embarrassed to say this, but the solution was to just create the key and add the entry anyway. It really is that simple. Thanks to the people over at the TechNet forums for their help.


PostPosted: Sun Jun 12, 2016 10:27 pm 
Joined: Sat Jun 11, 2016 11:40 am
Posts: 1
PleasingSpringbok wrote:
I'm a little embarrassed to say this, but the solution was to just create the key and add the entry anyway. It really is that simple. Thanks to the people over at the TechNet forums for their help.

Could anyone point me in the right direction here..?
I am completely lost :oops:


PostPosted: Fri Jul 08, 2016 12:25 am 
Joined: Thu Feb 25, 2016 9:19 pm
Posts: 5
The key to be 'just create[d]' is the HKLM\Software\Policies\Microsoft\FVE registry key. The link provided originally has the full set of instructions but says to make an adjustment to a registry key. In this case the key does not exist and must be created and set as in the instructions. Always be careful playing around in the registry; it can be a real pain to recover from mistakes there!


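The registry step described in the posts above, as an added PowerShell example that is not part of any post in this thread. The thread never names the entry; the value name SelfSignedCertificates (DWORD 1) is an assumption taken from Microsoft's BitLocker smart card instructions, and the EKU OID is the one in the request file from the first post.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread.
# Assumption: the value name SelfSignedCertificates (DWORD 1) comes from
# Microsoft's BitLocker smart card instructions; the thread does not state it.
$fvePath      = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$valueName    = 'SelfSignedCertificates'
$bitLockerEku = '1.3.6.1.4.1.311.67.1.1'   # OID from the request file in the first post

# With no BitLocker policy configured the FVE key is absent, so create it first.
if (-not (Test-Path -Path $fvePath)) {
    New-Item -Path $fvePath -Force | Out-Null
    Write-Host "Created $fvePath"
}

# Record the previous state so the change can be reverted later.
$previous = (Get-ItemProperty -Path $fvePath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $previous) {
    Write-Host "$valueName was not set"
} else {
    Write-Host "$valueName was $previous"
}

# Allow BitLocker to accept self-signed certificates.
New-ItemProperty -Path $fvePath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

# Read the value back and fail loudly if the write did not stick.
$current = (Get-ItemProperty -Path $fvePath -Name $valueName).$valueName
if ($current -ne 1) {
    throw "$valueName is '$current', expected 1"
}
Write-Host "$valueName = $current"

# Check the user's certificate store for certificates carrying the BitLocker EKU.
# An empty result here matches the "certificate suitable for bitlocker can't be
# found" symptom for store-resident certificates.
Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $bitLockerEku } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```

Values under HKLM\Software\Policies can be overwritten by Group Policy, so on a domain-joined machine the setting may need to be applied through policy instead.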
PostPosted: Wed Dec 14, 2016 5:15 am 
Joined: Wed Dec 14, 2016 4:54 am
Posts: 3
I tried following this process (self signing certificate) - but when I use the Microsoft TechNet instructions it says to insert the smart card (which of course you can't write to directly from Windows). I'm presuming you have to generate the certificate manually and then import it (using the Yubikey PIV manager tool). How do I create the certificate manually on the Windows 10 PC such that it works for Bitlocker?

