Hello,
This simple tutorial will guide you through the configuration of full disk encryption for Windows 8 pro with the Yubikey.
This tutorial may work for different version of Windows as well.
** Disclaimer **
BEFORE FOLLOWING THIS TUTORIAL YOU HAVE TO BACK UP ALL YOUR DATA FROM YOUR HARD DRIVE. YUBICO IS NOT RESPONSIBLE IN ANY WAY IF YOU MESS UP YOUR DRIVE AND LOSE ALL YOUR DATA!
** ** ** ** **
1) Configure the Yubikey with a strong password. Download the personalization tool here: http://www.yubico.com/wp-content/upload ... -3.1.9.exe
Always check http://www.yubico.com/products/services ... tools/use/ for the latest version
2) Run the personalization tool, and select on the top menu static-password
3) Select advanced
4) Have a look at the screenshot. If you do not know what to do here, please use these values. Press the GENERATE buttons as many times as you like.
5) Finally press the WRITE button at the bottom to configure your Yubikey.
Now we head over the Bit Locker configuration.
1) Turning on BitLocker in Windows 8 is simple and straightforward. Begin by opening the Charms Bar, clicking on the Search Charm, entering BitLocker in the search textbox, and then click Settings. Click BitLocker Drive Encryption in the results list and you’ll be whisked to the BitLocker Drive Encryption Control Panel Applet.
The BitLocker Drive Encryption Control Panel Applet shows the PC’s hard drives, including removable storage such as USB keys.
An alternative method is to open the "computer" windows in the windows explorer and right click on the hard drive you want to encrypt. Select enable bit locker then.
BitLocker will do a quick system check, and if all goes well it will ask how you wish to unlock the drive. Select a password option then you’ll be asked to enter and confirm the password, USE YOUR YUBIKEY NOW! Select the password field and emit the password that you generated before from your Yubikey. If you configured the password in slot 2, press the Yubikey for 3-5 seconds if it was slot 1 just touch briefly the Yubikey for half a second circa.
You will need to select a method to save your recovery keys in case you will lose your master password. I personally save it to a file in an encrypted Truecrypt container. You may prefer other options.
Now that the Recovery Key is backed up—you did back it up, right? Select how to encrypt the drive. You will have two options:
A) Used disk space only
B) Entire Drive
Disk space only is a much faster option which comes with Windows 8.
I use the full drive encryption, which is slow it will take some time depending on your drive size ( If you choose this setting be careful because it will mess up you GRUB if you have Linux installed, you will have to use the recovery from your Linux distribution - this is how to fix it on Ubuntu: https://help.ubuntu.com/community/Boot-Repair )
2) At this point you will have to restart your computer and you will be prompted with this screenshot:
3) Press your Yubikey for 3-5 seconds (if you configured the password in configuration slot 2 ) or just half a second if you configured the password in slot 1.
That's it! Your system will boot and your drive will be encrypted.
BIT LOCKER INSTALLATION VIDEO
http://www.youtube.com/embed/voWj542eEKQ
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
WHAT TO DO IF YOU HAVE THE “This device can’t use a Trusted Platform Module.” ERROR ?
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
If you will encounter this error:
1) run GPEdit.msc to edit Group Policy, navigate to the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives container and double-click the Require additional authentication at startup policy.
Check the box next to Allow BitLocker without a compatible TPM, then click OK.
To learn more about TPM and why you have this error go here: http://windows.microsoft.com/en-us/wind ... n-overview
Exit GPEdit.msc and either wait patiently until the next automatic Group Policy update, or run GPUpdate from a Command Prompt