Yubico Forum https://forum.yubico.com/ |
|
[Solved] Smartcard for Bitlocker in Windows 10 https://forum.yubico.com/viewtopic.php?f=26&t=2321 |
Page 1 of 1 |
Author: | PleasingSpringbok [ Sun May 29, 2016 12:41 am ] |
Post subject: | [Solved] Smartcard for Bitlocker in Windows 10 |
I'm trying to use my Yubikey NEO's PIV Smartcard capabilities to unlock Bitlocker drives in Windows 10. The main problem seems to be that all of the information on the internet for this is intended for Windows 7. I've tried following a few different guides but the outcome is the same: When I try to add a smart card as an unlock method, I get a popup telling me that "A certificate suitable for bitlocker can't be found on your smart card." I tried using Microsoft's instructions on "Creating a self-signed certificate for use with Bitlocker", available here. I think the main issue is that I can't edit the registry to enable self-signed certificates, since HKLM\Software\Policies\Microsoft\FVE does not exist in Windows 10. I also tried the instructions under "Sharing an EFS certificate with BitLocker" on the same page, but it lead to the same error. In either case there was no issue in actually loading the certificate onto the Yubikey (thank you for the GUI tool!) Does this registry entry have an equivalent in Windows 10? It seems to be the bit that I'm missing. The certificate request file I'm using is: Code: [NewRequest]
Subject = "CN=BitLocker" KeyLength = 2048 HashAlgorithm = Sha256 Exportable = TRUE KeySpec = "AT_KEYEXCHANGE" KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE" KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG" RequestType = Cert SMIME = FALSE ValidityPeriodUnits = 99 ValidityPeriod = Years [EnhancedKeyUsageExtension] OID=1.3.6.1.4.1.311.67.1.1 |
Author: | PleasingSpringbok [ Tue May 31, 2016 10:04 am ] |
Post subject: | Re: [Question] Smartcard for Bitlocker in Windows 10 |
I'm a little embarrassed to say this, but the solution was to just create the key and add the entry anyway. It really is that simple. Thanks to the people over at the TechNet forums for their help. |
Author: | werto [ Sun Jun 12, 2016 10:27 pm ] |
Post subject: | Re: [Question] Smartcard for Bitlocker in Windows 10 |
PleasingSpringbok wrote: I'm a little embarrassed to say this, but the solution was to just create the key and add the entry anyway. It really is that simple. Thanks to the people over at the TechNet forums for their help. Could anyone point me in the right direction here..? I am completely lost |
Author: | velosol [ Fri Jul 08, 2016 12:25 am ] |
Post subject: | Re: [Solved] Smartcard for Bitlocker in Windows 10 |
The key to be 'just create[d]' is the HKLM\Software\Policies\Microsoft\FVE registry key. The link provided originally has the full set of instructions but says to make an adjustment to a registry key. In this case the key does not exist and must be created and set as in the instructions. Always be careful playing around in the registry, it can be a real pain to recover from mistakes there! |
Author: | rsrinivasan [ Wed Dec 14, 2016 5:15 am ] |
Post subject: | Re: [Solved] Smartcard for Bitlocker in Windows 10 |
I tried following this process (self signing certificate) - but when I use the Microsoft Technet instructions it says to insert the smart card (which of course you can't write to directly from Windows). I'm presuming you have to generate certificate manually and then import it (using the Yubikey PIV manager tool). How do I create the certificate manually on the Windows 10 PC such that it works for Bitlocker? |
Page 1 of 1 | All times are UTC + 1 hour |
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |