Yubico Forum

Posted: Fri May 03, 2013 2:00 pm
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Hello,

This simple tutorial will guide you through the configuration of full disk encryption for Windows 8 Pro with the Yubikey.
This tutorial may work for different versions of Windows as well.


** Disclaimer **

BEFORE FOLLOWING THIS TUTORIAL YOU HAVE TO BACK UP ALL YOUR DATA FROM YOUR HARD DRIVE. YUBICO IS NOT RESPONSIBLE IN ANY WAY IF YOU MESS UP YOUR DRIVE AND LOSE ALL YOUR DATA!

** ** ** ** **


1) Configure the Yubikey with a strong password. Download the personalization tool here: http://www.yubico.com/wp-content/upload ... -3.1.9.exe

Always check http://www.yubico.com/products/services ... tools/use/ for the latest version


2) Run the personalization tool and select static-password on the top menu

3) Select advanced

4) Have a look at the screenshot. If you do not know what to do here, please use these values. Press the GENERATE buttons as many times as you like.

Image

5) Finally press the WRITE button at the bottom to configure your Yubikey.

Now we head over to the BitLocker configuration.


1) Turning on BitLocker in Windows 8 is simple and straightforward. Begin by opening the Charms Bar, clicking on the Search Charm, entering BitLocker in the search textbox, and then click Settings. Click BitLocker Drive Encryption in the results list and you’ll be whisked to the BitLocker Drive Encryption Control Panel Applet.
The BitLocker Drive Encryption Control Panel Applet shows the PC’s hard drives, including removable storage such as USB keys.

An alternative method is to open the "Computer" window in Windows Explorer and right-click on the hard drive you want to encrypt. Then select enable BitLocker.

BitLocker will do a quick system check, and if all goes well it will ask how you wish to unlock the drive. Select a password option, then you’ll be asked to enter and confirm the password. USE YOUR YUBIKEY NOW! Select the password field and emit the password that you generated before from your Yubikey. If you configured the password in slot 2, press the Yubikey for 3-5 seconds; if it was slot 1, just touch the Yubikey briefly for about half a second.



Image

You will need to select a method to save your recovery keys in case you lose your master password. I personally save it to a file in an encrypted TrueCrypt container. You may prefer other options.

Now that the Recovery Key is backed up—you did back it up, right? Select how to encrypt the drive. You will have two options:
A) Used disk space only
B) Entire Drive

Disk space only is a much faster option which comes with Windows 8.

I use the full drive encryption, which is slow; it will take some time depending on your drive size. (If you choose this setting, be careful because it will mess up your GRUB if you have Linux installed; you will have to use the recovery from your Linux distribution. This is how to fix it on Ubuntu: https://help.ubuntu.com/community/Boot-Repair )



2) At this point you will have to restart your computer and you will be prompted with this screenshot:

Image



3) Press your Yubikey for 3-5 seconds (if you configured the password in configuration slot 2 ) or just half a second if you configured the password in slot 1.

That's it! Your system will boot and your drive will be encrypted.







BIT LOCKER INSTALLATION VIDEO
http://www.youtube.com/embed/voWj542eEKQ






# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

WHAT TO DO IF YOU HAVE THE “This device can’t use a Trusted Platform Module.” ERROR?

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #


If you encounter this error:
1) Run GPEdit.msc to edit Group Policy, navigate to the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives container and double-click the Require additional authentication at startup policy.
Check the box next to Allow BitLocker without a compatible TPM, then click OK.
To learn more about TPM and why you have this error go here: http://windows.microsoft.com/en-us/wind ... n-overview


Image


Exit GPEdit.msc and either wait patiently until the next automatic Group Policy update, or run GPUpdate from a Command Prompt.

_________________
-Tom


Posted: Tue Oct 15, 2013 9:23 pm

Joined: Tue Oct 15, 2013 6:22 pm
Posts: 3
Are you sure you can use more than 20 characters? I had to select the 16 chars for Password Length


Code:
C:\WINDOWS\system32>manage-bde -protectors -add c: -TPMAndPIN
BitLocker Drive Encryption: Configuration Tool version 6.2.9200
Copyright (C) 2012 Microsoft Corporation. All rights reserved.

Type the PIN to use to protect the volume:
ERROR: The value you have entered exceeded the maximum allowed length of 20 characters.


Posted: Fri Aug 07, 2015 6:11 pm

Joined: Fri Aug 07, 2015 6:01 pm
Posts: 1
ziggie216 wrote:
Are you sure you can use more than 20 characters? I had to select the 16 chars for Password Length


Code:
C:\WINDOWS\system32>manage-bde -protectors -add c: -TPMAndPIN
BitLocker Drive Encryption: Configuration Tool version 6.2.9200
Copyright (C) 2012 Microsoft Corporation. All rights reserved.

Type the PIN to use to protect the volume:
ERROR: The value you have entered exceeded the maximum allowed length of 20 characters.


do you know how to read?

given option:
    -TPMAndPIN

error message:
    Type the PIN

PIN is not a PASSWORD!

PASSWORD COMPLEXITY FOR BITLOCKER:
The number of characters = from 8 up to 100


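The distinction drawn in the reply above, between a -TPMAndPIN PIN and a BitLocker password, as an added PowerShell example that is not from any poster in this thread: it checks a secret's length against the limits quoted in the posts, lists the system drive's current protectors, and previews adding a password protector. `Test-SecretLength` and `$Limits` are hypothetical names, and the limits are taken from the posts, not queried from Windows.

```powershell
#Requires -RunAsAdministrator
# Added example. Length limits are the ones quoted in this thread, not queried from Windows.
$Limits = @{
    Password = @{ Min = 8; Max = 100 }  # "from 8 up to 100" (reply above)
    TpmPin   = @{ Min = 0; Max = 20 }   # maximum from the manage-bde error; no minimum is given
}

# Hypothetical helper: does the secret fit the protector type it is meant for?
function Test-SecretLength {
    param(
        [Parameter(Mandatory)][ValidateSet('Password', 'TpmPin')][string]$Type,
        [Parameter(Mandatory)][securestring]$Secret
    )
    $range = $Limits[$Type]
    ($Secret.Length -ge $range.Min) -and ($Secret.Length -le $range.Max)
}

# Show which protectors the system drive already has (Tpm, TpmPin, Password, RecoveryPassword, ...).
$mount = $env:SystemDrive
$vol   = Get-BitLockerVolume -MountPoint $mount
$types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
"{0}: protection {1}, protectors: {2}" -f $mount, $vol.ProtectionStatus, ($types -join ', ')

# Without a TPM, the policy from the tutorial must be enabled first.
$fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not (Get-Tpm).TpmPresent -and $fve.EnableBDEWithNoTPM -ne 1) {
    Write-Warning '"Allow BitLocker without a compatible TPM" is not enabled.'
}

# Focus this prompt and touch the YubiKey; the static password arrives as keyboard input.
$secret = Read-Host -AsSecureString -Prompt 'BitLocker password (touch the YubiKey)'
foreach ($t in 'Password', 'TpmPin') {
    "{0,-8} length ok: {1}" -f $t, (Test-SecretLength -Type $t -Secret $secret)
}

# -WhatIf only previews the change; remove it to add the password protector for real.
if (Test-SecretLength -Type Password -Secret $secret) {
    Add-BitLockerKeyProtector -MountPoint $mount -PasswordProtector -Password $secret -WhatIf
}
```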
Posted: Thu Apr 28, 2016 12:59 am

Joined: Wed Apr 27, 2016 11:44 pm
Posts: 7
I tried this in Windows 10 Pro, but it didn't work (I could log in with my password without the Yubikey inside)

What's wrong?

Also, is there a way to use the Yubikey with my fingerprint?


Posted: Fri Jun 24, 2016 6:03 am

Joined: Fri Jun 24, 2016 5:56 am
Posts: 1
I had the TPM error, and I attempted to fix it in the way outlined through group policy.

The problem I am having is that my PC just boots to a "Preparing Automatic Repair" screen. Is this meant to be happening and I need to let it do its thing, or is it not encrypting my drive and it is stuck on a recovery screen forever?

