Requirements:
- Windows (Tested with Windows 7 and Windows 10, probably works with Windows 8, Windows 8.1)
- YubiKey Neo with PIV installed (included by default on newer keys), and CCID mode enabled.
- YubiKey PIV Manager
Description
This tutorial will guide a moderate-to-expert user through the process of using Windows' Encrypting File System (EFS) with a certificate stored on a YubiKey Neo in CCID mode using the PIV app.
Limitations
You cannot encrypt your entire drive or your entire home folder using this method. It will not function. Don't try it. Don't say I didn't warn you.
Tutorial
- Create temporary encrypted documents
Create a temporary folder somewhere. I called it "Encrypted", but you can call it whatever you want. Create a text file in the folder and put some content into it. Doesn't matter what.
- Encrypt the temporary folder
Right-click on the folder, select Properties, then click Advanced, then check the checkbox for "Encrypt contents to secure data". Click OK, then Apply. In the dialog box, make sure you select "Apply changes to this folder, subfolders and files".
- Export your EFS Certificate
Hit the Windows key, type "certmgr.msc" and hit Enter. Select Personal, then Certificates, and look for the certificate which has an expiry date in 2115 (or later) and whose Intended Purpose is "Encrypting File System". Right-click on that one and select All Tasks -> Export. On the second page, select "Yes, export the private key"; on the third page, select all the checkboxes under .PFX; on the fourth page, enter a password. Save the file somewhere you won't lose it. Repeat All Tasks -> Export, this time with different options: on the second page, select "Base-64 encoded X.509 (.CER)", and save this file alongside your original file. After the export is done, make sure you delete the certificate completely: right-click on the certificate and select Delete.
- Install the Key and Certificate on Yubikey
Fire up YubiKey PIV Manager and insert your YubiKey. If prompted, set a PIN. Remember this PIN, you'll use it often. Click on Certificates to open the certificate wizard screen, and select the Authentication tab. If there's already a certificate there, delete it (make sure you don't need that certificate before you delete it). Click Import from File, and select the .pfx you created above. Unplug and reinsert your YubiKey. Double-click on the .cer file you exported above in Windows Explorer, then click Install Certificate... On the second page, select "Place all certificates in the following store", make sure you select Personal, then finish installing your certificate.
- Configure windows Encrypted Filesystem to use your new Key
This step is tricky: there's no single way to get to the proper dialog, as it changes from version to version. In Windows 7, go to Control Panel, click on User Accounts, then click "Manage your file encryption certificates". Once in the dialog/wizard, select "Use this certificate" and then "Select certificate". In the popup dialog, make sure you choose the correct certificate. Enter your PIN when prompted. Select "I'll update my encrypted files later", click Next, and the wizard crashes. That's because you're replacing the certificate with itself: the same certificate, but now with the key stored on the YubiKey instead of locally. Don't worry, it's done.
- Test the encrypted dummy data
Now go back to your original encrypted folder, and try to open the text file you created earlier. You may have to log out and log back in to clear the cached key. When prompted, enter your pin, and the file will open. Voila.
- Delete your encrypted folder
This folder was encrypted using the key that was originally stored in Windows, so every time you open it Windows tries to access that key. This is why we created a temporary folder, to deal with this nonsense.
- Encrypt your folder of choice (I suggest something like your workbench, or your business documents, or similar)
Select any folder, right-click, Properties, Advanced, Encrypt, etc., just like above. You'll now encrypt this folder using the key/cert on your YubiKey.
- Enjoy.
This folder requires you to insert your key to access anything in it, but once unlocked, it should continue to function until you log off or restart your computer.
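To check that the export/delete, import and "Manage your file encryption certificates" steps actually took effect, the following PowerShell script lists every EFS certificate in your Personal store with the provider that holds its private key, shows which thumbprint EFS currently uses for new files, and asks cipher.exe which certificate your test files were encrypted under. This is an added example, not part of the original post; it assumes Windows 10 with Windows PowerShell 5.1, that the EFS\CurrentKeys\CertificateHash registry value is where Windows records the active EFS certificate, and that the temporary folder is %USERPROFILE%\Encrypted.

```powershell
# Added verification script, not from the original tutorial.
# Assumptions: Windows PowerShell 5.1 on Windows 10 (needs .NET 4.6+), the
# EFS\CurrentKeys\CertificateHash value as the active-key location, and the
# temporary folder path below.

$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

function Test-EfsCertificate($cert) {
    # True when the certificate carries the EFS enhanced key usage
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { if ($oid.Value -eq $EfsOid) { return $true } }
        }
    }
    return $false
}

function Get-KeyProviderName($cert) {
    # A "Smart Card" provider means the key lives on the YubiKey; anything else
    # means a software copy of the private key is still on this machine.
    if (-not $cert.HasPrivateKey) { return '(no private key)' }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { return $rsa.CspKeyContainerInfo.ProviderName }
        if ($rsa -is [System.Security.Cryptography.RSACng]) { return $rsa.Key.Provider.Provider }
        return $rsa.GetType().Name
    } catch { return "unavailable: $($_.Exception.Message)" }
}

function Get-EfsCertificateReport {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-EfsCertificate $_ } | ForEach-Object {
        [pscustomobject]@{ Thumbprint = $_.Thumbprint; NotAfter = $_.NotAfter
                           HasKey = $_.HasPrivateKey; Provider = Get-KeyProviderName $_ }
    }
}

function Get-ActiveEfsThumbprint {
    # Assumption: this REG_BINARY value holds the SHA-1 thumbprint of the active EFS cert
    $path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
    $hash = (Get-ItemProperty -Path $path -Name CertificateHash -ErrorAction Stop).CertificateHash
    ($hash | ForEach-Object { $_.ToString('X2') }) -join ''
}

Write-Host "Active EFS thumbprint: $(Get-ActiveEfsThumbprint)"
$report = Get-EfsCertificateReport
$report | Format-Table -AutoSize
# A software-held EFS key means the "delete the certificate completely" step was missed
$report | Where-Object { $_.HasKey -and $_.Provider -notmatch 'Smart Card' } |
    ForEach-Object { Write-Warning "Software-backed EFS key still in store: $($_.Thumbprint)" }
# cipher.exe /c lists the certificate thumbprint(s) each file is encrypted under
Get-ChildItem "$env:USERPROFILE\Encrypted" | Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { & cipher.exe /c $_.FullName }
```

Files in the temporary folder should still report the old thumbprint, which is exactly why the tutorial has you delete that folder and encrypt a fresh one with the YubiKey-backed certificate active.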
Notes: This is my first How-To on this site, and I was in a hurry to throw it up. It's not the most utility for me, due to the inability to encrypt your entire home folder, but I felt the need to share it anyway since I figured out how to make it work.