Setting Up BitLocker with YubiKey as Smart Card
January 9, 2021
Overview
This guide provides steps to configure a BitLocker encrypted drive that can be unlocked with a YubiKey 5 series device in Smart Card mode. This will result in a BitLocker drive that is secured by a physical piece of hardware and only requires typing in your YubiKey PIN to unlock.
2022-01-17 UPDATE: Step 7 has been updated to improve the completeness of configuring the YubiKey. This will be particularly helpful to anyone with multiple keys, but good for those without as well.
Requirements
- Windows 10 Professional (or higher)
- YubiKey 5 series (I used a 5Ci)
- External hard drive, USB key, or Virtual hard drive
Configuration Steps
1. Download and install the YubiKey Manager, YubiKey Smart Card Minidriver, and optionally Yubico Authenticator apps. The authenticator app is not required for this guide, but it is useful for registering two-factor authentication (2FA) tokens to your YubiKey.
- YubiKey Manager
- YubiKey Smart Card Minidriver
- Yubico Authenticator: Windows 10, Android, iOS
2. Create a text file with the following contents to use as a certificate request. I have set the certificate request to generate a certificate that is valid for 99 years, but you can change the ValidityPeriodUnits if a different amount of time is desired. You may also change the OID value, but only do so if you have a reason for it. The name of the file does not matter, but I have used bitlocker-certificate.txt.
[NewRequest]
Subject = "CN=BitLocker"
KeyLength = 2048
HashAlgorithm = Sha256
Exportable = TRUE
KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequestType = Cert
SMIME = FALSE
ValidityPeriodUnits = 99
ValidityPeriod = Years
[EnhancedKeyUsageExtension]
OID=1.3.6.1.4.1.311.67.1.1
3. Open the Registry Editor and add the following key. Press Windows + R, then type in regedit, and click OK to open the Registry Editor.
- Browse to: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE
- Right-click in the window pane on the right and select: New -> DWORD (32-bit) Value
- Type the following name for the key: SelfSignedCertificates
- Double-click the key to open it and set the value to: 1
4. Open the Local Group Policy Editor to ensure that smart card certificates are properly configured for use with BitLocker. To open the Local Group Policy Editor press Windows + R, then type gpedit.msc, and click OK.
- Browse to: Local Computer Policy -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption
- Double-click to open: Validate smart card certificate usage rule compliance
- Set the rule to: Enabled
- Ensure that Object identifier: is set to 1.3.6.1.4.1.311.67.1.1 (if you changed the OID in step 2, it must match that value)
5. Open PowerShell to generate the certificate to use with BitLocker and the YubiKey. This is the certificate that will be loaded onto the YubiKey.
- Change directory to where you saved the text file from step 2
- Run the following command: certreq -new .\bitlocker-certificate.txt
- Enter a name for the request file such as: bitlocker-certificate.req
- Delete the .req file as it is not needed
- Delete the .txt file from step 2
6. Open the certificate manager to export the newly created certificate in a format that can be loaded onto the YubiKey.
- Open the Windows start menu and type: Manage user certificates
- Click to open the certificate manager program
- Browse to: Certificates – Current User -> Personal -> Certificates
- There you will see a certificate titled BitLocker
- Right-click and select: All Tasks -> Export…
- Click Next, then select Yes, export the private key, then click Next again
- Click Next, then check the Password: box, and enter a password for the certificate (I used ‘1’ as this file will be deleted later anyhow)
- Click Next, then Browse… and save the file as bitlocker-certificate.pfx, then click Next, and finally Finish
7. Open the YubiKey Manager program to import the certificate to your YubiKey.
- If not already done, insert your YubiKey into your PC
- Open the YubiKey Manager app
- Go to: Applications -> PIV -> Configure Certificates -> Card Authentication
- Click Import and browse to and select the bitlocker-certificate.pfx file
- Type the password you assigned to the certificate in step 6
- Check the Use default box on the Management key screen and click OK
- Delete the bitlocker-certificate.pfx file from your PC (you may want to wait until you have completely finished before doing this)
2022-01-17 UPDATE
After further testing, I have found that it can be helpful to configure the PIN Management section of the YubiKey as well. This is primarily to ensure that configuring multiple keys works without issue, but should also ensure that your keys are set up in the most secure way. These additional steps will provide a standard configuration.
- With the YubiKey Manager program still open go to: Applications -> PIV -> Configure PINs
- If not already done, click Change PIN to update the PIN to something other than the default
- Then, from the Configure PINs screen, click Change PUK
- Add a PUK that is different from your PIN; this is essentially your backup PIN
- Then, from the Configure PINs screen, click Change Management Key
- Click Generate, and ensure the Protect with PIN box is checked
- Repeat this process on your other keys, and be sure to copy the generated key to those keys
Note that the management key should be the same on all of your keys and also kept secret. That is, only click Generate on the first YubiKey. If you would like to add another YubiKey in the future you will need to store this key as you cannot retrieve it. For further information on PIN management see the YubiKey documentation.
8. Encrypt your device with the now configured YubiKey. Once this step is completed you will have an encrypted drive that can be unlocked with your YubiKey.
- Connect your storage device to your PC
- Open File Explorer and go to This PC
- Right-click on the device you would like to encrypt with BitLocker
- Click Turn on BitLocker
- Check the Use my smart card to unlock the drive box and click Next
- Select one of the options to back up your recovery key. This is important: if you lose your YubiKey, this will be the only way to unlock your drive
- Click Next and then select how much of your drive to encrypt. I typically select Encrypt entire drive (slower but best for PCs and drives already in use)
- Click Next and then select which encryption mode to use. I typically select New encryption mode (best for fixed drives on this device)
- Click Start encrypting
- That’s it, you are now ready to unlock your encrypted drive with your YubiKey
- Remember to empty your Recycle Bin to permanently delete the certificates that were used during setup
9. Verify that everything worked as expected. If for some reason things are not working, remember that you can use the recovery key from the previous step to unlock the drive at any time.
- Right-click on your device in File Explorer and select Eject
- Remove the device and re-insert it into your PC
- Click on the device in File Explorer to bring up the BitLocker menu
- Click Use smart card
- Enter the PIN you have set on your YubiKey (default is 123456, but I would highly suggest changing it)
- Your drive should now be unlocked
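Beyond the manual unlock test above, the registry value, certificate and key protectors from steps 3, 5 and 8 can be checked from PowerShell. This script is an added example, not part of the original guide; it assumes the encrypted volume is mounted as E:, the certificate subject is CN=BitLocker and the EKU OID is the one from step 2.

```powershell
# Post-setup check for the BitLocker + YubiKey configuration in this guide.
# Assumptions (constructed for this example): volume E:, subject CN=BitLocker,
# EKU OID 1.3.6.1.4.1.311.67.1.1 as in step 2. Run in an elevated PowerShell session
# on the PC where the drive was encrypted.
$MountPoint   = 'E:'
$BitLockerOid = '1.3.6.1.4.1.311.67.1.1'

# 1. The registry value from step 3 must exist and be 1, otherwise Windows will
#    not accept a self-signed certificate for unlocking.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($fve -and $fve.SelfSignedCertificates -eq 1) {
    Write-Host 'OK   SelfSignedCertificates = 1'
} else {
    Write-Warning 'SelfSignedCertificates is missing or not 1 (see step 3)'
}

# 2. The certificate must carry the BitLocker EKU from the [EnhancedKeyUsageExtension]
#    section of the request file; that is what the step 4 policy validates.
$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.Subject -eq 'CN=BitLocker' -and ($_.EnhancedKeyUsageList.ObjectId -contains $BitLockerOid)
}
if (-not $certs) { Write-Warning 'No CN=BitLocker certificate with the BitLocker EKU found (see step 5)' }
foreach ($c in $certs) {
    $provider = '(no private key in this store)'
    if ($c.HasPrivateKey) {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
        if ($key -is [System.Security.Cryptography.RSACng]) { $provider = $key.Key.Provider.Provider }
    }
    Write-Host ('Cert {0} expires {1:yyyy-MM-dd} key provider: {2}' -f $c.Thumbprint, $c.NotAfter, $provider)
    # certreq generated this key in software (Exportable = TRUE in the request file).
    # If the provider shown is the Microsoft Software Key Storage Provider, a copy of the
    # private key is still in this user's certificate store, not only on the YubiKey.
    # Remove that store entry once the key is on the YubiKey if you want the drive to
    # depend on the hardware alone; the .pfx deleted in step 7 is a separate copy.
}

# 3. The volume must have the certificate (public-key) protector plus the recovery
#    password from step 8; without the recovery password a lost YubiKey means a lost drive.
$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
Write-Host ('Volume {0}: protection {1}, protectors: {2}' -f $MountPoint, $vol.ProtectionStatus, ($types -join ', '))
if ($types -notcontains 'RecoveryPassword') { Write-Warning 'No recovery password protector found (see step 8)' }

# manage-bde lists each protector with its identifier; the certificate protector's
# thumbprint should match the certificate printed above.
manage-bde -protectors -get $MountPoint
```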
Bonus Step
If you are like me, you may have a second YubiKey in case you lose one of them. The great news is that you can use more than one YubiKey to unlock the same device.
- With the YubiKey you just configured inserted into your PC, open the YubiKey Manager app
- Go to: Applications -> PIV -> Configure Certificates -> Card Authentication
- Click Export and save the file as bitlocker-certificate.crt
- Remove your first YubiKey from your PC and insert your second YubiKey
- Go to: Applications -> PIV -> Configure Certificates -> Card Authentication
- Click Import and browse to the .crt file that was just exported
- Check the Use default box and click OK
- Delete the bitlocker-certificate.crt file
That’s all for setting up another YubiKey. Now you should be able to unlock your BitLocker drive with either key.