Scenario 13: Locking a Data Drive with a Smart Card (Windows 7)

Applies To: Windows 7

This scenario describes how to use smart cards with a self-signed certificate to encrypt a data drive by using BitLocker Drive Encryption. When deploying BitLocker along with smart cards, we recommend that a certification authority be used. As a best practice, self-signed certificates should only be used for limited testing scenarios. By default, BitLocker cannot be used with self-signed certificates.

Before you start

To complete this scenario, carry out the following procedures in order.

To enable BitLocker to use self-signed certificates

  1. Click Start, type regedit in the Search programs and files box, right-click regedit.exe, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  2. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE.

  3. On the Registry Editor menu, click Edit, point to New, and then click DWORD (32-bit) Value.

  4. Type SelfSignedCertificates, and then press ENTER to create the SelfSignedCertificates key value.

  5. Right-click SelfSignedCertificates, and then click Modify.

  6. In Value data, type 1.

BitLocker can now use self-signed certificates.

To obtain a self-signed certificate to test BitLocker and smart cards

  1. Open a text editor such as Notepad, and paste the following information into a new file:

    [NewRequest]
    Subject = "CN=BitLocker"
    KeyLength = 2048
    ProviderName = "Microsoft Smart Card Key Storage Provider"
    KeySpec = "AT_KEYEXCHANGE"
    KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
    KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
    RequestType = Cert
    SMIME = FALSE

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.4.1.311.67.1.1

  2. Save the file with the name blcert.txt.

  3. Insert a smart card into the smart card reader of the computer.

  4. Click Start, type cmd in the Search programs and files box, right-click cmd.exe, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  5. In the Command Prompt window, navigate to the location where you saved the blcert.txt file, and type certreq -new blcert.txt to request a new certificate based on the parameters identified in the file. There may be a slight delay while the request is carried out, and you may be prompted to enter your smart card PIN.

  6. When prompted to save the request file, type a file name, and click Save.

You now have a smart card certificate that is appropriate for use with BitLocker.
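The first two procedures (the registry policy value and the certreq request) can be scripted and the resulting certificate checked for the BitLocker enhanced key usage before the wizard is run. The following PowerShell script is an added example, not part of the original scenario; it assumes an elevated Windows 7 PowerShell 2.0 session, that certreq installs the new certificate in the current user's Personal store, and uses the constructed path C:\blcert.

```powershell
# Added example (not from the original scenario): automates the registry
# change and the certreq request, then verifies the certificate's EKU.
# Assumes Windows 7 / PowerShell 2.0 and an elevated prompt; paths are constructed.
$ErrorActionPreference = 'Stop'

# 1. Allow BitLocker to accept self-signed certificates (per-machine policy key).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
New-ItemProperty -Path $fve -Name 'SelfSignedCertificates' -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Write the certreq INF from the scenario; the EKU OID marks the certificate
#    as a BitLocker Drive Encryption certificate.
$bitLockerEku = '1.3.6.1.4.1.311.67.1.1'
$inf = @"
[NewRequest]
Subject = "CN=BitLocker"
KeyLength = 2048
ProviderName = "Microsoft Smart Card Key Storage Provider"
KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequestType = Cert
SMIME = FALSE
[EnhancedKeyUsageExtension]
OID=$bitLockerEku
"@
$workDir = 'C:\blcert'   # constructed path
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
Set-Content -Path "$workDir\blcert.txt" -Value $inf -Encoding ASCII

# 3. Generate the self-signed certificate on the inserted smart card (expect a PIN
#    prompt). Naming the output file avoids the Save As dialog.
& certreq.exe -new "$workDir\blcert.txt" "$workDir\blcert.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 4. Confirm the certificate carries the BitLocker EKU and Key Encipherment usage
#    (assumed to be installed in the current user's Personal store).
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.Subject -eq 'CN=BitLocker' -and
    ($_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | Where-Object { $_.Value -eq $bitLockerEku })
} | Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'No CN=BitLocker certificate with the BitLocker EKU was found.' }
$ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
if (-not ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)) {
    throw 'Certificate lacks the Key Encipherment usage that BitLocker requires.'
}
"Smart card certificate ready for BitLocker: thumbprint $($cert.Thumbprint)"
```

If the EKU check fails, the wizard's Use my smart card option will not accept the card, so fix the request file before continuing to the next procedure.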

To use BitLocker with a smart card to protect a data drive

  1. If you want to protect a removable drive, insert it into the computer.

  2. Click Start, and then click Computer to display the drives on your computer.

  3. Right-click the drive you want to protect, and then click Turn on BitLocker to start the BitLocker setup wizard.

  4. On the Choose how you want to unlock this drive wizard page, click Use my smart card to unlock the drive.

  5. Insert your smart card into the smart card reader, and click Next.

  6. On the Save the recovery key wizard page, select either Save the key to a file, to save your recovery key to a network drive or another location, or Print the recovery key, to print the 48-digit recovery password, and then click Next.

  7. On the Are you ready to encrypt this drive page, confirm that you want to use a smart card to encrypt the drive, and click Start Encrypting.

  8. When the drive is ready for encryption, the Encryption in Progress status bar is displayed. When you are notified that encryption is complete, click Close.

By completing the procedures in this scenario, you have a drive that is now protected by BitLocker and ready to use. Whenever the drive is inserted into a computer running Windows 7, a dialog box will prompt users to insert their smart card to unlock the drive.