Using Smart Cards with BitLocker

Applies To: Windows 7, Windows Server 2008 R2

In Windows 7, you can use smart card certificates with BitLocker Drive Encryption to protect fixed and removable data drives and to recover BitLocker-protected drives in the absence of the primary access key. Once you have obtained certificates, you can use them with BitLocker data recovery agents and as a BitLocker key protector for data drives. You can use any of the following methods to obtain a certificate for use with BitLocker:

  • Creating a certificate by using a Windows-based certification authority

  • Creating a self-signed certificate for use with BitLocker

  • Sharing an EFS certificate with BitLocker

After you have obtained a certificate, review Using Data Recovery Agents with BitLocker to learn how to configure BitLocker to use the smart card certificates to establish data recovery agents.

Note

Make sure that you back up the certificates you use with BitLocker and store them in a secure location.

Note

When a drive is unlocked by using smart card credentials, BitLocker scans all of the key protectors configured for the drive and tries to match them to a certificate on the inserted smart card. When a smart card is used, the certificate selection process creates a temporary certificate store that is filtered to remove any noncompliant certificates before the user is presented with a list of certificates to choose from. This behavior differs slightly when a certificate is specified by using the Manage-bde command-line tool: Manage-bde uses the local user store instead of creating a temporary store, so any certificate properties set in the local store are enforced, and Manage-bde uses whatever properties are associated with the certificate there. Because certificates on the smart card do not have properties associated with them, and properties cannot be set on certificates in a temporary store, this enforcement of certificate properties does not occur when a certificate is chosen from the BitLocker Control Panel item.

Creating a certificate by using a Windows-based certification authority

The Active Directory Certificate Services Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=151480) shows you how to set up a basic configuration of Active Directory Certificate Services (AD CS). AD CS provides customizable services for creating and managing public key certificates used in software security systems that employ public key technologies. Using a certification authority (CA) enables you to have centralized control of certificates in your organization, so that you can grant, renew, and revoke certificates as necessary. Using CA-based certificates with BitLocker is recommended for enterprise deployments.

Creating a self-signed certificate for use with BitLocker

You can create BitLocker-specific, self-signed certificates by using the Certreq.exe command-line tool included with the Windows operating system. Certreq uses a parameter file to create a certificate with the attributes you specify. Each parameter file is configured to use the default BitLocker object identifier, which Windows 7 recognizes by default. Therefore, modifications to Group Policy settings are not required to use these certificates. The following example parameter files show how to create a BitLocker smart card self-signed certificate for drive encryption and a BitLocker data recovery agent certificate for drive recovery. After the certificates are created and self-signed certificates are allowed, any drive can be encrypted.

Note

Use of self-signed certificates is disabled by default. You must modify the registry to enable the use of self-signed certificates. To do this, open the Registry Editor, navigate to the key HKLM\Software\Policies\Microsoft\FVE, and set the DWORD value SelfSignedCertificates to 1.

Warning

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

The following procedures describe the tasks associated with this method:

  • To create a certificate parameter file for drive encryption

  • To create a certificate parameter file for drive recovery

  • To use Certreq to create the certificates

To create a certificate parameter file for drive encryption

  1. Open Notepad or another text editor.

  2. Copy and paste the following information into the file.

    [NewRequest]
    Subject = "CN=BitLocker"
    KeyLength = 2048
    ProviderName = "Microsoft Smart Card Key Storage Provider"
    KeySpec = "AT_KEYEXCHANGE"
    KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
    KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
    RequestType = Cert
    SMIME = FALSE
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.4.1.311.67.1.1

  3. Save the file with the name blcert.txt.

To create a certificate parameter file for drive recovery

  1. Open Notepad or another text editor.

  2. Copy and paste the following information into the file.

    [NewRequest]
    Subject = "CN=BitLocker DRA"
    KeyLength = 2048
    ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
    Exportable = TRUE
    ExportableEncrypted = FALSE
    KeySpec = "AT_KEYEXCHANGE"
    KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
    KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
    RequestType = Cert
    SMIME = FALSE
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.4.1.311.67.1.2

  3. Save the file with the name bldracert.txt.

To use Certreq to create the certificates

  1. Open a command prompt.

  2. To create the certificate for drive encryption, type certreq -new blcert.txt.

  3. To create the certificate for drive recovery, type certreq -new bldracert.txt.
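The following script is an added example, not part of the original article: it performs the registry change from the Note above and the Certreq procedure in one pass, generating the parameter file from the settings shown (the two files in the article differ only in subject, provider, exportability and OID), and then confirms that the resulting certificate in the user's personal store carries the BitLocker OID. It assumes an elevated PowerShell prompt on Windows 7 (the HKLM write needs administrator rights) and certreq.exe on the PATH; the function names are this example's own.

```powershell
# Added example (not the article's own code). Assumes an elevated PowerShell
# prompt on Windows 7 and certreq.exe on the PATH.
$BitLockerDriveOid = '1.3.6.1.4.1.311.67.1.1'   # smart card drive encryption
$BitLockerDraOid   = '1.3.6.1.4.1.311.67.1.2'   # data recovery agent

# Self-signed certificates are disabled by default (see the Note above).
function Enable-BitLockerSelfSignedCerts {
    $key = 'HKLM:\Software\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'SelfSignedCertificates' -Value 1 -Type DWord
}

# Writes a Certreq parameter file with the article's settings; the article's two
# files differ only in subject, provider, exportability and OID.
function New-BitLockerCertRequestFile {
    param([string]$Path, [string]$Subject, [string]$Provider,
          [string]$Oid, [bool]$Exportable)
    $export = ''
    if ($Exportable) { $export = "Exportable = TRUE`r`nExportableEncrypted = FALSE`r`n" }
    $inf = @"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
ProviderName = "$Provider"
${export}KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequestType = Cert
SMIME = FALSE
[EnhancedKeyUsageExtension]
OID=$Oid
"@
    Set-Content -Path $Path -Value $inf -Encoding ASCII
}

# Finds certificates in the user's personal store whose EKU carries the given
# BitLocker OID, which is the property BitLocker matches key protectors against.
function Get-BitLockerCertificate {
    param([string]$Oid)
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $Oid })
    }
}

Enable-BitLockerSelfSignedCerts
New-BitLockerCertRequestFile -Path 'bldracert.txt' -Subject 'CN=BitLocker DRA' `
    -Provider 'Microsoft Enhanced Cryptographic Provider v1.0' -Oid $BitLockerDraOid -Exportable $true
certreq -new bldracert.txt
Get-BitLockerCertificate -Oid $BitLockerDraOid | Format-List Subject, Thumbprint, NotAfter
```

To create the smart card certificate instead, call New-BitLockerCertRequestFile with the "Microsoft Smart Card Key Storage Provider" provider, $BitLockerDriveOid and -Exportable $false; certreq will then prompt for the smart card PIN.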

Sharing an EFS certificate with BitLocker

You can share an Encrypting File System (EFS) self-signed smart card certificate with BitLocker. The following procedure describes how to create this certificate.

To create a shared certificate for use with BitLocker and EFS

  1. Click Start, and then click Control Panel.

  2. In Search Control Panel, type certificates, and then click Manage file encryption certificates.

  3. The Encrypting File System wizard opens. Click Next.

  4. Click Create new certificate, and then click Next.

  5. Click A self-signed certificate stored on my smart card, and then click Next.

  6. In the Microsoft Smart Card Provider dialog box, type your smart card personal identification number (PIN) in the space provided, and then click OK.

  7. After the certificate is created, you can choose to update previously encrypted files to use the new certificate or click I'll update my encrypted files later to use the self-signed certificate only for BitLocker. Make your choice as appropriate, and then click Next.

  8. The wizard confirms the creation of the certificate. Click Close to close the wizard.

  9. To associate the object identifier (also known as OID) of this certificate with BitLocker, you need to modify the associated Group Policy setting.

  10. To open the Local Group Policy Editor, click Start, and then in the Search programs and files box, type gpedit.msc.

  11. Under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Validate smart card certificate usage rule compliance.

  12. Click Enable, configure the Object identifier setting to match the object identifier of the certificate you just created, and click OK to apply the settings.