UniToken Integration Guide BitLocker Drive Encryption

From SecuTech Wiki


Install the PKI Package

This section explains how to install the PKI package that can be found inside the UniToken SDK. The End User package can be found inside the folder "Redist/Enduser/".

1 Right-click on the PKI package installation file and choose [Run as administrator]. Execute the file with an account that has administrator rights on this computer. Bitlocker img01.jpg
2 Click on [Next] in the InstallShield Wizard welcome screen. Bitlocker img02.jpg
3 Input your User Name and Company Name and click on [Next]. Bitlocker img03.jpg
4 Select [Complete] and click on [Next]. Bitlocker img04.jpg
5 Click on [Install] to begin the installation of the PKI package. Bitlocker img05.jpg
6 Verify that the InstallShield Wizard completed successfully and click on [Finish]. Bitlocker img06.jpg

Create a Compatible Smartcard Certificate

In this tutorial, we will use a self-signed certificate to encrypt the disk with BitLocker. A smart card certificate signed by a Certificate Authority can also be used, but ensure it is supported by BitLocker. More information about the requirements for a compatible BitLocker certificate can be found on Microsoft's website.

1 From the Start Menu, type "regedit", without quotation marks, in the search field, then right-click on "regedit" and click [Run as administrator].
Bitlocker img07.jpg
2 Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" and right click in the right pane. Choose [New] [DWORD(32-bit Value)]. Bitlocker img08.jpg
3 Name the DWORD value "SelfSignedCertificates". Bitlocker img09.jpg
4 Double click on the value and set the field [Value data] to "1". Click on [OK] to confirm and close regedit. Bitlocker img10.jpg
5 Copy the text below and save it as "blcert.txt". This is a certreq INF file: the key is generated by the UniToken CSP, the key usage is restricted to key encipherment/decryption, and the enhanced key usage OID 1.3.6.1.4.1.311.67.1.1 marks the certificate for BitLocker Drive Encryption.

    [NewRequest]
    Subject = "CN=BitLocker"
    KeyLength = 2048
    ProviderName = "UniToken PRO CSP v2.0"
    KeySpec = "AT_KEYEXCHANGE"
    KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
    KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
    RequestType = Cert
    SMIME = FALSE

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.4.1.311.67.1.1

6 From the Start Menu, type "cmd.exe", without quotation marks, in the search field, then right-click on "cmd" and click [Run as administrator].
Bitlocker img12.jpg
7 Retrieve the path of the "blcert.txt" file saved earlier. To do so, navigate to where "blcert.txt" is saved, right-click on the file and select [Properties], search for the field [Location] and copy the path of your file.
Bitlocker img13.jpg
8 In the cmd console, type "cd " followed by the path of your file to change to the directory where it is saved, for example "cd C:\Users\SecuTech\Desktop", without quotation marks. Make sure the corresponding UniToken is correctly plugged in before executing the next command. Then type "certreq -new blcert.txt" to request the BitLocker certificate.
Bitlocker img14.jpg
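The registry change, the INF file and the certreq call from steps 1 to 8 can be done in one script, with a check at the end that the certificate really landed in the user's Personal store with the BitLocker EKU. This is an added example, not part of the SecuTech guide; it assumes the INF is written to the current user's Desktop and that the script runs from an elevated PowerShell prompt with the UniToken plugged in.

```powershell
# Added example (not from the SecuTech guide): automate the registry change and
# the certreq step, then confirm the resulting certificate.
# Assumed: elevated PowerShell, UniToken inserted, INF saved on the Desktop.

$fveKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$infPath = Join-Path $env:USERPROFILE 'Desktop\blcert.txt'
$blEku   = '1.3.6.1.4.1.311.67.1.1'   # BitLocker Drive Encryption EKU used by the guide

# 1. Let BitLocker accept a self-signed smart card certificate
#    (same effect as the regedit steps in the guide).
if (-not (Test-Path $fveKey)) { New-Item -Path $fveKey -Force | Out-Null }
New-ItemProperty -Path $fveKey -Name 'SelfSignedCertificates' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Write the certreq INF exactly as given in the guide.
@"
[NewRequest]
Subject = "CN=BitLocker"
KeyLength = 2048
ProviderName = "UniToken PRO CSP v2.0"
KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequestType = Cert
SMIME = FALSE

[EnhancedKeyUsageExtension]
OID=$blEku
"@ | Set-Content -Path $infPath -Encoding ASCII

# 3. Generate the key pair on the token and the self-signed certificate.
#    certreq prompts for the token's User PIN through the CSP.
& certreq.exe -new $infPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 4. Verify: the newest CN=BitLocker certificate in the user's Personal store
#    must carry the BitLocker EKU and have an associated private key.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=BitLocker' -and
                   $_.EnhancedKeyUsageList.ObjectId -contains $blEku } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'No BitLocker certificate found in Cert:\CurrentUser\My' }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key (token CSP not used?)' }

"Thumbprint : $($cert.Thumbprint)"
"Valid until: $($cert.NotAfter)"
```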

Encrypt the Hard Disk with BitLocker

1 From the Start Menu, type "BitLocker", and from the results that appear, choose [Manage BitLocker]. Bitlocker img15.jpg
2 Choose the disk that you wish to enable BitLocker on and click on [Turn on BitLocker]. Bitlocker img16.jpg
3 On the screen "Choose how you want to unlock this drive", check [Use my smart card to unlock the drive] and click on [Next].

The options shown differ depending on whether you encrypt a partition on an internal or an external disk. For now, UniToken cannot be used to encrypt the system partition.

Bitlocker img17.jpg
4 On the screen "How do you want to store your recovery key?", choose where you want to save the file containing the recovery key - you can also choose to print it. Be sure to keep the recovery key in a safe place. If you lose your smart card, it is the only way to decrypt the data on the encrypted drive: otherwise, all data will be lost. Bitlocker img18.jpg
5 On the screen "Are you ready to encrypt this drive", click [Start Encrypting]. Bitlocker img19.jpg
6 The encryption process will take place. This may take a long time depending on the characteristics of your computer and the size of the disk to be encrypted. (On the tested configuration, encrypting an 8 GB partition took approximately 30 minutes.) Bitlocker img20.jpg
7 When the dialog window "Encryption of (disk) is complete" appears, the disk is now protected. Click on [Close] to finish. Bitlocker img21.jpg
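Once the "Encryption of (disk) is complete" dialog has appeared, the state of the volume can be confirmed from PowerShell, and the recovery password that step 4 warns about can be backed up again to a separate location. This is an added example, not part of the SecuTech guide; it assumes the encrypted data drive is E: and the backup is written to a removable drive mounted as F:, and it runs from an elevated PowerShell prompt.

```powershell
# Added example (not from the SecuTech guide): verify the BitLocker volume
# produced by the procedure above and back up its recovery password.
# Assumed: data drive E:, backup target F:, elevated PowerShell prompt.

$mount  = 'E:'
$backup = 'F:\BitLocker-recovery-E.txt'

$vol = Get-BitLockerVolume -MountPoint $mount
if (-not $vol) { throw "No BitLocker volume found at $mount" }

"Volume status      : $($vol.VolumeStatus)"       # FullyEncrypted after step 7
"Protection status  : $($vol.ProtectionStatus)"   # On
"Encryption progress: $($vol.EncryptionPercentage)%"
"Key protectors     : $($vol.KeyProtector.KeyProtectorType -join ', ')"

# Step 4 of the guide: the recovery key is the only way in if the smart card
# is lost, so make sure a recovery password protector exists. If the GUI
# did not create one, add it now.
$rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($rp.Count -eq 0) {
    $vol = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
    $rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

# Write identifier + 48-digit recovery password to the backup file.
$lines = foreach ($p in $rp) {
    "Identifier: $($p.KeyProtectorId)"
    "Recovery password: $($p.RecoveryPassword)"
    ""
}
$lines | Set-Content -Path $backup -Encoding ASCII
"Recovery password saved to $backup (keep it off the encrypted drive)."

# Data is only protected once encryption has finished and protection is on.
if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
    Write-Warning "Encryption is not finished or protection is off on $mount."
}
```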

Access to the Encrypted Disk

1 When attempting to access the encrypted disk, the following window will appear. (You can also choose to unlock the disk automatically when the smart card is inserted.)

Insert your UniToken device and click on [Unlock].

Bitlocker img22.jpg
2 You will be asked to type the User PIN of your UniToken to unlock the drive. The drive will be unlocked only if the correct PIN is entered. Enter the User PIN and click [OK] to access the encrypted drive. Bitlocker img23.jpg

Glossary

Smart Card: any pocket-sized card with embedded integrated circuits. There are two broad categories of integrated circuit cards (ICCs). Memory cards contain only non-volatile memory storage components, and perhaps dedicated security logic. Microprocessor cards contain volatile memory and microprocessor components.

Public Key Infrastructure (PKI): a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

Microsoft Cryptography API, MS-CAPI: an application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Windows-based applications using cryptography.

PKCS: refers to a group of public-key cryptography standards devised and published by RSA Security.