I use and advocate secure authentication, verification, and encryption methods. Naturally, I have used two-factor authentication (2FA) for a long time wherever it is available (Google, Facebook, Dropbox, and many others). In addition, my computers and mobile devices use full disk encryption (FDE), protecting my data at rest.
The YubiKey is a small USB device that adds a hardware factor to several authentication methods (one-time passwords, U2F, smart card, and a static password that the key types as if it were a USB keyboard). I recently purchased two of Yubico’s latest model, the YubiKey 4, to help me with 2FA and FDE.
I could not find much entry-level information on how to set up a YubiKey with BitLocker, the FDE solution built into Windows (specifically, Windows 10). Yubico itself only offers a guide for developers of FDE software (PDF). To help others, the following sets out the steps I used to implement FDE on my Windows 10 computer with a YubiKey 4. It is partly based on a Yubico forums post but includes more information.
My system uses the following:
- A mainboard with a Trusted Platform Module (TPM) chip
- Windows 10 Pro (version 1703; BitLocker is not included in Windows 10 Home)
- YubiKey 4 and the YubiKey Personalization Tool
If you have never used BitLocker, How-To Geek provides detailed and helpful instructions. Configure your YubiKey (below) before you set up BitLocker, because the part of the PIN stored on the key has to exist before you can enter it. If you already use BitLocker, you can still use your YubiKey, but you will need to change your BitLocker PIN or password to the new combination of memorized prefix plus YubiKey output.
By the way:
I had already enabled BitLocker, but I used this opportunity to upgrade my encrypted drives from the default 128-bit cipher to the stronger XTS-AES 256. Chris Hoffman wrote thorough instructions at How-To Geek (that article does not cover XTS-AES, but the procedure is exactly the same: in the Group Policy setting “Choose drive encryption method and cipher strength”, simply choose XTS-AES 256 instead of regular AES 256). Be aware that the cipher cannot be changed in place: the drive is fully decrypted and then encrypted again, so make a backup first and expect it to take a while. This step is entirely optional.
[DE: There is also a guide in German on Gunther’s Blog.]
You need to know that using the YubiKey for BitLocker means using its static password mode. BitLocker’s pre-boot authentication accepts only a PIN or password typed at the keyboard (or a startup key file on a USB drive); it cannot send a challenge to the key, so challenge-response and the YubiKey’s other modes are of no use here. The static password works because the YubiKey enumerates as a USB keyboard and, when tapped, types the stored string. Two things follow from that. First, anyone holding the key can make it type the secret, so we a) configure the YubiKey to generate a long, random password, and b) augment it with a memorized prefix (or postfix, if you prefer) that is never stored on the key. Second, the key types wherever the cursor is, so only tap it with the intended field focused; a tap with a chat window or a browser search box in focus pastes the secret there.
Use with or without a Trusted Platform Module
The TPM in my computer is the primary protection for the BitLocker keys: it holds the key that unlocks the volume and releases it only when the boot measurements match those recorded at setup and the correct PIN is presented, and the TPM’s own anti-hammering limits how fast PINs can be guessed. The PIN is 6 to 20 characters long and must be entered at startup. Letters and other non-numeric characters are allowed only if the Group Policy setting “Allow enhanced PINs for startup” (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives) is enabled before the PIN is set; otherwise the PIN is digits only.
If your computer does not have a TPM, additional steps are required to use BitLocker (a Group Policy setting allows BitLocker without a compatible TPM). How-To Geek provides detailed and helpful instructions on BitLocker setup with and without a TPM. Without a TPM, the password (as opposed to the PIN used in conjunction with a TPM) can and should be longer than 20 characters, because it is then the only thing protecting the key: an attacker who images the drive can try passwords offline without any rate limit. With a TPM, the PIN is checked by the chip, guesses are throttled, and the key is never released if the boot chain has been tampered with. Do not be fooled into thinking that the non-TPM option is therefore more secure; it is definitely not.
Configuring the YubiKey
Plug your YubiKey into a free USB port, open the YubiKey Personalization Tool, and select Static Password > Advanced. Follow the next steps as described in these screenshots.
- Pick the slot into which you want to write the PIN/password. Slot 1 is triggered by a short tap and slot 2 by a long tap; note that slot 1 ships with a Yubico OTP credential, which is lost if you overwrite it.
- I used two YubiKeys to have a backup, so I checked “Program Multiple YubiKeys” and let the tool write to each key as it was inserted. It is important to select “Fixed parameters” for the Parameter Generation Scheme; otherwise your backup YubiKey would receive a different password.
- I chose to protect the configuration for slot 1 with an access code. This is not a security feature but helps against accidental deletion of your configuration. Keep the access code somewhere safe, since the slot cannot be reprogrammed without it.
- Depending on whether you use a BitLocker PIN (with a TPM) or a password (without a TPM), choose the proper password length. I use a PIN, which has a 20-character limit as described above. In this example, my memorized prefix has four characters and the rest of the PIN, stored on the YubiKey, has 16 characters.
- Check these boxes to include upper- and lowercase letters and the full alphanumeric set of characters.
- Click “Generate” next to each active field. Each time, the Personalization Tool creates a different set of fixed parameters. None of these fields is the password that is later written to the YubiKey; the Personalization Tool never shows you that password. To see it, tap the key into a text editor after writing the configuration.
- When you are satisfied with your settings, click “Write Configuration”. You will receive a confirmation that it worked. If you are programming multiple YubiKeys, you can now disconnect the first and plug in the next YubiKey.
- Each YubiKey you write to will show up on a new line in the “Results” field.
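As an added check before BitLocker comes into play (example code written for this page, not part of the original post and not from Yubico’s tool), the script below reads what each key types and confirms that both keys produce the same password, that it has the length and character classes configured above, and that prefix plus stored part fit the 20-character PIN limit. The values 16, 4 and 20 are taken from the example in the post; adjust them to your own settings. The input is read as a SecureString so nothing is echoed to the screen.

```powershell
# Added example (not from the original post): verify two YubiKeys programmed with
# "Fixed parameters" type the same static password, and that the password matches
# the options chosen in the Personalization Tool. Run in a private terminal.

function ConvertFrom-SecureStringPlain {
    # Turn a SecureString from Read-Host into a plain string for comparison,
    # freeing the unmanaged copy afterwards.
    param([Security.SecureString]$Secure)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Test-StaticPassword {
    param(
        [string]$Password,
        [int]$ExpectedLength = 16,   # length set in the Personalization Tool (assumed, as in the post)
        [int]$PrefixLength   = 4,    # the memorised part you type yourself (assumed, as in the post)
        [int]$PinLimit       = 20    # BitLocker's TPM+PIN ceiling
    )
    $problems = @()
    if ($Password.Length -ne $ExpectedLength) {
        $problems += "length is $($Password.Length), expected $ExpectedLength"
    }
    # "Upper and lower case" + "Alphanumeric" checkboxes: nothing but A-Z, a-z, 0-9.
    # Anything else usually means a keyboard-layout mismatch between the key and the host.
    if ($Password -notmatch '^[A-Za-z0-9]+$') {
        $problems += 'contains characters outside A-Z, a-z, 0-9 (check the keyboard layout in the Settings tab)'
    }
    # -cnotmatch is case-sensitive; plain -notmatch would treat [A-Z] and [a-z] alike.
    if ($Password -cnotmatch '[A-Z]' -or $Password -cnotmatch '[a-z]' -or $Password -notmatch '[0-9]') {
        $problems += 'does not use all of upper case, lower case and digits'
    }
    if (($PrefixLength + $Password.Length) -gt $PinLimit) {
        $problems += "prefix + stored part is $($PrefixLength + $Password.Length) characters, over the $PinLimit limit"
    }
    return $problems
}

$first  = ConvertFrom-SecureStringPlain (Read-Host -Prompt 'Insert YubiKey 1 and tap it' -AsSecureString)
$second = ConvertFrom-SecureStringPlain (Read-Host -Prompt 'Insert YubiKey 2 and tap it' -AsSecureString)

$problems = @(Test-StaticPassword -Password $first)
if ($first -cne $second) {
    $problems += 'the two YubiKeys type different passwords (re-program both with Fixed parameters)'
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { 'OK: both keys type the same password and it fits the PIN policy' }

# Do not leave the secret lying around in the session.
Remove-Variable first, second
```

If the key is configured to send Enter after the password, the tap ends the Read-Host prompt by itself; otherwise press Enter after tapping.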
How-To Geek provides detailed and helpful instructions on BitLocker setup. The following shows the steps where the YubiKey is used.
When BitLocker asks for the PIN (or password) and its confirmation, enter it exactly as you will at every boot: type your prefix, insert your YubiKey, and tap it; then do the same in the confirmation field. Click “Next” and BitLocker will continue its process of encrypting your drives. BitLocker will ask you to restart your computer once to confirm that everything works; this is the pre-boot system check, and encryption only starts after it passes. It is also where a keyboard-layout problem would show up, because the pre-boot prompt uses the US layout and the key sends keystrokes rather than characters. If the check fails, nothing has been encrypted yet and you can fix the configuration.
After this check has passed and the encryption is done (which can take a long time), you can check the status of BitLocker in the Control Panel, or on the command line and in PowerShell (both run as Administrator) with the command “manage-bde -status”; in PowerShell, Get-BitLockerVolume shows the same information.
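The same BitLocker steps, done from an elevated PowerShell prompt rather than the Control Panel, as an added example that is not part of the original post: it sets the policy values behind the enhanced-PIN and XTS-AES 256 settings mentioned above, enables BitLocker with a TPM+PIN protector whose PIN is entered as prefix plus YubiKey tap, adds a recovery password, and handles the already-encrypted case with a PIN change. Assumptions: the OS volume is C:, a TPM is present, and the prefix and stored lengths are 4 and 16 as in the post. The registry names under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones Group Policy writes; the cmdlets are Windows’ own BitLocker module.

```powershell
# Added example (not from the original post): the BitLocker side of the setup in
# PowerShell, run as Administrator. Assumes the OS volume is C:, a TPM is present,
# and a 4-character prefix plus 16 characters typed by the YubiKey, as in the post.

$Volume       = 'C:'
$PrefixLength = 4     # assumed, as in the post
$StoredLength = 16    # assumed, as in the post
$fve          = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. A TPM+PIN protector needs a ready TPM; fail early instead of half way through.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM (TpmPresent=$($tpm.TpmPresent), TpmReady=$($tpm.TpmReady)); use the non-TPM password route instead"
}

# 2. Local policy, the same values gpedit writes for the settings named above:
#    UseEnhancedPin = 1             "Allow enhanced PINs for startup" (letters allowed in the PIN)
#    EncryptionMethodWithXtsOs = 7  XTS-AES 256 for the OS drive (6 would be XTS-AES 128)
#    MinimumPIN                     reject anything shorter than prefix + YubiKey part
$policy = @{ UseEnhancedPin = 1; EncryptionMethodWithXtsOs = 7; MinimumPIN = $PrefixLength + $StoredLength }
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fve -Name $name -PropertyType DWord -Value $policy[$name] -Force | Out-Null
}

# 3. The PIN is entered the way it will be at boot: type the prefix, then tap the key.
$pin = Read-Host -Prompt 'BitLocker PIN (type your prefix, then tap the YubiKey)' -AsSecureString

$vol = Get-BitLockerVolume -MountPoint $Volume
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Fresh setup. Without -SkipHardwareTest, BitLocker asks for one reboot and checks
    # that the PIN can be entered pre-boot; encryption starts only if that passes.
    Enable-BitLocker -MountPoint $Volume -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $pin

    # The recovery password is the way back in if both YubiKeys are lost or a firmware
    # update changes the TPM measurements. Record it somewhere other than this machine.
    $vol = Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector
    ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
}
else {
    # Already encrypted with a TPM+PIN protector: only the PIN changes. manage-bde
    # prompts for the new PIN twice; type the prefix and tap the key each time.
    # The cipher cannot be changed this way; that needs Disable-BitLocker, a full
    # decryption, and Enable-BitLocker again.
    manage-bde -changepin $Volume
}

# 4. Status, the PowerShell equivalent of "manage-bde -status".
Get-BitLockerVolume -MountPoint $Volume |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, EncryptionMethod,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

The policy values are written before the PIN is created because BitLocker rejects a PIN containing letters unless enhanced PINs are already allowed. Leaving out -SkipHardwareTest is deliberate: the reboot check is what catches a key that types the wrong characters under the pre-boot keyboard layout, while the drive is still unencrypted.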