How to set up Windows 10 BitLocker with a YubiKey

I use and advocate secure authentication, verification, and encryption methods. Naturally, I have used 2-Factor-Authentication for a long time wherever it is available (Google, Facebook, Dropbox, and many others). In addition, my computers and mobile devices use Full Disk Encryption, protecting my data at rest.

2-Factor Authentication enabled since 2013-01-19.

The YubiKey is a small USB device that augments different authentication methods to accomplish these tasks. I recently purchased two of YubiCo’s latest model, the YubiKey 4 to help me with 2FA and FDE.

My YubiKey 4


I could not find much entry-level information on how to set up a YubiKey with BitLocker, the FDE solution of the Windows operating system (specifically, Windows 10). YubiCo itself only offers a guide for developers of FDE software (PDF). To help others, the following sets out the steps I used to implement FDE on my Windows 10 computer with a YubiKey 4. This is partly based on a YubiCo forums post but includes more information.

My system uses the following:

Preparations

If you have never used BitLocker, How-To Geek provides detailed and helpful instructions. Note that you will need to configure your YubiKey before you set up BitLocker. If you already use BitLocker, you can still use your YubiKey, but you will need to change your BitLocker PIN or password to the new YubiKey-backed one.

By the way:

I had already enabled BitLocker, but I used this opportunity to upgrade my encrypted drives from the default AES 128 algorithm to the more secure XTS AES 256. Chris Hoffman wrote thorough instructions at How-To Geek (that article does not cover XTS AES; the procedure is exactly the same, however, so simply choose XTS AES 256 instead of regular AES 256). This step is entirely optional.

[DE: There is also a guide in German on Gunther’s Blog.]

You need to know that using the YubiKey for BitLocker requires a static password: BitLocker FDE does not support more sophisticated authentication methods such as challenge-response. However, we can a) configure the YubiKey to generate a long, random password, and b) augment the password stored on the YubiKey with a memorized prefix (or postfix, if you prefer), so that the YubiKey on its own is not enough to unlock the drive.

Use with or without a Trusted Platform Module

The TPM in my computer is the primary protection for the BitLocker keys. These keys, in turn, are protected by a 6-20 character PIN that needs to be entered at startup. This so-called PIN may also include non-numeric characters, e.g. letters.

If your computer does not have a TPM, additional steps are required to use BitLocker. How-To Geek provides detailed and helpful instructions on BitLocker setup with and without a TPM. Without a TPM, the password (as opposed to the PIN used in conjunction with a TPM) can and should be longer than 20 characters. Do not be fooled into thinking that the non-TPM option is therefore more secure; it is definitely not.

Configuring the YubiKey

Plug your YubiKey into a free USB port and open the YubiKey Personalization Tool. Follow the next steps as described in these screenshots.

YubiKey Personalization Tool - step 1, Static Password

Click on “Static Password”, then “Advanced”.

YubiKey Personalization Tool - step 2, Static Password configuration

  1. Pick the slot into which you want to write the PIN/password.
  2. I used two YubiKeys to have a backup, so I checked “Program Multiple YubiKeys” and had them automatically written to. It is important to use “Fixed parameters” for the Parameter Generation Scheme, otherwise your backup YubiKey would store a different password.
  3. I chose to protect the configuration for slot 1. This is not a security feature, but helps against accidental deletion of your configuration.
  4. Depending on whether you use a BitLocker PIN (with a TPM) or a password (without a TPM), choose the proper password length. I use a PIN, which has a 20 character limit as described above. In this example, my memorized prefix has four characters and the rest of the PIN, stored on the YubiKey, has 16 characters.
  5. Check these boxes to include upper- and lowercase letters and the full alphanumeric set of characters.
  6. Click “Generate” next to each active field. Each time, the Personalization Tool will create a different identity. Note that this is not the password that is later written to the YubiKey – the Personalization tool never shows you that.
  7. YubiKey Personalization Tool - step 3, write in configuration slot 1

     If you write the password to configuration slot 1, the YubiKey Personalization Tool will ask you to confirm this step. Just make sure you did not have anything in that slot before.

  8. When you are satisfied with your settings, click “Write Configuration”. You will receive a confirmation that it worked. If you are programming multiple YubiKeys, you can now disconnect the first and plug in the next YubiKey.
  9. Each YubiKey you write to will show up on a new line in the “Results” field.

Configuring BitLocker

How-To Geek provides detailed and helpful instructions on BitLocker setup. The following shows the steps where the YubiKey is used.

BitLocker step 1 - password entry

While setting up BitLocker, you will be asked for a PIN or password. First, type your memorized prefix.

BitLocker step 1 - password entry

Then, still in the same PIN/password field, insert your YubiKey and tap it. It will then fill in the password it stores.

BitLocker step 3 - password entry 3

Repeat this step with the password confirmation/reentry field. First, type your prefix, then tap your YubiKey to insert its stored password. (If you prefer a postfix password, reverse the process: Tap the YubiKey first, then write your postfix.)

Click “Next” and BitLocker will continue its process of encrypting your drives. BitLocker will ask you to restart your computer once to confirm that everything works. This is where you enter your PIN/password exactly as you did when you set it: type your prefix, insert your YubiKey, and tap the YubiKey.

After this check, and once the encryption is done (which can take a long time), you can check the status of BitLocker in the Control Panel, or on the command line and in PowerShell (both in Administrator mode) with the command “manage-bde -status”.

PowerShell manage-bde -status
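As an added example (not part of the original post), the same check done in PowerShell with the built-in BitLocker module: it confirms the volume ended up with the settings this guide targets, XTS AES 256 and a TPM+PIN (or, without a TPM, a password) key protector. The drive letter C: is an assumption.

```powershell
# Added example: verify the BitLocker configuration this guide aims for.
# Assumes Windows 10 with the BitLocker PowerShell module and an elevated
# (Administrator) session. The drive letter C: is an assumption; adjust it.
$vol = Get-BitLockerVolume -MountPoint 'C:'

# Encryption algorithm: the guide upgrades from the default AES 128 to XTS AES 256.
$expectedMethod = 'XtsAes256'
if ($vol.EncryptionMethod -ne $expectedMethod) {
    Write-Warning "Encryption method is $($vol.EncryptionMethod), expected $expectedMethod (changing it requires re-encrypting the drive)."
}

# Key protectors: with a TPM the guide uses TPM + PIN; without one, a password protector.
$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
if ($types -contains 'TpmPin') {
    Write-Output 'TPM + PIN protector present: prefix + YubiKey-stored string is the PIN entered at boot.'
} elseif ($types -contains 'Password') {
    Write-Output 'Password protector present (no TPM): prefix + YubiKey-stored string is the boot password.'
} else {
    Write-Warning "No TPM+PIN or password protector found; protectors present: $($types -join ', ')"
}

# A recovery password protector should exist so a lost YubiKey does not lock you out.
if ($types -notcontains 'RecoveryPassword') {
    Write-Warning 'No recovery password protector found; back one up before relying on the YubiKey alone.'
}

# Overall status, equivalent to what "manage-bde -status" reports.
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage
```

ProtectionStatus shows "On" only after encryption has finished and the protectors are active, so run it after the post-restart check above.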

2 thoughts on “How to set up Windows 10 BitLocker with a YubiKey”

  1. Thanks for sharing, great explanation. What happens after you’ve enabled BitLocker? Does logging into Windows unlock the drive, or does that happen during boot? I’m just wondering at what point the YubiKey comes back into play.

    • Thank you, I’m glad this is helpful.

      BitLocker operates and decrypts the drive before the Operating System boots up. So the YubiKey comes into play right after you press the power button. The YubiKey simply holds one part of the passphrase (or “PIN”, as Microsoft calls it), the other part is your memorized prefix (or postfix). Upon boot, BitLocker shows you a simple screen with a password/PIN prompt; this is when you enter your prefix, insert the YubiKey, and tap it to complete the password/PIN. The OS then completes its boot. Logging into Windows comes later and is not related to encrypting the BitLocker drive.

      Does this help?
