Technical Note
Gemalto .NET card and Bitlocker
Requirements:
• .NET Smartcard with a certificate (Basic EFS in this case)
• Windows Seven
Certificate Creation
From any Card Management System (Example: CLM):
1. Enroll a card with an EFS certificate.
Or create a self-signed certificate on Windows Seven:
2. Click Start, and then click Control Panel.
3. In Search Control Panel, type certificates, and then click Manage file encryption certificates.
4. The Encrypting File System wizard opens. Click Next.
5. Click Create new certificate, and then click Next.
6. Click A self-signed certificate stored on my smart card, and then click Next.
7. In the Microsoft Smart Card Provider dialog box, type your smart card personal identification
number (PIN) in the space provided, and then click OK.
8. After the certificate is created, you can choose to update previously encrypted files to use the new
certificate or click I'll update my encrypted files later to use the self-signed certificate only for
BitLocker. Make your choice as appropriate, and then click Next.
9. The wizard confirms the creation of the certificate. Click Close to close the wizard.
10. Use of self-signed certificates is disabled by default. You must modify the registry to
enable the use of self-signed certificates. To do this, open the Registry Editor, navigate
to the key HKLM\Software\Policies\Microsoft\FVE, and set the DWORD value
SelfSignedCertificates to 1. This step is only needed for the self-signed path; a CA-issued
EFS certificate enrolled in step 1 does not require it.
Configuration of Bitlocker
1. To associate the object identifier (also known as OID) of this certificate with BitLocker, you need to
modify the associated Group Policy setting.
2. To open the Local Group Policy Editor, click Start, and then in the Search program and files box,
type gpedit.msc.
3. Under Computer Configuration\Administrative templates\Windows Components\BitLocker
Drive Encryption, click Validate smart card certificate usage rule compliance.
4. Click Enabled, set the Object identifier to the object identifier of the certificate you just
created, and click OK to apply the settings. In this case, the OID of the EFS certificate is
“1.3.6.1.4.1.311.10.3.4”. The policy default is the BitLocker Drive Encryption OID
(1.3.6.1.4.1.311.67.1.1), so an EFS certificate is rejected until this value is changed.
Use case
1. Right-click the data drive (smart card unlock is not supported on the operating system drive)
and then select Turn on BitLocker…
2. Select “Use my smart card to unlock the drive”.
3. Remarks:
a. The machine can be switched off and on while encryption is in progress; encryption resumes.
b. At the next logon on the machine, the smart card and its PIN are required to unlock the data drive.
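The registry, policy and BitLocker steps above can also be scripted. The following PowerShell script is an added example and is not part of the Gemalto note: it applies the SelfSignedCertificates value from step 10, pins the certificate OID the group policy checks, locates the EFS certificate in the user's store by its Enhanced Key Usage, and enables BitLocker on the data drive with a certificate protector via manage-bde instead of the Control Panel wizard. The drive letter D:, the function name Find-EfsCertificate and the registry value name CertificateOID (what the "Validate smart card certificate usage rule compliance" policy is assumed to write) are assumptions; run it from an elevated prompt on the Windows 7 machine.

```powershell
# Added example, not from the Gemalto note. Run as administrator.
# Assumptions: data drive is D:, the policy OID is stored in the
# registry value CertificateOID under the FVE policy key.

$EfsOid    = "1.3.6.1.4.1.311.10.3.4"        # EFS EKU OID, as stated in the note
$FveKey    = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
$DataDrive = "D:"                            # must be a data drive, never the OS drive

# 1. Allow self-signed certificates (step 10 of "Certificate Creation").
#    Skip this if the card holds a CA-issued EFS certificate.
if (-not (Test-Path $FveKey)) { New-Item -Path $FveKey -Force | Out-Null }
Set-ItemProperty -Path $FveKey -Name "SelfSignedCertificates" -Value 1 -Type DWord

# 2. Pin the accepted certificate usage OID. The value name CertificateOID is an
#    assumption; confirm it by setting the policy in gpedit.msc once and reading
#    the key back, then keep whichever name the policy actually writes.
Set-ItemProperty -Path $FveKey -Name "CertificateOID" -Value $EfsOid -Type String

# 3. Find a certificate in the user's store whose Enhanced Key Usage extension
#    contains the EFS OID. The smart-card certificate created above is
#    propagated into Cert:\CurrentUser\My when the card is inserted.
function Find-EfsCertificate {
    param([string]$Oid = $EfsOid)
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $Oid })
    }
}

$cert = Find-EfsCertificate | Select-Object -First 1
if (-not $cert) { throw "No certificate with EKU $EfsOid found in Cert:\CurrentUser\My" }
"Using certificate: $($cert.Subject) (thumbprint $($cert.Thumbprint))"

# 4. Turn on BitLocker with a certificate protector, the command-line equivalent
#    of "Use my smart card to unlock the drive". Only the public key is needed
#    here; the card PIN is requested when the drive is unlocked. A recovery
#    password is added as well, as the wizard does: record the 48-digit value
#    that manage-bde prints, it is the only way in if the card is lost.
manage-bde -on $DataDrive -Certificate -ct $cert.Thumbprint -RecoveryPassword

# 5. Verify: the protector list must show a Certificate and a Numerical Password
#    entry, and the status shows encryption in progress (it survives a reboot).
manage-bde -protectors -get $DataDrive
manage-bde -status $DataDrive
```

If step 3 returns nothing, the card's certificate was not propagated to the user store yet (re-insert the card, or use certutil -scinfo to list what the card holds); if manage-bde rejects the certificate, compare the OID in step 2 with the EKU shown by the certificate viewer before touching anything else.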