Technical Note
Gemalto .NET card and Bitlocker

Requirements:
• A .NET smart card with a certificate (a basic EFS certificate in this case)
• Windows 7

Certificate Creation

1. Enroll a card with an EFS certificate from any card management system (for example CLM), or create a self-signed certificate on Windows 7 as follows.
2. Click Start, and then click Control Panel.
3. In Search Control Panel, type certificates, and then click Manage file encryption certificates.
4. The Encrypting File System wizard opens. Click Next.
5. Click Create new certificate, and then click Next.
6. Click A self-signed certificate stored on my smart card, and then click Next.
7. In the Microsoft Smart Card Provider dialog box, type your smart card personal identification number (PIN) in the space provided, and then click OK.
8. After the certificate is created, you can choose to update previously encrypted files to use the new certificate, or click I'll update my encrypted files later to use the self-signed certificate only for BitLocker. Make your choice as appropriate, and then click Next.
9. The wizard confirms the creation of the certificate. Click Close to close the wizard.
10. Use of self-signed certificates is disabled by default, so the registry must be modified to allow them. Open the Registry Editor, navigate to the key HKLM\Software\Policies\Microsoft\FVE, and set the DWORD value SelfSignedCertificates to 1. This step is only needed for a self-signed certificate; a CA-issued EFS certificate enrolled through the card management system does not require it.

Configuration of Bitlocker

1. To associate the object identifier (OID) of this certificate with BitLocker, modify the associated Group Policy setting. Without it, BitLocker only accepts certificates that carry its own enhanced key usage OID (1.3.6.1.4.1.311.67.1.1), so an EFS certificate would not be offered as an unlock method.
2. To open the Local Group Policy Editor, click Start, and then in the Search programs and files box, type gpedit.msc.
3. Under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Validate smart card certificate usage rule compliance.
4. Click Enabled, set the Object identifier field to the object identifier of the certificate you just created, and click OK to apply the setting. In this case, the OID of an EFS certificate is "1.3.6.1.4.1.311.10.3.4".

Use case

1. Right-click the data drive (a smart card cannot be used to unlock the operating system drive; only data drives support certificate protectors) and select Turn on BitLocker...
2. Select "Use my smart card to unlock the drive".
3. Remarks:
   a. The machine can be switched off and on while encryption is in progress; encryption resumes after the restart.
   b. At the next logon, you will need the smart card (and its PIN) to unlock the data drive.

www.gemalto.com
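The registry side of the procedure above, together with the certificate check a practitioner would want before turning BitLocker on, as an added PowerShell example. This is not part of the Gemalto note. Two things in it are assumptions rather than facts from the note: the data drive letter ($DataDrive), and the value name CertificateOID as the REG_SZ value that the "Validate smart card certificate usage rule compliance" policy writes under the FVE policy key (confirm it on your system by enabling the policy in gpedit.msc once and exporting the key). The certificate check reads the Enhanced Key Usage extension directly, so it also works on the PowerShell 2.0 shipped with Windows 7.

```powershell
# Added example, not part of the Gemalto technical note.
# Run from an elevated PowerShell prompt on Windows 7.

$EfsOid    = '1.3.6.1.4.1.311.10.3.4'    # szOID_KP_EFS, the EKU OID named in the note
$FveKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$DataDrive = 'D:'                          # assumption: a data drive, never the OS drive

# Certificate Creation, step 10: allow self-signed certificates.
if (-not (Test-Path $FveKey)) { New-Item -Path $FveKey -Force | Out-Null }
Set-ItemProperty -Path $FveKey -Name 'SelfSignedCertificates' -Value 1 -Type DWord

# Configuration of Bitlocker, steps 1-4, without the GUI.
# Assumption: CertificateOID is the value the policy editor writes. On a
# domain-joined machine set this through Group Policy instead, or the next
# policy refresh will overwrite it.
Set-ItemProperty -Path $FveKey -Name 'CertificateOID' -Value $EfsOid -Type String

# Read back what BitLocker will see, so an OID typo is caught before encrypting.
Get-ItemProperty -Path $FveKey | Select-Object SelfSignedCertificates, CertificateOID

# Find certificates in the user's personal store whose EKU extension carries the
# EFS OID and that have a private key. BitLocker only offers "Use my smart card
# to unlock the drive" when such a certificate matches the configured OID.
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $cert = $_
    $ekus = @($cert.Extensions | Where-Object { $_ -is $ekuType } |
              ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $cert.HasPrivateKey -and ($ekus -contains $EfsOid)
}

if (-not $candidates) {
    Write-Warning "No certificate with EKU $EfsOid in Cert:\CurrentUser\My; enroll the card first."
    return
}
$candidates | Format-Table Subject, Thumbprint, NotAfter -AutoSize

# An expired certificate is rejected by BitLocker even if the OID matches.
$candidates | Where-Object { $_.NotAfter -lt (Get-Date) } |
    ForEach-Object { Write-Warning "Expired certificate: $($_.Thumbprint)" }

# State of the drive before and after the GUI steps in "Use case".
# manage-bde ships with Windows 7; -status and -protectors -get are read-only.
manage-bde -status $DataDrive
# After "Turn on BitLocker" with the smart card option, a protector of type
# "Certificate" (with the certificate thumbprint) should be listed here:
manage-bde -protectors -get $DataDrive
```

The important operational caveat is the second one: if the drive is encrypted with only the certificate protector and the card is lost or the certificate expires, the data is unrecoverable, so save the recovery password that the wizard offers (it appears in the manage-bde -protectors -get output as a "Numerical Password" protector) somewhere the card is not.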