To protect a BitLocker-encrypted drive with a GoldKey smart card, the card must hold a certificate that BitLocker accepts: one that carries the BitLocker Drive Encryption enhanced key usage (OID 1.3.6.1.4.1.311.67.1.1). Because the certificate created below is self-signed, BitLocker must also be configured to accept self-signed certificates; by default it rejects them.
Start by enabling self-signed certificates. Click Start and enter "regedit" into the Search programs and files box. Under the HKLM\Software\Policies\Microsoft\FVE key (create the FVE key if it does not exist), create a new DWORD value named "SelfSignedCertificates" with data 1. Editing this key requires administrator rights.
Using Notepad or another text editor, save the following text as certrequest.txt on your desktop. Use straight double quotes, not typographic ones; certreq will not parse curly quotes. The 1024-bit key length is the manual's default; 1024-bit RSA is no longer considered adequate, so use 2048 if your GoldKey can hold a key of that size.
[NewRequest]
Subject = "CN=BitLocker"
KeyLength = 1024
Exportable = TRUE
KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequestType = Cert
SMIME = FALSE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.4.1.311.67.1.1
Next, open an elevated command prompt to create the certificate. Click Start and type "cmd" into the Search programs and files box. When cmd.exe appears in the results, right-click it and select "Run as administrator." From the command prompt, enter the following commands:
cd %UserProfile%\Desktop
CertReq -new certrequest.txt
Because the request uses RequestType = Cert, certreq creates a self-signed certificate directly and places it, with its private key, in your personal certificate store. You will be asked to save the output as a file; save it as certrequest.req on your desktop.
Open the Microsoft Management Console by entering "mmc" into the Search programs and files box. From the File menu, select "Add/Remove Snap-in," and then add Certificates from the list on the left. If you are asked which account you would like to manage, select "My user account" and click Finish.
Under Certificates – Current User\Personal\Certificates you will find a new certificate called "BitLocker." Right-click this certificate and select Export from the All Tasks submenu, then follow the Certificate Export Wizard to save the certificate as BitLocker.pfx on your desktop. In the wizard, choose "Yes, export the private key" and set a strong password; the password is all that protects the key while the PFX file sits on disk.
Note: To export a certificate as a PFX file, you must export the private key.
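The same procedure can be scripted. The following PowerShell is an added example, not part of the GoldKey manual, and it performs the registry change, certificate creation, and PFX export from an elevated PowerShell prompt, adding two checks the manual does not show: that the registry value actually took effect, and that the resulting certificate carries the BitLocker Drive Encryption EKU before it is exported. It assumes certreq.exe is on the PATH (it ships with Windows), that the user's Desktop folder is the working location, and it raises the key length to 2048; file names and the password prompt are the script's own choices.

```powershell
# Added example: automates the manual steps above (registry, certreq INF,
# self-signed certificate, PFX export) and verifies each result.
# Run from an elevated PowerShell prompt. Assumes certreq.exe is on PATH.
$ErrorActionPreference = 'Stop'

$BitLockerEku = '1.3.6.1.4.1.311.67.1.1'   # BitLocker Drive Encryption EKU
$Desktop      = [Environment]::GetFolderPath('Desktop')
$InfPath      = Join-Path $Desktop 'certrequest.txt'
$ReqPath      = Join-Path $Desktop 'certrequest.req'
$PfxPath      = Join-Path $Desktop 'BitLocker.pfx'

# 1. Allow BitLocker to accept self-signed smart card certificates, then
#    read the value back so a silent failure does not surface later as
#    BitLocker rejecting the card.
$FveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $FveKey)) { New-Item -Path $FveKey -Force | Out-Null }
Set-ItemProperty -Path $FveKey -Name 'SelfSignedCertificates' -Value 1 -Type DWord
if ((Get-ItemProperty -Path $FveKey).SelfSignedCertificates -ne 1) {
    throw 'SelfSignedCertificates was not set; BitLocker will reject the certificate.'
}

# 2. Write the certreq INF. KeyLength is 2048 here (the manual uses 1024);
#    lower it only if the token cannot hold a 2048-bit RSA key.
@"
[NewRequest]
Subject = "CN=BitLocker"
KeyLength = 2048
Exportable = TRUE
KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequestType = Cert
SMIME = FALSE
[EnhancedKeyUsageExtension]
OID=$BitLockerEku
"@ | Set-Content -Path $InfPath -Encoding ASCII

# 3. Create the self-signed certificate. RequestType = Cert places it in
#    Cert:\CurrentUser\My; -q suppresses the interactive file dialogs and
#    -f overwrites an existing output file.
& certreq.exe -new -q -f $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 4. Locate the newest CN=BitLocker certificate that has a private key and
#    confirm the EKU BitLocker requires is present.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=BitLocker' -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'No CN=BitLocker certificate with a private key was found.' }

$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not $ekuExt -or (@($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -notcontains $BitLockerEku)) {
    throw 'Certificate lacks the BitLocker Drive Encryption EKU; BitLocker will not accept it.'
}

# 5. Export certificate plus private key as a password-protected PFX.
#    The .NET Export overload works on any Windows version; it does not
#    depend on the PKI module's Export-PfxCertificate.
$pfxPassword = Read-Host -AsSecureString 'Password to protect BitLocker.pfx'
$pfxBytes = $cert.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12,
    $pfxPassword)
[IO.File]::WriteAllBytes($PfxPath, $pfxBytes)
Write-Host "Exported certificate $($cert.Thumbprint) to $PfxPath"
```

After the PFX has been loaded onto the GoldKey, the software copy of the private key still sits in Cert:\CurrentUser\My and in BitLocker.pfx. Delete both (Remove-Item on the certificate path and on the PFX file) once the card is confirmed to unlock the drive; otherwise the drive can be unlocked from that user profile without the card, which defeats the purpose of the smart card protector.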
Instructions to load a certificate onto a GoldKey from a PFX file can be found in the online manual.