Creating a self-signed certificate for BitLocker

To lock a BitLocker-secured drive using a GoldKey smart card, you must have a certificate that is valid for BitLocker, and self-signed certificates must be enabled for BitLocker.

Start by enabling self-signed certificates. Click Start and enter “regedit” into the Search programs and files box. Under the HKLM\Software\Policies\Microsoft\FVE key, create a new DWORD called “SelfSignedCertificates”, with a value of 1.

Using notepad or another text editor, save the following text as certrequest.txt on your desktop:

[NewRequest]
Subject = "CN=BitLocker"
KeyLength = 1024
Exportable = TRUE
RequestType = Cert

Next, you will need to open the command prompt to create the certificate. Click Start and type “cmd” into the Search programs and files box. When the command prompt appears, right-click on its icon and select “Run as administrator.” From the command prompt, enter the following commands:

   cd %UserProfile%\Desktop
   CertReq -new certrequest.txt

You will be asked to save the request as a file; save it as certrequest.req on your desktop.

Open the Microsoft Management Console by entering “mmc” into the Search programs and files box. From the File menu, select “Add/Remove Snap-in,” and then add Certificates from the list on the left. If you are asked which account you would like to manage, select “My user account” and click Finish.

Under Certificates – Current User\Personal\Certificates you will find a new certificate called “BitLocker.” Right-click on this certificate and select Export from the All Tasks submenu, then follow the Certificate Export Wizard to save the certificate as BitLocker.pfx on your desktop.

Note: To export a certificate as a PFX file, you must export the private key.
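The whole procedure above (registry value, request file, certificate creation, PFX export) can also be done from an elevated PowerShell session. The script below is an added example, not part of the GoldKey manual; it assumes Windows 8 / Server 2012 or later so that Export-PfxCertificate from the PKI module is available, and it keeps the page's KeyLength of 1024 (2048 is the usual minimum today if your environment allows it). It also checks, before exporting, that the certificate actually has a private key, since the PFX export and the subsequent GoldKey load depend on that.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the GoldKey page). Assumes Windows 8+/PowerShell 3+
# for Export-PfxCertificate. Paths follow the page: everything lands on the desktop.
$ErrorActionPreference = 'Stop'

$desktop = [Environment]::GetFolderPath('Desktop')
$infPath = Join-Path $desktop 'certrequest.txt'
$reqPath = Join-Path $desktop 'certrequest.req'
$pfxPath = Join-Path $desktop 'BitLocker.pfx'

# 1. Enable self-signed certificates for BitLocker
#    (HKLM\Software\Policies\Microsoft\FVE\SelfSignedCertificates = 1).
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fveKey)) { New-Item -Path $fveKey -Force | Out-Null }
New-ItemProperty -Path $fveKey -Name 'SelfSignedCertificates' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Write the certreq INF with the same settings as the page's certrequest.txt.
@'
[NewRequest]
Subject = "CN=BitLocker"
KeyLength = 1024
Exportable = TRUE
RequestType = Cert
'@ | Set-Content -Path $infPath -Encoding ASCII

# 3. Create the self-signed certificate in Current User\Personal.
#    RequestType = Cert makes certreq issue the certificate directly instead of
#    producing a pending request; -f overwrites an existing output file.
& certreq.exe -new -f $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 4. Locate the new certificate and confirm it carries a private key; without
#    one the PFX export below (and the GoldKey load) cannot work.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=BitLocker' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'No CN=BitLocker certificate found in Cert:\CurrentUser\My' }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; PFX export would fail' }

# 5. Export certificate and private key as BitLocker.pfx (the page does this
#    through the Certificate Export Wizard). The password is prompted, not stored.
$pfxPassword = Read-Host -Prompt 'Password for BitLocker.pfx' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 6. Summarise what was created and re-read the policy value so both can be verified.
[pscustomobject]@{
    Thumbprint        = $cert.Thumbprint
    NotAfter          = $cert.NotAfter
    PfxPath           = $pfxPath
    SelfSignedEnabled = (Get-ItemProperty -Path $fveKey).SelfSignedCertificates
}
```

Run it once from an administrator PowerShell prompt; afterwards BitLocker.pfx on the desktop is the file to load onto the GoldKey, and the summary object shows the thumbprint you should see under Certificates – Current User\Personal\Certificates in the MMC.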

Instructions to load a certificate onto a GoldKey from a PFX file can be found in the online manual.