Bitlocker and Smart Card Certificates

BobH
UraniumLounger
Posts: 9534
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Post by BobH »

Stuart's post started me looking into encryption, a topic I'm sad to admit I've ignored.

It seems that one can encrypt entire hard drives and portable storage devices using Bitlocker, which is built into Windows, and all files saved from apps will be intercepted and encrypted. As I understand it, Bitlocker uses one (or more?) encryption keys that the user must establish. If one encrypts entire drives - as I think I'll do - then one must obtain and manage an authentication certificate. As I understand it, Bitlocker is Windows only and will not allow files encrypted by it to be decrypted by a Mac or other OS. That doesn't matter to me as I don't have the need to share any files with anyone on that platform.

I think the certificate is used when one starts Windows. Reference is made to using a 'smart card' to automate providing the certificate. I think of smart cards as the plastic things in one's wallet that have a chip to store data. I don't have a card reader. I tried to learn if a thumb drive can be used to store the certificate and perform as a 'smart card'. I didn't find an answer.

Does anyone know if a USB thumb drive can store the Bitlocker certificate and if it can be used to answer Bitlocker's need for the certificate?

I plan to store the Bitlocker certificate on my iOS devices, carefully disguised, of course. Should I also keep a copy on paper?

What have I missed or misunderstood about using Bitlocker? Is a third party app a better choice? Why or why not? What else should I know about Bitlocker or about encrypting files generally?

:cheers: :chocciebar: :thankyou:
Bob's yer Uncle
(1/2)(1+√5)
Dell Intel Core i5 Laptop, 3570K, 1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice, and other bits and bobs

stuck
Panoramic Lounger
Posts: 8435
Joined: 25 Jan 2010, 09:09
Location: retirement

Re: Bitlocker and Smart Card Certificates

Post by stuck »


StuartR
Administrator
Posts: 12808
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Bitlocker and Smart Card Certificates

Post by StuartR »

I use Veracrypt on my PCs as I only want to encrypt my data partitions, not the OS.
StuartR


BobH
UraniumLounger
Posts: 9534
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Bitlocker and Smart Card Certificates

Post by BobH »

Does Veracrypt work with iOS and Linux?

stuck
Panoramic Lounger
Posts: 8435
Joined: 25 Jan 2010, 09:09
Location: retirement

Re: Bitlocker and Smart Card Certificates

Post by stuck »

Ask Google:
    https://www.google.com/search?client=fi ... d+Linux%3F

:whisper: the answer seems to be yes.

Ken

BobH
UraniumLounger
Posts: 9534
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Bitlocker and Smart Card Certificates

Post by BobH »

I've installed Veracrypt. I'm working through the tutorial. I brought up Disk Management to guide me through choices. I re-discovered that my OS resides on Disk C: where many other files reside.

Can anyone suggest how to isolate the OS, Windows 11 Pro, by removing unrelated files to a different location? Should that location be a partition or a separate drive? As I understand it, VC can be made to bypass the location but I want non-Windows-related files to be encrypted. It seems to me that the easiest way to do so would be to move non-Windows files to a different partition. Can it be as simple as creating a new folder for all non-Windows files? The VC tutorial shows, for example, C:/Data/files as the location for VC to encrypt.
FWIW, I have a number of other USB drives, each having its own drive letter. One of them is a 1TB drive in an enclosure connected by USB. I'll have to find an unused letter if I create a data partition separate from the Windows partition.

BobH
UraniumLounger
Posts: 9534
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Bitlocker and Smart Card Certificates

Post by BobH »

Re-reading the VC tutorial, it seems that the encrypted container must be a volume, i.e., it must be a drive letter. The tutorial uses M:/. I'm a bit troubled by choosing the size of the container for encryption. The tutorial shows 250MB allocated. This seems quite small to me. At one point it describes the container as a virtual device. This, too, confuses me. How can data stored on a virtual drive - i.e., not a real one - exist? Virtual, to me, means not real and tangible; but perhaps I don't have an appropriate vocabulary and understanding of its use.

In separating Windows files from data, I looked at File Explorer. On the C: drive there is a Windows folder. Does this contain all the files that need not be encrypted as Stuart chooses? What should one do about Program Files? Are there other folders or contents that could be placed with the OS to avoid encrypting them? If I want to encrypt data on my removable drives (thumb drives, cards, external hard drives, etc.) must I create encryption containers on each of them?

I'm beginning to wonder if encryption will entail vagaries with which my aging brain cannot cope.