BitLocker/PersonalUse

From UMIACS
Revision as of 20:28, 2 January 2020

Overview

BitLocker can be used on fixed hard drives (i.e. internal to your computer) as well as on portable hard drives (i.e. USB). If you want to hold a secure, offline copy of files that you want to be preserved, you can combine BitLocker To Go on a portable hard drive holding the data with a hardware token that supplies the key.

Prerequisites

  • A portable hard drive formatted with an NTFS, FAT16, FAT32, or exFAT file system.
  • Any desktop edition of Windows 10 except Home. BitLocker encryption is not included as a feature of Windows 10 Home, though encrypted drives can still be accessed via Windows 10 Home.
  • A YubiKey security token. Other security tokens may work, but this procedure will focus on using a YubiKey.

Initializing the YubiKey and hard drive

  1. Download and install the YubiKey personalization tool (graphical version).
  2. Insert your YubiKey into any USB slot and launch the personalization tool. Select Static Password at the top and then Advanced.
  3. Select Configuration Slot 2 and change the password length to 48 chars. Then click all three Generate buttons in order to generate the identities and the secret key and finally Write Configuration. You do not need to save the .csv file that pops up. Ensure that "YubiKey has been successfully configured" is output in the Results window, and then click Exit in the top right to exit the tool.
  4. Insert your portable hard drive into any USB slot and search for BitLocker in the start menu to open the Manage BitLocker control panel item.
  5. Expand Removable data drives - BitLocker To Go by clicking the arrow on the right and then click Turn on BitLocker on the portable hard drive.
  6. BitLocker will initialize for a few seconds and then pop up with a menu asking how you want to unlock the drive. Choose Use a password to unlock the drive and physically touch the YubiKey's sensor for 3 seconds to get it to output the password you configured previously (twice, one for each password field).
  7. The menu should automatically advance to asking how you want to back up the recovery key. The recovery key is the only way to get into the encrypted drive if you lose the YubiKey. We strongly recommend the Save to a file option for reasons that we will get into. If you choose to print out the recovery key, store it somewhere safe such as a safe deposit box.
  8. Choose to save the file somewhere on the C drive of the computer you are using to run BitLocker, such as your Documents folder.
  9. Leave the default option of Encrypt used disk space only on unless you previously had sensitive data stored on this drive before formatting it as part of the prerequisites.
  10. Leave the default of Compatible mode to better ensure the files on the encrypted drive will be readable from other devices if need be.
  11. Continue through the menus and finally choose to Start encrypting.
  12. BitLocker will begin encrypting and a separate window will pop up to show you the status. This step should complete very quickly if the drive is empty, but may take additional time if there are already files on it. You do not have to wait for encryption to complete to proceed with the remaining steps, but you do need to wait for encryption to complete before disconnecting the portable hard drive from the machine.
  13. Download and install KeePassXC Password Manager.
  14. Launch KeePassXC and choose to Create new database.
  15. Choose descriptive phrases for the Database Name and Description and click Continue.
  16. Leave all the options on the next menu at default and click Continue.
  17. Choose a memorable password and click Done.
  18. Choose to save the file in the same location that you chose to save the recovery key text file in.
  19. In your newly created database, choose to Add a new entry from the top pane.
  20. Make the Title something memorable. Open the recovery key text file saved earlier, copy the Identifier into the Username field and the Recovery Key into the Password/Repeat fields. Leave some descriptive text in the Notes section to help clarify which fields are which of the BitLocker attributes. Click OK and then exit out of the database back on the main menu.
  21. Delete the recovery key text file (NOT the database you just created). Then also delete it from the Recycle Bin. If you leave the recovery key text file in the open, your encrypted portable hard drive is only as secure as that file is (the text file is not encrypted and has no password to protect it).
  22. (Optional) Make a copy of the database on one or more other USB storage devices, such as flash drives, to create additional recovery backups. Otherwise, you must remember to move this recovery file when you replace the computer the database file is on. You will also need to install KeePassXC on any other computer that you need to open the database on.
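The drive-side part of the procedure (steps 4 through 12) can also be carried out with the BitLocker PowerShell module that ships with Windows, which is useful when setting up several drives or when you want to verify the result. The script below is an added example and not part of the UMIACS page; it assumes an elevated PowerShell session, a Windows 10 edition that includes BitLocker, and that the portable drive is mounted as E: (an assumption; adjust as needed). It uses only the built-in cmdlets Enable-BitLocker, Add-BitLockerKeyProtector and Get-BitLockerVolume, and writes the identifier and recovery key to a text file in Documents so that steps 13 through 21 can proceed exactly as described.

```powershell
# Added example (not from the UMIACS page): scripted equivalent of steps 4-12.
# Run from an elevated PowerShell; the drive letter below is an assumption.
$MountPoint = 'E:'   # assumed drive letter of the portable hard drive

# Step 6 equivalent: the YubiKey static password goes into a secure prompt.
# Touch the YubiKey sensor when prompted; never hard-code the password in a script.
$Password = Read-Host -AsSecureString -Prompt "Touch the YubiKey to enter the drive password"

# Steps 9-10 equivalent: encrypt used space only, and use AES-CBC (the GUI's
# "Compatible mode") so the drive stays readable on other Windows versions.
Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password `
    -EncryptionMethod Aes256 -UsedSpaceOnly

# Step 7 equivalent: add the 48-digit recovery password as a second protector.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

# Step 8 equivalent: write the identifier and recovery key to a text file in Documents.
# The identifier BitLocker shows at unlock time is the recovery protector's KeyProtectorId.
# Treat this file exactly as the page says: copy it into KeePassXC, then delete it.
$Volume   = Get-BitLockerVolume -MountPoint $MountPoint
$Recovery = $Volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
$OutFile  = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'BitLocker Recovery Key.txt'
@(
    "Identifier:"
    "    $($Recovery.KeyProtectorId)"
    "Recovery Key:"
    "    $($Recovery.RecoveryPassword)"
) | Set-Content -Path $OutFile
Write-Host "Recovery key written to $OutFile (move it into KeePassXC, then delete the file)."

# Step 12 equivalent: wait for encryption to finish before the drive is unplugged.
do {
    Start-Sleep -Seconds 5
    $Volume = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Host ("Encryption progress: {0}%" -f $Volume.EncryptionPercentage)
} while ($Volume.VolumeStatus -eq 'EncryptionInProgress')

# Final check: protection is on and both protector types are present.
$Types = $Volume.KeyProtector.KeyProtectorType
if ($Volume.ProtectionStatus -eq 'On' -and 'Password' -in $Types -and 'RecoveryPassword' -in $Types) {
    Write-Host "Drive $MountPoint is protected by a password and a recovery password."
} else {
    Write-Warning "Drive $MountPoint is not fully protected; inspect Get-BitLockerVolume $MountPoint."
}
```

The final check is the part worth keeping even if you use the graphical procedure: Get-BitLockerVolume lists every key protector on the drive, so you can confirm that exactly the two you expect (the YubiKey-typed password and the recovery password) are present before you delete the recovery key text file.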

Extras

Set up Auto-unlock

BitLocker has the ability to auto-unlock a drive for specific users when plugged into specific computers if so desired. We recommend this only if the user accounts that you turn it on for are secure (e.g. have sufficiently complex passwords), if the computers that you turn it on for are in secure locations, and if you anticipate moving the hard drive around frequently.

To enable auto-unlock for a drive (per user per computer):

To be continued.
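As an added example that is not part of the UMIACS page, the per-user, per-computer auto-unlock described above can be turned on with the built-in Enable-BitLockerAutoUnlock cmdlet. The script assumes the portable drive is mounted as E: (an assumption) and is run as the user who should get auto-unlock on this computer; the drive has to be unlocked first, so it prompts for the YubiKey static password if the drive is still locked.

```powershell
# Added example (not from the UMIACS page): enable auto-unlock for the current user
# on the current computer. The drive letter is an assumption.
$MountPoint = 'E:'

$Volume = Get-BitLockerVolume -MountPoint $MountPoint

# Auto-unlock can only be configured while the drive is unlocked, so unlock it
# with the YubiKey static password first if necessary.
if ($Volume.LockStatus -eq 'Locked') {
    $Password = Read-Host -AsSecureString -Prompt "Touch the YubiKey to unlock $MountPoint"
    Unlock-BitLocker -MountPoint $MountPoint -Password $Password | Out-Null
}

# The setting is stored for this user account on this computer only, which is why
# the page's caveat about secure accounts and secure locations applies.
Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
Write-Host "Auto-unlock enabled for $MountPoint for $env:USERNAME on $env:COMPUTERNAME."

# To revert (e.g. before the computer changes hands or leaves a secure location):
# Disable-BitLockerAutoUnlock -MountPoint $MountPoint
```

Because the auto-unlock key is bound to the account and machine it was enabled on, remember to run Disable-BitLockerAutoUnlock before retiring or reassigning that computer.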

Set up backup via File History

One of the more useful things you may want to do with a BitLocker-encrypted portable hard drive is set up automatic backup to it. This can be done with Windows 10's built-in backup tool, File History.

To enable File History for your encrypted portable hard drive:

To be continued.