
@daemonhorn
Last active April 7, 2024 15:00
Using PIV Smartcard and Yubikey with Windows Encrypting Filesystem

Yubikey 5 Win 10 20H2 x64 Pro PIV EFS Setup

Overview

PIV on a Yubikey can be used for SSH authentication, Windows OS login, NTFS Encrypting File System (EFS) support, Bitlocker and other use cases. The examples below use self-signed certificates and keys generated on the Yubikey secure element, so the private key never leaves the token; they can be adapted to an enterprise environment with a root CA/intermediate CA and trusted certificate chains as needed. Note: while a CA makes management easier and scalable, it also widens the ring of trust, and so can decrease security if it is not managed properly.

Requires: Windows 10 Pro (20H2 was used for this document, but earlier Pro versions work too; Home editions do not include EFS) and a Yubikey 4 or 5 security token. The ykman config commands in step 2 (enabling/disabling applications per interface and the configuration lock code) need a Yubikey 5; on a Yubikey 4 skip step 2, or use ykman mode to restrict the USB interfaces.

PIV References:
  NIST SP 800-73-4: https://csrc.nist.gov/publications/detail/sp/800-73/4/final
  Yubico PIV Setup: https://developers.yubico.com/PIV/Guides/Device_setup.html
  Ykman CLI Manual: https://support.yubico.com/hc/en-us/articles/360016614940-YubiKey-Manager-CLI-ykman-User-Manual
  Yubico PIV Info: https://developers.yubico.com/PIV/
  Microsoft Encrypted File System (EFS): https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc875821(v=technet.10)

Configure

NTFS Encrypted File System (EFS) Configuration with secure PIV smartcard lock, touch policy, pin policy:

  1. Download and install the latest Yubikey software from https://www.yubico.com/downloads:
       - Yubikey Manager (on the machine used for the one-time configuration of the PIV applet and the Yubikey)
       - Yubikey x64 minidriver (on every machine where the token will actually be used with NTFS EFS)
  2. Configure the hardware device and lock the configuration with a lock code. Customize as needed; there is nothing wrong with leaving other Yubikey functionality enabled, this example just locks the key down to the PIV function over USB. Open a command prompt (cmd.exe), navigate to the Yubikey Manager folder (cd "%programfiles%\Yubico\Yubikey Manager") and run:
       ykman config nfc --disable-all                (NFC-capable keys only)
       ykman config usb --disable-all --enable PIV   (one invocation, so the key is never left with no USB application enabled)
       ykman config set-lock-code --generate         (save the generated lock code somewhere safe; without it the interface configuration cannot be changed again)
       ykman info                                    (verify the configuration before continuing)
  3. Configure the PIV PIN, PUK, management key, CCC and CHUID (see the Appendix for a batch file that does this):
       ykman piv change-management-key --protect --generate   (a random management key, stored on the Yubikey and unlocked by the PIN, so it never has to be typed or kept elsewhere)
       ykman piv change-pin --pin 123456 --new-pin XXXXXX     (123456 is the factory default PIN)
       ykman piv change-puk --puk 12345678 --new-puk XXXXXXXX (12345678 is the factory default PUK)
       ykman piv set-ccc --pin XXXXXX
       ykman piv set-chuid --pin XXXXXX
       ykman piv info                                          (verify the configuration before continuing)
     Windows does not treat the key as a PIV smart card unless both the CCC and the CHUID are present. These are the ykman 3.x command names; ykman 4.0 and later spell them ykman piv access change-management-key / change-pin / change-puk and ykman piv objects generate ccc / chuid, with the same options.
  4. Generate the slot 9A key and certificate with the PIN and touch policy:
       ykman piv generate-key --pin XXXXXX --algorithm rsa2048 --pin-policy once --touch-policy always 9a c:\Users\<username>\Y5-PIV-9a.pub
       ykman piv generate-certificate --pin XXXXXX --subject user-efs-y5-rsa 9a c:\Users\<username>\Y5-PIV-9a.pub
     The .pub file is only the public half of the key; the self-signed certificate is built from it and written back to the slot. The PIN and touch policies are fixed when the key is generated and cannot be changed afterwards; regenerate the key to change them. With ykman 4.0 and later the commands are ykman piv keys generate and ykman piv certificates generate, and --subject expects an RFC 4514 DN such as "CN=user-efs-y5-rsa".
  5. Generate an EFS Recovery Agent key (optional, but needed for the recovery agent in step 6). Use a second Yubikey, separate from the primary user's, that has already been configured as in step 3. Open a command prompt, insert that Yubikey and run:
       cipher /R:EFSRA /SMARTCARD
     Enter the PIN at the prompt. The private key is generated on the Yubikey (slot 9d) and the public certificate is written to the current working folder as EFSRA.CER. Store that Yubikey separately: it can decrypt every file protected under this policy.
  6. Configure Windows 10 Group Policy: run gpedit.msc (as admin) and open Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> Encrypting File System. Right-click it, choose Properties, select Allow EFS and (optionally) Require Smart Card. Right-click Encrypting File System again, choose "Add Data Recovery Agent" and browse to the EFSRA.CER created in step 5.
  7. Configure Windows 10 EFS (requires an NTFS filesystem):
       - Install the latest Windows minidriver from https://www.yubico.com/downloads. If you will use RDP with smart card passthrough, legacy mode is needed so the right driver loads on both client and server: add INSTALL_LEGACY_MODE=1 /passive to the MSI install command line on both machines.
       - Remove the Yubikey if it is already inserted, insert it again and let the driver finish enumeration before continuing.
       - Open Control Panel -> Manage File Encryption Certificates wizard. Click "Select Certificate" and pick the certificate generated in step 4 (user-efs-y5-rsa, or <username>-y5-rsa2048-9a@<OU> if you used the Appendix batch file). Enter the PIN when prompted and touch the gold contact on the Yubikey when it starts blinking. Click Next, choose "I'll update my encrypted files later", then Done.
       - In Windows Explorer open the folder you want to encrypt. Do not pick your top-level Documents folder, which breaks the user experience in many apps; a sub-folder such as c:\users\user1\documents\protected is generally fine. Right-click the folder (e.g. protected) -> Properties -> Advanced, uncheck "Allow files in this folder to have contents indexed", check "Encrypt contents to secure data" and click OK.

When prompted choose "Apply changes to this folder, subfolders, and files" and select OK. You should be done. Now open a file in the encrypted folder: you are prompted for the PIN the first time (PIN policy once) and must touch the Yubikey for every following read or write to the encrypted folder (touch policy always). Removing the Yubikey locks the folder; the token has to be inserted and the PIN entered again. There are other ways to set up this policy (including the cached touch policy, which allows access for 15 seconds after a touch without confirming again), but this way is a "reasonable" compromise for securing sensitive data.
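The steps above end with "you should be done", but nothing yet proves that the key Windows is using is the one on the token with the intended policy. The PowerShell script below is an added post-setup check, not part of the original gist: it pulls the slot's attestation certificate (signed inside the secure element, so it reports the real PIN/touch policy, firmware and serial), finds the certificate in the user store whose public key matches that attested key, confirms the step 7 folder attributes, and lists which certificate thumbprints cipher /c says can decrypt the files. It assumes ykman 4.0 or later on PATH (ykman piv keys attest; ykman 3.x spelled it ykman piv attest), a key in slot 9a generated with --pin-policy once --touch-policy always, and a hypothetical default folder path; the cipher /c output format it parses is also an assumption.

```powershell
# Added post-setup check for the procedure above; not part of the original gist.
# Assumes ykman 4.0+ on PATH ("ykman piv keys attest"; ykman 3.x spelled it "ykman piv attest"),
# a key generated in slot 9a with --pin-policy once --touch-policy always, and a hypothetical
# default path for the step 7 folder. Run in the user's own session with the Yubikey inserted.
param(
    [string]$Slot = '9a',
    [string]$ProtectedFolder = "$env:USERPROFILE\Documents\protected",
    [string]$RecoveryAgentCer = ''                      # optional: EFSRA.CER from step 5
)
$ErrorActionPreference = 'Stop'

# Yubico PIV attestation extension OIDs (from Yubico's PIV attestation documentation).
$OidFirmware = '1.3.6.1.4.1.41482.3.3'   # three raw bytes: major, minor, patch
$OidSerial   = '1.3.6.1.4.1.41482.3.7'   # DER INTEGER: device serial number
$OidPolicy   = '1.3.6.1.4.1.41482.3.8'   # two raw bytes: PIN policy, touch policy
$PinPolicyNames   = @{ 1 = 'never'; 2 = 'once'; 3 = 'always' }
$TouchPolicyNames = @{ 1 = 'never'; 2 = 'always'; 3 = 'cached' }

function Get-CertExtension([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid) {
    $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid } | Select-Object -First 1
}

# 1. Attestation. The attestation certificate is signed inside the secure element, so its policy
#    bytes show what the key was really generated with; the self-signed slot certificate proves nothing.
$attestPath = Join-Path $env:TEMP "piv-$Slot-attest.pem"
& ykman piv keys attest $Slot $attestPath
if ($LASTEXITCODE -ne 0) { throw "ykman could not attest slot $Slot" }
$attest = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $attestPath

$policyExt = Get-CertExtension $attest $OidPolicy
if (-not $policyExt) { throw 'No policy extension in the attestation; expected a key generated on a Yubikey 4/5.' }
$pinPolicy   = $PinPolicyNames[[int]$policyExt.RawData[0]]
$touchPolicy = $TouchPolicyNames[[int]$policyExt.RawData[1]]

$fwExt    = Get-CertExtension $attest $OidFirmware
$firmware = if ($fwExt) { ($fwExt.RawData | ForEach-Object { [int]$_ }) -join '.' } else { 'n/a' }

$serial    = 'n/a'
$serialExt = Get-CertExtension $attest $OidSerial
if ($serialExt) {
    $raw = $serialExt.RawData
    if ($raw[0] -eq 0x02) { $raw = $raw[2..($raw.Length - 1)] }   # strip DER INTEGER tag + short-form length
    $serial = [long]0
    foreach ($b in $raw) { $serial = $serial * 256 + [long]$b }
}
"Yubikey serial $serial, firmware $firmware, slot $($Slot): PIN policy=$pinPolicy, touch policy=$touchPolicy"
if ($pinPolicy -ne 'once' -or $touchPolicy -ne 'always') {
    Write-Warning 'Slot policy is not once/always. Policies are fixed at generation time; regenerate the key.'
}

# 2. Tie the certificate Windows will use for EFS to the attested key: the certificate in the user
#    store whose public key equals the attested public key is the one backed by slot 9a.
$attestedKey = [Convert]::ToBase64String($attest.GetPublicKey())
$efsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { [Convert]::ToBase64String($_.GetPublicKey()) -eq $attestedKey } |
    Select-Object -First 1
if (-not $efsCert) {
    throw 'No certificate in CurrentUser\My matches the attested key; re-run the Manage File Encryption Certificates wizard.'
}
"EFS certificate: $($efsCert.Subject), thumbprint $($efsCert.Thumbprint), private key present=$($efsCert.HasPrivateKey)"

# 3. Folder attributes from step 7: Encrypted set and content indexing off.
$attrs = (Get-Item -LiteralPath $ProtectedFolder -Force).Attributes
$encrypted  = [bool]($attrs -band [IO.FileAttributes]::Encrypted)
$notIndexed = [bool]($attrs -band [IO.FileAttributes]::NotContentIndexed)
"Folder $($ProtectedFolder): encrypted=$encrypted, indexing disabled=$notIndexed"
if (-not $encrypted) { Write-Warning 'Folder is not marked Encrypted; new files in it will be written in clear text.' }

# 4. Every thumbprint that can decrypt the files should be the EFS certificate or the recovery agent.
#    Assumption: "cipher /c" prints each key as "Certificate thumbprint: XXXX XXXX ..." (4-character groups).
$allowed = @($efsCert.Thumbprint)
if ($RecoveryAgentCer -and (Test-Path -LiteralPath $RecoveryAgentCer)) {
    $allowed += (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RecoveryAgentCer).Thumbprint
}
$seen = & cipher /c /s:$ProtectedFolder |
    Select-String -Pattern 'thumbprint:\s*([0-9A-Fa-f ]+)\s*$' |
    ForEach-Object { ($_.Matches[0].Groups[1].Value -replace '\s', '').ToUpperInvariant() } |
    Sort-Object -Unique
foreach ($tp in $seen) {
    if ($allowed -notcontains $tp) { Write-Warning "Key outside the policy can decrypt files here: thumbprint $tp" }
}
"Decryption keys seen on files: $($seen -join ', ')"
```

Run it as the user who owns the folder, for example .\Check-PivEfs.ps1 -RecoveryAgentCer C:\path\EFSRA.CER. A warning from step 4 means a file was encrypted to a key other than the token or the recovery agent (typically a leftover software EFS certificate from before the wizard), and the file should be re-encrypted with cipher /u after that certificate is removed.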

TODO

  1. Make documentation formatting easier to read, move images from original screenshots/word doc.
  2. Determine why ECC EFS certificates are not honored regardless of generation point (ykman certificate generation vs Windows Encrypting File System wizard generation). Group policy here does not do what is expected or documented. Might be attestation related or PEBKAC error.
  3. Determine if attestation certificate is required (post slot 9a generation)
  4. Determine if this works from any certificate slot (likely)
  5. Determine instructions for using Windows CA in Active Directory for root of trust
  6. Determine AD GPO changes for enterprise domain attached machines
  7. Document cipher command line for encrypting/decrypting
  8. Document cipher recovery agent usage process

Appendix:

(Batch file to automate setup.) It resets the PIV applet first, destroying every key already on the token, so run it only on a key you mean to reinitialize. For obvious reasons, update the PIN and PUK variables before executing, and customize the OU company name. The commands use the ykman 3.x names; the ykman 4.0+ equivalents are noted in the file.

@echo off
setlocal
REM Update PIN and PUK before running (PIN: 6-8 digits, PUK: 8 digits). SET "NAME=value" keeps
REM the quotes out of the value so they do not end up inside file names or the certificate subject.
SET "PIN=112233"
SET "PUK=11112222"
SET "OU=My_Company"
SET "ALGO=rsa2048"
SET "SLOT=9a"
REM ykman is not on PATH by default; fall back to the Yubikey Manager install folder.
where ykman >nul 2>&1 || SET "PATH=%PATH%;%ProgramFiles%\Yubico\YubiKey Manager"
echo Deleting all Yubikey PIV keys in all slots...  Hit Control+C to abort, otherwise
pause
REM ykman 3.x command names. On ykman 4.0+ use: piv access change-management-key / change-pin / change-puk,
REM piv objects generate ccc / chuid, piv keys generate and piv certificates generate (same options).
ykman piv reset --force
REM After the reset the applet is back at the factory PIN, PUK and management key used below.
ykman piv change-management-key --protect --generate --pin 123456 --management-key 010203040506070801020304050607080102030405060708
ykman piv change-pin --pin 123456 --new-pin %PIN%
ykman piv change-puk --puk 12345678 --new-puk %PUK%
ykman piv set-ccc --pin %PIN%
ykman piv set-chuid --pin %PIN%
REM PIN once per session, touch on every use. Both policies are fixed at generation time.
ykman piv generate-key --pin %PIN% --algorithm %ALGO% --pin-policy once --touch-policy always %SLOT% "%userprofile%\Y5-PIV-%SLOT%.pub"
REM ykman 4.0+ expects an RFC 4514 DN for --subject, e.g. "CN=%username%-y5-%ALGO%-%SLOT%,O=%OU%".
ykman piv generate-certificate --pin %PIN% --subject %username%-y5-%ALGO%-%SLOT%@%OU% %SLOT% "%userprofile%\Y5-PIV-%SLOT%.pub"
ykman piv info >"%userprofile%\Y5-PIV-%SLOT%-info.txt"
type "%userprofile%\Y5-PIV-%SLOT%-info.txt"
endlocal