
Yubikey as SmartCard

I have been using a SmartCard (Yubikey 4, PIV interface) with RSA certificate to unlock BitLocker protected drives. The certificates are self-signed and generated by the Encrypted File System (EFS) wizard. The OID-number of EFS was added to Group Policy entry so I can use them for BitLocker. (Method)

This is working fine for a few years now, but I have no control over the attributes of the certificate generated by EFS's wizard. I cannot choose the type of keys nor the signature algorithm which is sha1 by default. (I have not explored if one can influence the attributes via the registry or GPO as using the EFS wizard is already a side-step itself.)

So I used Powershell to generate more modern certificates. I tried to use Curve25519, Windows seemed to have it in the available curve list(certutil -displayEccCurve), but unfortunately I was unable to generate a certificate with that curve. I tried brainpoolP384r, which worked, but I had to consider Yubikey's compatibility so from the spec I used secP256r1.

### Generate Curve Cert

```powershell
New-SelfSignedCertificate -Type Custom -Subject "CN=Test1-Curve-Cert" `
  -TextExtension @("2.5.29.37={text}1.3.6.1.4.1.311.10.3.4","2.5.29.17={text}[email protected]") `
  -KeyUsage KeyEncipherment -KeyAlgorithm ECDSA_secP256r1 -HashAlgorithm sha256 -CurveExport CurveName `
  -CertStoreLocation "Cert:\CurrentUser\My" -NotAfter (Get-Date).AddDays(14)
```

### Generate RSA Cert (Control group):

```powershell
New-SelfSignedCertificate -Type Custom -Subject "CN=Test2-RSA-Cert" `
  -TextExtension @("2.5.29.37={text}1.3.6.1.4.1.311.10.3.4","2.5.29.17={text}[email protected]") `
  -KeyUsage KeyEncipherment -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm sha256 `
  -CertStoreLocation "Cert:\CurrentUser\My" -NotAfter (Get-Date).AddDays(14)
```

## The Questions:

  1. Why can't I add an elliptic curve certificate (smartcard, yubikey, piv) as protector to BitLocker?
  2. Why does the ECC certificate not appear in Windows' certificate manager (cert:\currentuser\my) after adding the SmartCard (but it does with RSA certificates)?
  3. Why is the manage-bde command providing a seemingly unrelated error ("ERROR: Only the OS volume may be secured with the TPM.") when trying to add a certificate with the command below?

```text
PS ..> manage-bde D: -protectors -add -certificate -tp 39839dd3(...)
BitLocker Drive Encryption: Configuration Tool version 10.0.18362
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
    ERROR: Only the OS volume may be secured with the TPM.
```

What? I am not doing anything with the TPM, why am I getting an error about that? Secondly, this is all about a data partition, I am not even touching the System/OS partition, not even the system drive! It is far from what I am doing, I am not even sure how to debug this.

## After Cert generation - Importing into Yubikey

The Powershell command exports the cert into the Current User Certificate Store.

  • I export the certificate as PFX file, with the public and private part.
  • I delete the cert from the User Certificate Store in Windows.
  • Via the Yubikey Manager I import the certificate and after providing the appropriate credentials the import is reported as successful.
  • I then use a special command from the Yubico-piv-tool to get the new identifier for my yubikey: `.\yubico-piv-tool.exe --action="set-chuid" --key="{managementkey}"`. Otherwise there is a chance that, due to caching, old certs start showing up or other weird behaviour occurs.
  • I remove the Yubikey and connect it again. You can also check on the status and the new CHUID with `.\yubico-piv-tool.exe -a status`.

The diverging part - Current User Certificate Store:

  • Now when I execute these steps with a RSA cert, as soon as I connect the Yubikey again, the certificate shows up in the Current User Certificate store.

Side note:

They are confusingly indistinguishable from a certificate that is completely in the store, but if you try to export such a smartcard certificate, you might get interaction with the smartcard which will not go anywhere. I recognize my smartcard certs because I cannot export the private key part. If it was the original certificate, I would have been able to export it (because certs generated by me are exportable, so this is not always a foolproof way). If it is a public cert, the tiny icon in front of the cert has no key next to it. There is no unique icon for certificates on smartcards. Removing the smartcard will not remove the cert-stub, it will remain.

  • However, when I do exactly the same with an ECC cert, when I connect the Yubikey again, the certificate does not show up.

Why? (Question 2).

Adding the certificate as protector to the BitLocker protected drive (Mouse):

  • I go to 'manage BitLocker' via the Windows Explorer.
  • I click on 'Add SmartCard'.

2nd Diverging part - Windows Explorer

  • When I had 1 RSA cert loaded on the SmartCard, it would simply add it. With manage-bde D: -protectors -get -type certificate one can verify the certificate thumbprint.
  • When I had 2 RSA certs loaded on the SmartCard, it would prompt me to choose! This was a nice surprise.
  • When I have 1 RSA and 1 ECC cert loaded on the SmartCard, it would simply add the RSA one, it would not offer me to choose.

Why? (Question 1) Is BitLocker simply incompatible with ECC certs? I found an old article about Certificate attributes, but it does not say anything about type of crypto. Looking at BitLocker and (self-signed) Certificates in Windows 10, information seems to be non-existent. I am experiencing difficulty finding information about manage-bde DRIVE: -protectors -add -certificate -tp (...) in Windows 10 documentation, only some old documentation. There is not even an equivalent PowerShell command. I don't know why. (Timestamped 1st of May 2020.)

Adding the certificate as protector to the BitLocker protected drive via Command Line:

  • I used manage-bde D: -protectors -add -certificate -tp 39839dd3(..ECC cert tp..). It would not add the certificate and provides an error: Only the OS volume may be secured with the TPM. (?!)
  • I tried again with the RSA cert thumbprint, and it would also not add the certificate.

I have used the command in the past so I am confused twice; by the Windows' GUI which will add the RSA one, but not the ECC one, but the commandline won't add any certificate anymore and complains about seemingly irrelevant parts like the OS partition and the TPM.

Why? (Question 3).

Wrap up

I am asking all these questions to answer the bigger one: How to use a yubikey smartcard (piv) in a safe and secure way to unlock BitLocker protected drives (on standalone computers)? Asking that question in the title might be a bridge too far, that is why I formulated the questions related to the problems I have encountered. Any light you might shed on these questions is most welcome, but if you want to share other solution vectors to the bigger problem, feel free to let me know.

Even though the ECC cert & BitLocker is a bust for now, the provided RSA cert generation allows me to generate a better RSA certificate with my own chosen attributes; a better one than EFS' cert. I might even choose BitLocker's OID again so I don't have to update the GPO.

Side note 2:

The reason I use a smartcard+pin is because I think it is more secure (and more convenient) than a password. You could also put a static password on your Yubikey, concatenate it and use that with BitLocker, but I leave you to your own thoughts about what is more secure. - In my 'research' I also stumbled upon someone making a Virtual SmartCard. That one obviously isn't mobile, but it is a way to extend TPM's security to Data drives. Auto-unlock puts the secrets of Data Drives in windows registry on the Windows partition. The Windows partition's secrets are in the TPM (and possibly your mind and a usb startup key). If you add a Virtual SmartCard to your TPM and with that add certificate BitLocker-protectors to your data drives, the secrets are in (your virtual smartcard in) your TPM and the PIN in your mind. At least, that is the status quo from my understanding; a possible future project. Though in that case the ECC question remains valid too.

(I might update this post with more links for those who want to read the stack of sites I had to gather.--Done, first revision.)

Additional info

Which I might extend:

  • TPM: yes (though that should not matter for this case.)
  • OS: Windows 10 1909
  • Yubikey 4
  • I don't know why you cannot. There are guides for securing Bitlocker using Yubikey going back years. Have you followed these? – music2myear May 03 '20 at 03:33
  • @music2myear yes, as mentioned successfully with an EFS cert or Selfsigned RSA cert, but not an ECC cert. – A71 May 03 '20 at 07:22
  • Searching _BitLocker+ECC_ on [Microsoft Docs](https://docs.microsoft.com/en-us/search/?terms=bitlocker%2Becc&scope=Windows%2010) only returns three results, inferring ECC may only be compatible with BitLocker when using a TPM. You may want to reach out to Microsoft directly via the [Spiceworks](https://community.spiceworks.com/) forum, as Microsoft has vendor reps [Microsoft tech employees] who monitor the Spiceworks forum daily and actively engage within threads. – JW0914 Feb 04 '22 at 21:29
