
How do keyfiles work with pre-boot authentication/system encryption?

Topics: Users Discussion
May 16, 2016 at 9:06 PM
Edited May 16, 2016 at 11:00 PM
The documentation says I can mount system favourites at boot time providing they use the same password as the system drive. Is this still possible if the non-system drives have keyfiles as part of the authentication too?
May 17, 2016 at 4:55 AM
Edited May 17, 2016 at 4:56 AM
Is this still possible if the non-system drives have keyfiles as part of the authentication too?
No, since system encryption does not include keyfiles.

https://veracrypt.codeplex.com/wikipage?title=Keyfiles%20in%20VeraCrypt
May 28, 2016 at 3:18 PM
Enigma2Illusion wrote:
Is this still possible if the non-system drives have keyfiles as part of the authentication too?
No, since system encryption does not include keyfiles.

https://veracrypt.codeplex.com/wikipage?title=Keyfiles%20in%20VeraCrypt
There's actually hope that it will in the future: https://veracrypt.codeplex.com/discussions/645634

idrassi wrote:
The only real extra protection is through the use of a smart card and asymmetric encryption as proposed by thobarth: instead of having the master key encrypted only by the password derived key, a second encryption layer would be added by using RSA or Elliptic Curve public key encryption.
Thus, the RSA/ECC private key on the smart card/token will be needed to first decrypt a blob of data and the result will then be processed by the password derived key in order to obtain the master key.

Thanks to this approach, an attacker would need to have access to both the smart card and the password in order to decrypt the data, even if he used some custom made software since the asymmetric decryption cannot be bypassed.

Actually, integrating asymmetric encryption through smart cards in VeraCrypt has been on the road-map since the beginning of the project because my main field of expertise has always been around smart cards. My current idea is that such a feature will be implemented as an "Enterprise" type feature that would come in the form of a plugin.

For now, nothing has started yet on this but a decision will be made in the coming months on how this should be handled. Such development is not trivial and it requires significant changes and work so one possibility would be to offer such a feature for a fee or at least have some kind of funding to implement it.
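
The two-layer key wrapping described in the quoted idrassi post, sketched as an added example that is not part of the thread and is not VeraCrypt code. It assumes a software RSA key pair standing in for the smart card, AES-256-GCM and PBKDF2-SHA512 standing in for VeraCrypt's header encryption, and hypothetical function names; the password is a constructed sample.

```javascript
const crypto = require('crypto');

// Assumed for this example; not VeraCrypt's parameters or header format.
const ITERATIONS = 200000;
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha512');
}

// Layer 1: master key encrypted under the password-derived key.
// Layer 2: that blob encrypted to the token's public key.
function wrapMasterKey(masterKey, password, tokenPublicKey) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(masterKey), cipher.final()]);
  const inner = Buffer.concat([iv, cipher.getAuthTag(), ct]); // 92 bytes, fits RSA-2048 OAEP
  return { salt, outer: crypto.publicEncrypt({ key: tokenPublicKey, ...OAEP }, inner) };
}

function unwrapMasterKey(header, password, tokenPrivateKey) {
  // Step 1 would run on the smart card: only the private key can open the outer layer.
  const inner = crypto.privateDecrypt({ key: tokenPrivateKey, ...OAEP }, header.outer);
  // Step 2: the password-derived key opens the inner layer (GCM rejects a wrong key).
  const key = deriveKey(password, header.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, inner.subarray(0, 12));
  decipher.setAuthTag(inner.subarray(12, 28));
  return Buffer.concat([decipher.update(inner.subarray(28)), decipher.final()]);
}

function tryUnwrap(header, password, privateKey) {
  try { return unwrapMasterKey(header, password, privateKey); } catch (e) { return null; }
}

function demo() {
  const token = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const otherToken = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const masterKey = crypto.randomBytes(64);
  const password = 'correct horse battery'; // constructed sample
  const header = wrapMasterKey(masterKey, password, token.publicKey);
  const ok = tryUnwrap(header, password, token.privateKey);
  return {
    bothFactors: ok !== null && ok.equals(masterKey),
    wrongPassword: tryUnwrap(header, 'guess', token.privateKey) === null,
    wrongToken: tryUnwrap(header, password, otherToken.privateKey) === null,
  };
}

console.log(demo());
```

With a real token the private key never leaves the card, so the first step cannot be reproduced by software that only has the header and the password.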