This project has moved and is read-only. For the latest updates, please go here.

PKCS #11 for system encryption

Topics: Feature Requests
May 15, 2016 at 3:36 PM
Hi! :D

I would love to have a way for 2-factor authentication, using a YubiKey on an encrypted systemdrive. As for now thouh the only way (I know of) to do this, is to use a password consisting of a part you remember yourself and a part stored on the YubiKey. Keyfiles are still unusable on FDE systems and I'm missing this feature scince Truecrypt.

So, long question short:
Will there be a support for PKCS #11 SmartCard's on fully encypted systems any time soon?
May 28, 2016 at 3:56 PM
Edited May 28, 2016 at 4:16 PM
xoOPhoenixOox wrote:
Will there be a support for PKCS #11 SmartCard's on fully encypted systems any time soon?
I just had the same question:
I would like to use VeraCrypt together with the Nitrokey Pro.
When will this happen? What delays this feature? I strongly believe this will be a great security enhancement.

Edit: The answer can be found here:
idrassi wrote:
The only real extra protection is through the use of a smart card and asymmetric encryption as proposed by thobarth: instead of having the master key encrypted only by the password derived key, a second encryption layer would be added by using RSA or Elliptic Curve public key encryption.
Thus, the RSA/ECC private key on the smart card/token will be needed to first decrypt a blob of data and the result will then be processed by the password derived key in order to obtain the master key.

Thanks to approach, an attacker would need to have access to both the smart card and the password in order to decrypt the data, even if he used some custom made software since the asymmetric decryption can not be bypassed.

Actually, integrating asymmetric encryption through smart cards in VeraCrypt has been on the road-map since the beginning of the project because my main field of expertise has always been around smart cards. My current idea is that such feature will be implemented as an "Entreprise" type feature that would come in the form of a plugin.

For now, nothing has started yet on this but a decision will be made in the coming months on how this should be handled. Such development is not trivial and it requires significant changes and work so one possibility would be to offer such feature for a fee or at least have some kind of funding to implement it.