How can Yubikey be used as storage for a keyfile?
When I enter PIN of Yubikey I get this screen https://www.imagevenue.com/ME1294XQ
What should I select?
Some say that the PIV certificate can be used as a keyfile.
I can't see anything related to it on previous screenshot.
Yubico support team says "Ask Veracrypt...", quoting from their response to me "The certificate can be selected as a keyfile for the Veracrypt encryption. Also this is a specific issue with VeraCrypt and you should reach out to the VeraCrypt community for support as well".
Any of the presented objects can be selected as a keyfile since they are protected by PIN. You just need to be sure that the information they contain is not publicly available or can be deduced by someone else. For example, "Printed Information" doesn't seem to be a good candidate but "Cardholder fingerprints" looks better.
That being said, it is advised to create a dedicated keyfile using the VeraCrypt keyfile generator and then import it into your Yubikey in order to use a keyfile. The steps to achieve this are easy.
First, use the menu "Tools -> Keyfile generator" to create a random keyfile and store it on disk (ideally it should be stored in a mounted VeraCrypt volume to avoid leaking keyfile content).
Then, use the menu "Tools -> Managed Security Token Keyfiles" to import the generated keyfile into the Yubikey.
After that, securely erase the keyfile from the disk (as I said above, it is advised to store the keyfile in a mounted VeraCrypt volume, since securely erasing a keyfile from a mounted VeraCrypt volume is more reliable than securely erasing it from a standard disk).
Once these steps are done, you can select this keyfile from within the Volume Creation wizard when creating a volume.
Below are screenshots of the steps:
PS: to avoid losing access to the volume if the Yubikey is lost, a backup of the generated keyfile should be made and stored in a secure location before securely erasing it from disk. Not using a backup gives maximum security, but it exposes you to data loss if the Yubikey is lost.
"Cardholder fingerprints" - Yubikey has no fingerprint reader on it - so I assume this is out of the question.
"Import keyfile to Yubikey" - an error "function not supported" pops up
Ok, it looks like Yubikey doesn't allow storing arbitrary data on it. This must be a limitation of their hardware and we can't do much about it.
Concerning the "cardholder fingerprints", it should work since it is listed. The only thing is that you must check that its content is sufficiently unique/random so that it can't be easily guessed by an attacker.
For that you can use the export button to export the content of this object to a file (you should export inside a mounted VeraCrypt volume to keep the content secure). Then open the exported file using a tool like HxD to explore its binary content. If you notice that its size is too small (less than 64 bytes) or that its content is not sufficiently unique, then you can't use it as a secure keyfile.
In VeraCrypt, we suppose that compatible smart cards and tokens provide the functionality of importing data objects into them. Clearly, Yubikey doesn't have this functionality, and so the only possible way is to rely on existing data objects that contain sufficiently unique content to be used as a keyfile: if no such data object exists, then Yubikey can't be used.
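The size-and-uniqueness check described in the reply above, as an added example that is neither part of this thread nor VeraCrypt's own code: it reads a data object exported from the token and reports whether it clears the 64-byte minimum quoted above and whether its byte distribution looks varied enough. The 64-byte threshold comes from the thread; the entropy bar and the sample blobs are assumptions constructed for the demonstration.

```python
# Added example, not from the forum thread or the VeraCrypt code base.
# Sanity-checks an exported PIV data object before it is relied on as a
# VeraCrypt keyfile: too-small or highly repetitive content is rejected.
import math
from collections import Counter

MIN_KEYFILE_BYTES = 64      # minimum size quoted in the thread
MIN_BITS_PER_BYTE = 5.0     # assumed bar for "sufficiently unique" content


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0..8)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_keyfile(data: bytes) -> dict:
    """Return size, entropy and distinct-byte count plus an ok/reasons verdict."""
    ent = shannon_entropy(data)
    reasons = []
    if len(data) < MIN_KEYFILE_BYTES:
        reasons.append(f"only {len(data)} bytes (< {MIN_KEYFILE_BYTES})")
    if ent < MIN_BITS_PER_BYTE:
        reasons.append(f"low entropy {ent:.2f} bits/byte (< {MIN_BITS_PER_BYTE})")
    return {"size": len(data), "entropy": ent, "distinct": len(set(data)),
            "ok": not reasons, "reasons": reasons}


def assess_keyfile_path(path: str) -> dict:
    """Convenience wrapper for a file exported from the token (hypothetical path)."""
    with open(path, "rb") as f:
        return assess_keyfile(f.read())


# Constructed samples (not real token data): a 30-byte object that is mostly
# one repeated byte, and a 64-byte object whose bytes are all distinct.
SMALL_REPETITIVE = b"\x53\x1c" + b"\x00" * 28
VARIED_64 = bytes((i * 73 + 29) % 256 for i in range(64))

if __name__ == "__main__":
    for name, blob in (("small", SMALL_REPETITIVE), ("varied", VARIED_64)):
        print(name, assess_keyfile(blob))
```

Passing this check only rules out obviously poor objects; it cannot tell you whether the object's content is secret, which is the other condition the reply sets.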
For some reason the Cardholder Fingerprint and Facial Image cannot be used as keyfiles. They cannot be exported either.
The so-called "Printed Information" can be exported as a 30-byte file. The fifteen 16-bit hex numbers are related to the PIV management key (I am not sure they are the same though, because the management key is 24 bytes long).
I was able to use it as a keyfile for a test volume, but given the guidance for a 64-byte minimum-size keyfile, I am not super keen to use it for a critical volume.
edited info regarding the Printed Information content
Last edit: NoMiddleName 2021-04-02