Hi all,
I've just bought some SmartCard-HSM cards. They can be initialized from within Windows.
Now VeraCrypt can use the smartcard, store a key and read a key, when using volumes AFTER Windows has booted.
But when I tried to convert the entire drive or system partition, VeraCrypt failed by stating that keyfiles are not supported.
Is it true that smartcards aren't supported when using VeraCrypt for boot volume encryption?
Before purchasing the cards I read the documentation, but this exception is nowhere stated. Specifics about requirements of the smartcard can be found, but the fact that smartcards aren't supported for boot volumes (should that be the case) should be clearly written in the introduction, because this is a major showstopper (for me). The smartcard works perfectly with volumes mounted AFTER Windows has booted, but that isn't what I need.
Thank you for your time,
Wes
Hi Wes,
First of all, the documentation for smart cards in VeraCrypt (https://www.veracrypt.fr/en/Security%20Tokens%20%26%20Smart%20Cards.html) simply redirects the reader to the Keyfiles chapter for more information (https://www.veracrypt.fr/en/Keyfiles%20in%20VeraCrypt.html), and in this chapter it is written "Note: Keyfiles are currently not supported for system encryption.". So, it is documented that keyfiles are not supported for system encryption, and this logically means that smart cards are not supported for system encryption. But probably adding a note in the smart card chapter will avoid misunderstandings like yours.
Secondly, all commercial encryption products that support smart cards for boot in the context of system encryption use customized versions of PKCS#11 libraries that are adapted to their boot environment. So, even for these commercial products, you cannot just use any smart card even if it comes with a PKCS#11 library. First, you will have to check with the product's manufacturer the list of smart card models that they support, and afterwards you can only buy one of those.
As far as VeraCrypt is concerned, supporting smart cards for UEFI system encryption is planned, but it requires a huge amount of work at many levels: first there is USB-CCID support for reader detection and handling, then integration of the PC/SC layer, and finally the choice of an open source PKCS#11 library to adapt and integrate into the UEFI bootloader architecture. Such development is not possible to do without funding or at least a viable business model that will enable covering costs. For now, we have no visibility on this.
Hi Mounir,
Thank you for all your work and for explaining this. Unfortunately I cannot pay you a bounty for this feature.
There are almost no commercial products which you can simply buy online. I understand that most solutions are tailored for the enterprise, but very small teams might also be in need of such solutions (PBA with smartcards) without entering hefty contracts and a minimum of 25 seats etc. Should you have a suggestion for such a solution (I need 2 - 4 licences), I'm very interested.
I thank you again and look forward to future developments.
Regards,
Wes
Hi Wes,
DCS contains experimental code to test the low level API of smart cards at APDU level (see "DcsCFg -scapdu"). (DCS is the EFI bootloader for VeraCrypt.)
General PKCS11 is too complex IMHO.
If there is interest from a card manufacturer, it might be possible to add support for one card type to start.
Regards,
Alex
Hi Alex,
I'm using the SmartCard-HSM cards. They work as HSM/keystore with VeraCrypt for plain container volumes and are supported by OpenSC. They were the most "open-source oriented" cards I could find.
I looked at DcsCfgCrypt.c, but I don't know anything about UEFI and developing loaders for that environment. For example, does EFI provide the USB drivers?
I'll mention this open issue to the card manufacturer.
Thanks,
Wes
Hi Wes,
The EFI specification contains a USB protocol, but some BIOS developers can limit drivers to support media only.
See UsbScTransmit in EfiUsb.c (it sends APDUs), but on my old laptop it does not work. This is one of the reasons why I stopped the development.
OpenSC is good reference code, but it might need some internals from the SC manufacturer.
Regards,
Alex
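Alex's two replies above refer to exercising the card at APDU level ("DcsCFg -scapdu") and to UsbScTransmit sending APDUs. As an added illustration, not code from DCS, VeraCrypt or OpenSC, here is a minimal ISO 7816-4 short-APDU encoder and status-word classifier in C of the kind such a transport test drives: the SELECT header bytes (CLA 00, INS A4, P1 04, P2 00) are the standard ISO values, while the AID and the card reply in the demo are constructed sample values, not a real card's.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Build a short ISO 7816-4 command APDU (cases 1-4) into out[].
 * Returns the encoded length, or 0 if the fields do not fit. */
size_t apdu_build(uint8_t cla, uint8_t ins, uint8_t p1, uint8_t p2, const uint8_t *data,
                  size_t lc, int has_le, uint8_t le, uint8_t *out, size_t out_cap)
{
    size_t n = 0, need = 4 + (lc ? 1 + lc : 0) + (has_le ? 1 : 0);
    if (lc > 255 || (lc && !data) || out_cap < need) return 0;
    out[n++] = cla; out[n++] = ins; out[n++] = p1; out[n++] = p2;
    if (lc) { out[n++] = (uint8_t)lc; memcpy(out + n, data, lc); n += lc; }
    if (has_le) out[n++] = le;          /* Le = 0x00 means "up to 256 bytes" */
    return n;
}

/* Status-word classes; apdu_classify() packs them as (class << 8) | argument. */
enum { SW_OK, SW_MORE_DATA, SW_WRONG_LE, SW_PIN_TRIES, SW_ERROR };

/* Classify SW1 SW2: 9000 = success; 61xx = xx more bytes via GET RESPONSE;
 * 6Cxx = wrong Le, re-issue with Le = xx; 63Cx = PIN verification failed, x tries left. */
int apdu_classify(uint16_t sw)
{
    if (sw == 0x9000)            return SW_OK << 8;
    if ((sw & 0xFF00) == 0x6100) return SW_MORE_DATA << 8 | (sw & 0xFF);
    if ((sw & 0xFF00) == 0x6C00) return SW_WRONG_LE  << 8 | (sw & 0xFF);
    if ((sw & 0xFFF0) == 0x63C0) return SW_PIN_TRIES << 8 | (sw & 0x0F);
    return SW_ERROR << 8;
}

/* Split a raw response into its data body and status word. Returns 0 if too short. */
int apdu_parse(const uint8_t *buf, size_t n, size_t *data_len, uint16_t *sw)
{
    if (n < 2) return 0;
    *data_len = n - 2; *sw = (uint16_t)((buf[n - 2] << 8) | buf[n - 1]);
    return 1;
}

/* Demo of the round trip a transport test exercises: encode SELECT by AID (case 4)
 * for a constructed sample AID, then parse a constructed "61 0C" reply from the card. */
int demo_select_flow(void)
{
    static const uint8_t aid[]   = { 0xA0, 0x00, 0x00, 0x00, 0x01 }; /* constructed, not a real AID */
    static const uint8_t reply[] = { 0x61, 0x0C };                   /* constructed card reply */
    uint8_t cmd[16]; size_t dlen; uint16_t sw;
    if (apdu_build(0x00, 0xA4, 0x04, 0x00, aid, sizeof aid, 1, 0x00, cmd, sizeof cmd) != 11) return -1;
    if (!apdu_parse(reply, sizeof reply, &dlen, &sw) || dlen != 0) return -1;
    return apdu_classify(sw);   /* SW_MORE_DATA with 12 bytes pending */
}
```

Whatever transport underneath (USB-CCID in the bootloader, PC/SC in the OS) moves these same bytes; a test at this level isolates card behaviour from reader and driver problems like the one Alex describes.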