Linux smart card authentication – TrueCrypt

(This is part of my howto on smart card authentication in Linux.)

If you are already familiar with using keyfiles in TrueCrypt, using a smart card works the same way, except the file will be stored on your card, not on the disk.

The first thing to do is tell TrueCrypt where the PKCS#11 provider library is located: you do that in Settings > Security Tokens; the library is at /usr/lib/opensc/opensc-pkcs11.so. For increased security, you will probably also want to check the box below it to force TrueCrypt to log out of your card after your encrypted volume has been mounted.

On a new volume

Create your new volume as usual, until you reach the “password” step. Check the “Use keyfiles” box, and click the “Keyfiles” button. You probably want to generate a random keyfile to store on your card, so click the “Generate Random Keyfile” button, and store the generated keyfile somewhere on your disk. Then click “Add Token Files”; a window will appear, listing all the keyfiles stored on your smart card. So far there are none, so click “Import Keyfile to Token”, and select the keyfile you just created. Click OK in the window that appears (unless you want to store the file under a different name on your card), select the keyfile and click OK again, and again. At this point, you probably want to delete the keyfile from your drive (you can use the shred command to do it securely).

You may also enter a password for your volume. If you do, both the keyfile (and hence, the smart card) and the password will be required to mount the volume.

You may also use several keyfiles. In that case all keyfiles (and the password if there is one) will be required to mount the volume. You may want to do this, for example, to have multi-factor authentication, with one keyfile stored in a hidden location on the drive, and one on your smart card, or if the volume contains secrets shared between several users (with each user having one of the keyfiles on his own card, all users must be present in order to decrypt the volume).
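As an added illustration (not part of this post), here is a small Python model of how TrueCrypt folds keyfiles and the password together, reconstructed from my reading of its Keyfiles.c: each keyfile's bytes feed a running CRC-32 whose bytes are added, mod 256, into a 64-byte pool, and the pool is then added to the zero-padded password. Treat the details (64-byte pool, 1 MiB read limit, 64-byte generated keyfiles) as my recollection of that source rather than something the post states; the sample keyfiles and password are constructed. It shows why every keyfile is required and why the order in which you add them does not matter.

```python
import os
import zlib

KEYFILE_POOL_SIZE = 64              # only this many password bytes are ever affected
KEYFILE_MAX_READ_LEN = 1024 * 1024  # bytes read from each keyfile; the rest is ignored


def mix_keyfile_into_pool(pool: bytearray, keyfile: bytes) -> None:
    """Fold one keyfile into the 64-byte pool (my model of TrueCrypt's KeyFileProcess).

    For each input byte the running CRC-32 is updated and its four bytes are
    added mod 256 into the next four pool slots, wrapping around at the end.
    """
    crc = 0  # zlib's starting value is TrueCrypt's 0xffffffff register, inverted
    pos = 0
    for b in keyfile[:KEYFILE_MAX_READ_LEN]:
        crc = zlib.crc32(bytes([b]), crc)
        register = crc ^ 0xFFFFFFFF  # undo zlib's final XOR to get the raw CRC register
        for shift in (24, 16, 8, 0):
            pool[pos] = (pool[pos] + ((register >> shift) & 0xFF)) & 0xFF
            pos = (pos + 1) % KEYFILE_POOL_SIZE


def apply_keyfiles(password: bytes, keyfiles: list) -> bytes:
    """Return the 64-byte effective password that the keyfiles and password yield.

    The password (at most 64 bytes in TrueCrypt) is zero-padded to the pool size
    and each pool byte is added to it mod 256. Addition commutes, so keyfile
    order is irrelevant, but omitting any one of them changes the result.
    """
    pool = bytearray(KEYFILE_POOL_SIZE)
    for kf in keyfiles:
        mix_keyfile_into_pool(pool, kf)
    padded = password[:KEYFILE_POOL_SIZE].ljust(KEYFILE_POOL_SIZE, b"\0")
    return bytes((p + k) & 0xFF for p, k in zip(padded, pool))


def generate_keyfile() -> bytes:
    # One pool width of random bytes, the size TrueCrypt's keyfile generator writes.
    return os.urandom(KEYFILE_POOL_SIZE)


if __name__ == "__main__":
    card_kf, disk_kf = generate_keyfile(), generate_keyfile()  # constructed sample keyfiles
    both = apply_keyfiles(b"hunter2", [card_kf, disk_kf])
    assert both == apply_keyfiles(b"hunter2", [disk_kf, card_kf])  # order does not matter
    assert both != apply_keyfiles(b"hunter2", [card_kf])           # every keyfile is needed
    print(both.hex())
```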

The remaining step (volume formatting) is done as usual.

On an existing volume

If your volume already uses keyfiles and they are small enough to fit on your card, you can just transfer the files to your smart card as described above. If the keyfiles are too large, you will have to remove them from your volume with Volume > Remove all keyfiles from volume (after your volume is mounted), and generate a new set of keyfiles to store on your card. (Note that removing keyfiles from your volume can take a couple of minutes.)

If your volume doesn’t use keyfiles (or you have removed them because they were too large to fit on your card), you will have to generate new keyfiles for it. Mount your volume and click Volume > Add/Remove Keyfiles. Enter the password for your volume in the “Password” box, check the “Use keyfiles” box under “New”, and click the “Keyfiles” button next to it. Generate the keyfile(s) and store them on your card as described in the previous section, and click OK (this can also take a while). Both the keyfile(s) and the password will now be required to mount the volume (if you want to remove the password and use only the keys, you can do so by clicking Volumes > Change Volume Passwords).

Mounting a volume

This is also pretty straightforward. After you have selected the volume and clicked Mount, enter the volume password (if there is one), check the “Use keyfiles” box, and click the “Keyfiles” button. Add all the keyfiles (with “Add keyfile” for an on-disk keyfile, and “Add token files” for a keyfile on your smart card) and click OK.
