# Veracrypt

<figure><img src="/files/ZjCdbwp845QIOsMjDuTZ" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
This tutorial requires one device of any in the following categories:

* [x] [YubiKey 5 Series](https://www.yubico.com/store/#yubikey-5-series)
* [x] [YubiKey 5 FIPS Series](https://www.yubico.com/store/#yubikey-5-fips-series)
{% endhint %}


## <mark style="color:red;">❊ How It Works</mark>

To have your Yubikey unlock your Veracrypt drive, the Yubikey must be plugged into your computer with a keyfile stored in a particular PIV data object (this guide calls these objects slots).

When creating a new encrypted drive, you will generate a keyfile that you will use to unlock the drive, then import that keyfile onto your Yubikey. Every time you mount the drive, you will choose the **keyfile** option and select your Yubikey as the keyfile source. Veracrypt then reads the keyfile bytes back from the Yubikey over PKCS#11, mixes them with your password to derive the volume header key, and mounts the drive if the header decrypts. Nothing about the keyfile is stored on the system or in the volume: a Yubikey holding different bytes in that slot fails to mount the drive in exactly the same way a wrong password does.

If you have an existing drive, you can add Yubikey as an additional security measure.

Along with keeping the imported keyfile on your Yubikey, save a copy of the keyfile somewhere else, offline. A USB flash drive is recommended. If your Yubikey stops working or is lost, that backup keyfile is the only way to unlock your drive. Keep the backup apart from your password: the keyfile is a static secret, so anyone holding both the keyfile and the password can mount the drive without the Yubikey, and anyone who knows the PIV PIN can read the keyfile back off the Yubikey itself.

## <mark style="color:red;">❊ Installation</mark>

Before starting, download and install ![](/files/cx3UyzbMaa2qyyOJ3lWy) [**VeraCrypt**](https://www.veracrypt.fr/en/Downloads.html).

Software is available for **Windows**, **MacOS**, and **Linux**.

{% hint style="danger" %} <mark style="color:red;">**Veracrypt Portable Warning (Windows)**</mark>

The **Windows** version includes a link to a portable download. This is a version of Veracrypt that can run on your computer without needing to be installed. It allows you to place the program on a flash drive and open it on any computer.

<mark style="color:orange;">**The portable version of Veracrypt does NOT support Yubikeys.**</mark>

You **must** download and install the full version of Veracrypt for Windows.
{% endhint %}

## <mark style="color:red;">❊ Creating a Keyfile</mark>

Launch Veracrypt.

Locate the <mark style="color:red;">**Tools**</mark> menu at the top and select <mark style="color:red;">**KeyFile Generator**</mark>.

<figure><img src="/files/DZtBAciuI9bAxeKhjITF" alt=""><figcaption></figcaption></figure>

A progress bar at the very bottom starts red and turns green as it fills.

To fill this bar, move your mouse back and forth.

<figure><img src="/files/ZKzKinNYfKDeGuGP61Lp" alt=""><figcaption></figcaption></figure>

For a Yubikey device, keep the <mark style="color:orange;">**Keyfile Size**</mark> at the default of <mark style="color:red;">**64 bytes**</mark>; the PIV data object it will be written to holds only a small amount of data, and the rest of this guide assumes a 64-byte keyfile.

You can leave <mark style="color:orange;">**Mixing PRF**</mark> at <mark style="color:red;">**SHA-512**</mark>.

Toward the bottom, type a name for your keyfile in the <mark style="color:red;">**Keyfiles Base Name**</mark> field.

<figure><img src="/files/5ijvZSzDeIYY4rf2pJyE" alt=""><figcaption></figcaption></figure>

Click <mark style="color:red;">**Generate and Save Keyfile ...**</mark>

A dialog box will appear and ask you to select the folder you want to save the keyfile in. Select any folder.  After you complete that step, you should get a save notification:

<figure><img src="/files/mOeoONoqa6cq4MmdHDal" alt=""><figcaption></figcaption></figure>

Use <mark style="color:red;">**File Explorer**</mark> (or any file manager) to open the folder where you saved your keyfile and confirm that it is there.

<figure><img src="/files/n1hooPeLRFsTHIGHPltE" alt=""><figcaption></figcaption></figure>

Once located, continue to the ![](/files/cx3UyzbMaa2qyyOJ3lWy) [**Import Keyfile to Yubikey**](#import-keyfile-to-yubikey) section.

## <mark style="color:red;">❊ Installing OpenSC</mark>

Veracrypt does not talk to a Yubikey directly. It reads token keyfiles through a PKCS#11 library, and for the Yubikey's PIV applet that library comes from the third-party project [**OpenSC**](https://github.com/OpenSC/OpenSC#downloads).

OpenSC will be the "bridge" for communication between Veracrypt and your Yubikey.

To download the latest version of OpenSC, ![](/files/cx3UyzbMaa2qyyOJ3lWy) [**visit the GitHub page's Downloads section here.**](https://github.com/OpenSC/OpenSC#downloads)

Install the program. Its tray helper (`opensc-notify.exe`) runs in the background while your computer is on; the PKCS#11 library itself is loaded by Veracrypt when it needs the token.

If installing on Windows, you may be greeted with this Microsoft Defender SmartScreen screen:

<figure><img src="/files/iZGFFNISNBS3oxjJvdO7" alt=""><figcaption></figcaption></figure>

It is not a virus: SmartScreen shows this because it does not recognise the installer's publisher. Confirm that you downloaded the installer from the OpenSC GitHub releases page linked above, then click **More Info** and select ![](/files/bdciZ0cMfLGaClemfm4U)

Begin installation:

<figure><img src="/files/KiVdiERCzLy0Ht8GEJzA" alt=""><figcaption></figcaption></figure>

Continue to click **Next** until you get to a screen which lists features available for install:

<figure><img src="/files/Ijh8wKgKEaorL63vWBAH" alt=""><figcaption></figcaption></figure>

Select the following:

* Core components
* PKCS#11 module
* Smartcard Minidriver
* Command line tools

The other options are optional; select them if desired.

Let OpenSC finish installation:

<figure><img src="/files/D3AcMWd3SVDE9JCLrwXt" alt=""><figcaption></figcaption></figure>

Once you have installed OpenSC, you can give your computer a reboot and OpenSC should run at startup.

If you don't want to wait on reboot, you can manually start OpenSC by executing the file:

<mark style="color:red;">**`C:\Program Files\OpenSC Project\OpenSC\tools\opensc-notify.exe`**</mark>

Re-launch Veracrypt and, in the top menu, select **Tools** -> **Manage Security Token Keyfiles...**

<figure><img src="/files/ZzG3OJXiPZxdco9oejBu" alt=""><figcaption></figcaption></figure>

You will get a notification listing some steps that need to be performed:

<figure><img src="/files/jESyS6ElHOQOCx7cwn4X" alt=""><figcaption></figcaption></figure>

Open the top menu back up, and select **Settings** -> **Security Tokens**.

<figure><img src="/files/8x2Rv4HRuJOGXOckeYG3" alt=""><figcaption></figcaption></figure>

You will need to provide the path to the PKCS#11 library that talks to your Yubikey, which is the OpenSC module you just installed.

The **Auto-Detect** button will sometimes work, if it doesn't and you receive an error that it cannot locate your module, you'll need to specify it manually.

Click the **Select Library** button, and navigate to:

<mark style="color:red;">**`C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll`**</mark>

On Linux and macOS the equivalent file is `opensc-pkcs11.so` in OpenSC's library directory (typically under `/usr/lib` on Linux and `/Library/OpenSC/lib` on macOS).

After you've selected the PKCS#11 module, save, and close Veracrypt completely.

Re-launch Veracrypt. You should now be able to navigate to **Tools** -> **Manage Security Token Keyfiles...** and see a dialog asking for your PIV PIN.

If the keyfile list is empty, completely close Veracrypt, remove the Yubikey from the USB port, wait a few seconds, and plug it back in. Then launch Veracrypt and return to **Tools** -> **Manage Security Token Keyfiles...**.
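As an added check (not part of the original guide), you can use `pkcs11-tool`, which ships with OpenSC's command-line tools, to confirm from PowerShell that the same PKCS#11 module Veracrypt loads can see the Yubikey and its PIN-protected data objects. The install paths are the default ones used elsewhere in this guide; adjust them if you installed OpenSC somewhere else. The Yubikey must be plugged in.

```powershell
# Added check: does the OpenSC PKCS#11 module see the YubiKey and its PIV data objects?
# Paths assume the default OpenSC install with "Command line tools" selected.
$OpenSC     = "C:\Program Files\OpenSC Project\OpenSC"
$Module     = Join-Path $OpenSC "pkcs11\opensc-pkcs11.dll"   # what Settings -> Security Tokens points at
$Pkcs11Tool = Join-Path $OpenSC "tools\pkcs11-tool.exe"

foreach ($f in @($Module, $Pkcs11Tool)) {
    if (-not (Test-Path $f)) {
        throw "Missing $f - reinstall OpenSC with 'PKCS#11 module' and 'Command line tools' selected"
    }
}

# 1. Token present? The YubiKey's PIV applet must appear as a token in a slot; if it does not,
#    VeraCrypt's Auto-Detect and its security token keyfile list will both come up empty.
$slots = (& $Pkcs11Tool --module $Module --list-slots 2>&1) -join "`n"
$slots
if ($slots -notmatch 'token label') {
    Write-Warning "No token found. Reinsert the YubiKey and make sure nothing else (e.g. GnuPG's scdaemon) is holding the card."
    return
}

# 2. Data objects visible? The PIV objects VeraCrypt offers as keyfiles are PIN-protected, so
#    log in first. pkcs11-tool prompts for the PIV PIN; do not pass it with --pin, which would
#    leave it in your shell history and in the process listing. Only 'data' objects are listed.
$objects = (& $Pkcs11Tool --module $Module --login --list-objects --type data 2>&1) -join "`n"
$objects
if ($objects -match 'Printed Information') {
    "OK: 'Printed Information' is readable through the OpenSC module, so VeraCrypt will list it."
} else {
    Write-Warning "'Printed Information' was not listed: check the PIN, then redo the Import Keyfile to Yubikey step."
}
```

If step 1 shows no token, the problem is below Veracrypt (reader, OpenSC, or another program holding the card); if step 1 passes but step 2 lists no data objects, the PIN was wrong or the object has not been written yet.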

## <mark style="color:red;">❊ Import Keyfile to Yubikey</mark>

If you've read my other guides, you will know that the PIV module has four main slots: 9A, 9C, 9D, and 9E. Those are key slots that hold private keys, and we will **not** be using them here. Your generated keyfile instead goes into one of the PIV data objects, which store arbitrary bytes that Veracrypt can read back through PKCS#11; this guide refers to them as special slots.&#x20;

We will use the command-line ![](/files/cx3UyzbMaa2qyyOJ3lWy) [**ykman** ](/yubikey5/guides/setting-up-cli-ykman.md)to do that.

The special slots being referred to are the three data objects Veracrypt lets you select when you connect your Yubikey to unlock or create a drive.

To view these slots, return to Veracrypt.

Select <mark style="color:red;">**Tools**</mark> -> <mark style="color:red;">**Manage Security Token Keyfiles...**</mark>

<figure><img src="/files/txqU1sS7VnNKpopjWHur" alt=""><figcaption></figcaption></figure>

A dialog box will appear and ask you for a PIV PIN:

<figure><img src="/files/OsuVtLwrJQ4mshZQOwyh" alt=""><figcaption></figcaption></figure>

Enter the PIV PIN you have configured for your Yubikey.

If you have not changed the default PIV PIN yet, enter: <mark style="color:blue;">**`123456`**</mark>

{% hint style="info" %}
To learn how to configure PIV and make PINs, visit the ![](/files/cx3UyzbMaa2qyyOJ3lWy) [PIV documentation](/yubikey5/piv-1/getting-started/2.-pins.md).
{% endhint %}

Press OK and a new dialog will appear and show the three special files in slot 0 referred to earlier:

<figure><img src="/files/5ofC7OHK2NtIs99xfIEa" alt=""><figcaption></figcaption></figure>

For this guide, we are going to import our generated keyfile into the PIV object / slot <mark style="color:red;">**Printed Information**</mark>**.**

### <mark style="color:blue;">SLOT / OBJECT IDS</mark>

The slot / object ID for these three slots are provided below:

| File Name                                                   | Slot / Object ID |
| ----------------------------------------------------------- | ---------------- |
| <mark style="color:red;">**Cardholder Fingerprints**</mark> | 0x5fc103         |
| <mark style="color:red;">**Printed Information**</mark>     | 0x5fc109         |
| <mark style="color:red;">**Cardholder Facial Image**</mark> | 0x5fc108         |

You will need to enter the **slot / object id** in a few moments.

Open your Command Prompt, Terminal, or Powershell.

Change directories to the folder that contains <mark style="color:red;">**ykman.exe**</mark>:

```
cd "C:\Program Files\Yubico\YubiKey Manager\"
```

{% hint style="info" %}
If you are unsure where <mark style="color:red;">**Yubikey Manager**</mark> or <mark style="color:red;">**ykman.exe**</mark> are installed, ![](/files/cx3UyzbMaa2qyyOJ3lWy) [**view the documentation for ykman here**](/yubikey5/guides/setting-up-cli-ykman.md).&#x20;

That section will explain what ykman is, and how to download it for your operating system. It is included in your installation of Yubikey Manager.
{% endhint %}

Once you have navigated to the Yubikey Manager folder, change the information in the command below and then execute it:

```
ykman piv objects import 0x5fc109 "C:\path\to\mykeyfile"
```

| Argument                                                   | Description                                                                                                   |
| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- |
| <mark style="color:red;">**0x5fc109**</mark>               | Object ID for <mark style="color:red;">**Printed Information**</mark>, explained above. (See chart above)     |
| <mark style="color:red;">**"C:\path\to\mykeyfile"**</mark> | The path and name of the keyfile you created.                                                                 |

{% hint style="info" %}
Wrap the path to your keyfile in quotation marks, especially if the path contains spaces in the folder or file names.
{% endhint %}

Execute the command; you will see the following message:

```
Enter a management key [blank to use default key]:
```

Type the <mark style="color:red;">**PIV Management**</mark> <mark style="color:red;">**Key**</mark> you've specified for your Yubikey's PIV interface. Press ENTER if you've never changed the default pre-programmed management key.

{% hint style="info" %}
Default Management Key:\ <mark style="color:red;">**`010203040506070801020304050607080102030405060708`**</mark>

Change the default management key before relying on this setup: writing a PIV data object needs only the management key, not the PIN, so anyone who picks up a Yubikey still using the default key can overwrite this slot and lock you out of the drive until you restore from your backup keyfile.

If you're unsure how to change your <mark style="color:red;">**PIV Management Key**</mark>, view ![](/files/cx3UyzbMaa2qyyOJ3lWy) [**PIV documentation here**](/yubikey5/piv-1/getting-started/2.-pins.md#management-key-1).
{% endhint %}
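The import and a read-back check, as an added PowerShell example that is not part of the original guide. It uses only the `ykman piv objects import` and `ykman piv objects export` commands; `$KeyfilePath`, `$ObjectId` and `$BackupDir` are placeholders you edit, and the default YubiKey Manager path is assumed if `ykman` is not on your PATH. ykman prompts for the management key and the PIV PIN itself, so neither secret ends up on the command line or in your shell history.

```powershell
# Added example: write the VeraCrypt keyfile into the Printed Information object, then read
# it back to prove the YubiKey holds exactly the bytes VeraCrypt will use.
$KeyfilePath = "C:\path\to\mykeyfile"     # the file from the Keyfile Generator (placeholder)
$ObjectId    = "0x5fc109"                 # Printed Information (see the chart above)
$BackupDir   = "E:\veracrypt-backup"      # offline copy, e.g. a USB flash drive (placeholder)

$ykman = (Get-Command ykman -ErrorAction SilentlyContinue).Source
if (-not $ykman) { $ykman = "C:\Program Files\Yubico\YubiKey Manager\ykman.exe" }
if (-not (Test-Path $ykman))       { throw "ykman not found; install YubiKey Manager" }
if (-not (Test-Path $KeyfilePath)) { throw "Keyfile not found: $KeyfilePath" }

# Sanity-check the keyfile before writing it: this guide uses 64-byte keyfiles.
$len = (Get-Item $KeyfilePath).Length
if ($len -ne 64) { Write-Warning "Keyfile is $len bytes, not the 64 bytes this guide expects" }

# 1. Write the keyfile into the PIV data object (ykman asks for the management key).
& $ykman piv objects import $ObjectId $KeyfilePath
if ($LASTEXITCODE -ne 0) { throw "ykman import failed (wrong management key?)" }

# 2. Read the object back (ykman asks for the PIV PIN) into a temp file and compare hashes.
$tmp = Join-Path $env:TEMP ("piv-" + [guid]::NewGuid().ToString() + ".bin")
try {
    & $ykman piv objects export $ObjectId $tmp
    if ($LASTEXITCODE -ne 0) { throw "ykman export failed (wrong PIN?)" }
    $want = (Get-FileHash -Algorithm SHA256 -Path $KeyfilePath).Hash
    $got  = (Get-FileHash -Algorithm SHA256 -Path $tmp).Hash
    if ($want -ne $got) { throw "Object $ObjectId does not match the keyfile; re-run the import" }
    "OK: $ObjectId on the YubiKey matches $KeyfilePath (SHA-256 $want)"
} finally {
    # The export is a second copy of your secret keyfile; do not leave it behind in %TEMP%.
    if (Test-Path $tmp) { Remove-Item $tmp -Force }
}

# 3. Keep an offline backup: without it, a lost or broken YubiKey means a lost drive.
if (Test-Path $BackupDir) {
    Copy-Item $KeyfilePath -Destination $BackupDir
    "Backup written to $BackupDir; store it apart from the password."
}
```

A hash mismatch in step 2 means the import silently wrote something else (wrong object ID, or the file was changed in between); fix that before adding the Yubikey to the drive, because once the volume is re-keyed only the bytes actually on the token will open it.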

## <mark style="color:red;">❊ Linking Yubikey to Drive</mark>

Once you have imported your keyfile onto your Yubikey, it's time to add it to your encrypted drive's keyfiles.

Launch Veracrypt. You can either create a new encrypted drive, or edit an existing drive to accept a yubikey. The steps are almost identical.

For this tutorial, we'll explain both:

### <mark style="color:blue;">EXISTING DRIVE</mark>

<figure><img src="/files/rBlqC1pnbnt3WVjh3bkJ" alt=""><figcaption></figcaption></figure>

Select a drive letter to assign to your encrypted drive, and click **Select File** to open the container file you saved when you first created the encrypted drive.&#x20;

Next, click ![](/files/sr9bOfB9Nlt6141lcJzW) and select <mark style="color:yellow;">**Add/Remove keyfiles To/From Volume**</mark>.

<figure><img src="/files/B0Rl3F3BUdzVFhqnWiq9" alt=""><figcaption></figcaption></figure>

A dialog box will open.

<figure><img src="/files/psEyfao6Q6ozhDiHpsWM" alt=""><figcaption></figcaption></figure>

In the section labeled <mark style="color:yellow;">**Current**</mark>, fill in the credentials for how you normally unlock the encrypted drive. In our example, I enter the Password and a custom PIM.

<figure><img src="/files/QhPoUSN5aWTrzLkwqz38" alt=""><figcaption></figcaption></figure>

In the section labeled <mark style="color:yellow;">**New**</mark>, select ![](/files/vlHaMMw0C6CYpUYi0bDc) and press ![](/files/wE1OXOZciAGP2SN0f9YH).

<figure><img src="/files/dxwQjdWdhN4AR9w95Tti" alt=""><figcaption></figcaption></figure>

On the new dialog, press ![](/files/UHYInoZh9WK7nlXd6ECg)

A dialog will appear:

<figure><img src="/files/tR4b4nOIwqcKJ0AVPXG3" alt=""><figcaption></figcaption></figure>

This is the PIN dialog for your Yubikey. Enter your **PIV PIN**, the same one you used for **Manage Security Token Keyfiles** earlier (Veracrypt logs in to the token as the user, which OpenSC maps to the PIV PIN).\
default: <mark style="color:red;">**`123456`**</mark> (note that `12345678` is the default PUK, not the PIN)

{% hint style="danger" %}
If you do not see a dialog asking for you to enter a PIN, perform the following steps:
{% endhint %}

* At the top of Veracrypt, select <mark style="color:yellow;">**TOOLS**</mark> -> <mark style="color:yellow;">**Close all Security Token Sessions**</mark>.
* Completely close Veracrypt, ensure it's not sitting in your Windows taskbar near your clock.
* Next to your taskbar clock, hover over the icons and check for a running program called <mark style="color:yellow;">**OpenSC**</mark>.
  * If you do not see OpenSC, find and launch the program <mark style="color:yellow;">**`C:\Program Files\OpenSC Project\OpenSC\tools\opensc-notify.exe`**</mark>
  * If you do see OpenSC near your clock, right click and select Exit / Close.
* Unplug your Yubikey, wait 5 seconds, and plug back in.&#x20;
* A notification should appear:

<figure><img src="/files/lXLKPGobg4YPHGA9rNne" alt=""><figcaption></figcaption></figure>

* Re-launch Veracrypt, select your encrypted drive, click ![](/files/DApitAZ3fkKAz9prWAhF), select <mark style="color:yellow;">**Add/Remove keyfiles To/From Volume**</mark>, and then fill in your drive credentials again.

You should see a Yubikey PIV PIN dialog box:

<figure><img src="/files/4Vfk6lL7QIOy7rJ3ZhlG" alt=""><figcaption><p>default PIV PIN: 123456</p></figcaption></figure>

#### <mark style="color:purple;">Continued Issues?</mark>

{% hint style="danger" %}
If you continue at this point to either not get the PIN dialog box, or your list is empty for the **Select Security Token Keyfiles** box, read the ![](/files/cx3UyzbMaa2qyyOJ3lWy) [**Notes**](#notes) section and then return here when you get it working.
{% endhint %}

Once you enter your PIN, a dialog should appear with a list of files on your Yubikey:

<figure><img src="/files/k0wXBFAKvycn7zIMkL4m" alt=""><figcaption></figcaption></figure>

Select the file name <mark style="color:yellow;">**Printed Information**</mark>, which is the object we imported our keyfile onto earlier. This file is slot / object <mark style="color:red;">**0x5fc109**</mark> which came from the ![](/files/cx3UyzbMaa2qyyOJ3lWy) [**Object ID chart**](#slot-object-ids).

{% hint style="info" %}
Important Info

Prior to writing this guide, I attempted to write a keyfile to <mark style="color:blue;">**Cardholder Fingerprints**</mark> and <mark style="color:blue;">**Cardholder Facial Image**</mark>**.**

Importing to those two slots appeared to have no effect. I could unlock the drive with any Yubikey that I inserted, even if I hadn't imported the new keyfile yet.\
\
Some people have claimed success using the other two slots, but I had no such luck. Try at your own risk.
{% endhint %}

Once you select the <mark style="color:yellow;">**Printed Information**</mark> slot, press ![](/files/IlKCP1F7dxeOKXYa8mAo) and the list on the previous dialog should now be populated with your selected object / file.

<figure><img src="/files/ajpX6INXbpwXWK4RsTNc" alt=""><figcaption></figcaption></figure>

Press ![](/files/IlKCP1F7dxeOKXYa8mAo) and go back to the first dialog where you filled in the information.

<figure><img src="/files/LxscyqU1neC8ldnuiXea" alt=""><figcaption></figcaption></figure>

Press ![](/files/IlKCP1F7dxeOKXYa8mAo), Veracrypt will start the process of adding the keyfile.

<figure><img src="/files/seDXccp9n1efvjOryOnR" alt=""><figcaption></figcaption></figure>

Eventually Veracrypt will show a dialog which makes you move your mouse cursor. Move your mouse until the bar is completely filled to the right.

<figure><img src="/files/Ng7bkZpLYMYUoB4WVHGZ" alt=""><figcaption></figcaption></figure>

Veracrypt should confirm the changes to your drive:

<figure><img src="/files/hbKKBtgD04fjVcXCoyfc" alt=""><figcaption></figcaption></figure>

From now on, every time you mount that drive, you will need to select ![](/files/762IP08ZG2o5hFHllhEN) and select your keys with the ![](/files/Fa5ekOQdyv1E32S13CX2) button.
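For scripted mounting, as an added example that is not taken from the guide: the same keyfile selection can be given to VeraCrypt.exe on the command line, using the `token://` path Veracrypt assigns to the data object. Paths are placeholders, and the switches (`/v`, `/l`, `/k`, `/tokenlib`, `/q`, and the deliberately unused `/p` and `/tokenpin`) are taken from Veracrypt's Windows command-line usage; confirm them against the documentation for your installed version before relying on this.

```powershell
# Added example: mount a VeraCrypt volume from PowerShell with the YubiKey keyfile.
$VeraCrypt = "C:\Program Files\VeraCrypt\VeraCrypt.exe"   # default install path (assumption)
$Volume    = "C:\path\to\volume.hc"                       # your container file (placeholder)
$Letter    = "X"
$TokenLib  = "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll"
# Security token keyfiles are addressed as token://slot/<slot>/file/<object label>;
# this is the Printed Information object written earlier (slot 0 as shown in the dialog).
$Keyfile   = "token://slot/0/file/Printed Information"

if (-not (Test-Path $VeraCrypt)) { throw "VeraCrypt.exe not found at $VeraCrypt" }
if (-not (Test-Path $Volume))    { throw "Volume not found: $Volume" }

# /v volume, /l drive letter, /k keyfile, /tokenlib PKCS#11 module, /q quiet (no main window).
# The password, PIM and PIV PIN are still prompted for interactively. /p and /tokenpin would
# remove the prompts, but anything on the command line is visible to other users in the
# process list and is kept in shell history, so secrets are deliberately not passed here.
$argList = "/v `"$Volume`" /l $Letter /k `"$Keyfile`" /tokenlib `"$TokenLib`" /q"

# VeraCrypt.exe is a GUI program, so wait for it explicitly; it exits once the mount attempt is done.
Start-Process -FilePath $VeraCrypt -ArgumentList $argList -Wait

if (Test-Path "${Letter}:\") {
    "Mounted $Volume on ${Letter}:"
} else {
    Write-Warning "Mount failed; check the PIN and password, and that the Yubikey is listed under Manage Security Token Keyfiles."
}
```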

This process is very similar for creating a new encrypted drive.

### <mark style="color:blue;">NEW DRIVE</mark>

For a new drive, you will follow the normal steps of creating a drive. However, the interface will look slightly different when it comes time to add your keyfiles from your Yubikey:

<figure><img src="/files/2okHRJcmLSn97bn8kOWC" alt=""><figcaption></figcaption></figure>

On the dialog box above, enter a password and a custom PIM, then check ![](/files/762IP08ZG2o5hFHllhEN).&#x20;

Then click the ![](/files/g21pFXAn0sgdfGmwVUWM) -> ![](/files/BPVV4VmayOukhkQVhTh5).

You'll then be prompted for your Yubikey's PIV PIN:

<figure><img src="/files/3zxitYP8QeZbxgqXhU4t" alt=""><figcaption><p>Default PIV PIN: 123456</p></figcaption></figure>

Select the file <mark style="color:yellow;">**Printed Information**</mark> from your Yubikey slot:

<figure><img src="/files/9WA3MKMLJIcyo98aEKjr" alt=""><figcaption></figcaption></figure>

Click ![](/files/VqAnKI6MgGGZlGuzZ7HA) and confirm your selected file appears in the list:

<figure><img src="/files/VbeWiyqW68jszvOJSMDe" alt=""><figcaption></figcaption></figure>

Press ![](/files/VqAnKI6MgGGZlGuzZ7HA) once more until you're back on the page where you provide a password and PIM.

Proceed forward with the normal steps to create an encrypted drive.

## <mark style="color:red;">❊ Notes</mark>

It is possible to utilize a Yubikey with Veracrypt (I do it every day); it's just an extremely touchy system.

Sometimes when you attempt to load your Yubikey, you'll receive errors that it cannot see your Yubikey at all. Or the list which is supposed to show your three Yubikey files / slots will not populate.

On occasion, I also received this error:

<figure><img src="/files/oL5fjjDQKvOsmPBZbaTZ" alt=""><figcaption><p>A dumb error</p></figcaption></figure>

If you are having these issues, it's a game of trial and error, which means:

* Unplug Yubikey from USB port.
* Click <mark style="color:red;">**TOOLS**</mark> -> ![](/files/NVI4nzUzjWD59dpz1O7K)
* Completely close Veracrypt *(ensure it's not sitting as an icon near your clock or tray)*.
* Check near your clock for OpenSC, which should be the icon ![](/files/j2A7dvNjrPFEtVVb9c3x)
* Completely close OpenSC by right-clicking it near the clock tray and selecting **Exit**.
* Re-launch OpenSC by running the program <mark style="color:yellow;">**`C:\Program Files\OpenSC Project\OpenSC\tools\opensc-notify.exe`**</mark>
* Plug your Yubikey back in.
* Double check that you did indeed import the keyfile to the PIV slot.
  * This means following the instructions for ![](/files/cx3UyzbMaa2qyyOJ3lWy) [**Import Keyfile to Yubikey**](#import-keyfile-to-yubikey) again.
* Make sure you don't have programs like GnuPG's Kleopatra running near your clock or in your taskbar. Kleopatra starts GnuPG's `scdaemon`, which opens the smart card exclusively and stops PIV from working for any other program until it is closed (or configured with `pcsc-shared` in `scdaemon.conf`).
* Repeat these steps until Veracrypt sees the Yubikey again.

![](/files/cx3UyzbMaa2qyyOJ3lWy) [**If you came here from the warning box above, click here to return.**](#continued-issues)
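The reset sequence above as a PowerShell script, added here as an example rather than taken from the guide. It assumes the default OpenSC install paths and the usual process names for Veracrypt, OpenSC's tray helper and GnuPG's components; run it from an elevated PowerShell, since restarting the Smart Card service needs administrator rights, and dismount any open volumes first because it closes Veracrypt without asking.

```powershell
# Added example: the Notes troubleshooting steps as a script (run elevated).
$OpenSC = "C:\Program Files\OpenSC Project\OpenSC"
$Notify = Join-Path $OpenSC "tools\opensc-notify.exe"
$Module = Join-Path $OpenSC "pkcs11\opensc-pkcs11.dll"
$Tool   = Join-Path $OpenSC "tools\pkcs11-tool.exe"

# 1. Close VeraCrypt completely; a minimised tray instance keeps its token session open.
Get-Process -Name VeraCrypt -ErrorAction SilentlyContinue | Stop-Process -Force

# 2. Stop OpenSC's tray helper so it can be restarted cleanly.
Get-Process -Name opensc-notify -ErrorAction SilentlyContinue | Stop-Process -Force

# 3. Report other programs that grab the card. GnuPG's scdaemon (started by Kleopatra or
#    gpg-agent) opens it exclusively, so PIV is unreachable for VeraCrypt while it runs.
$conflicts = Get-Process -Name kleopatra, scdaemon, gpg-agent -ErrorAction SilentlyContinue
if ($conflicts) {
    Write-Warning ("Close these before retrying: " + (($conflicts.Name | Sort-Object -Unique) -join ', '))
}

# 4. Restart the Windows Smart Card service so the reader and the YubiKey are re-enumerated.
Restart-Service -Name SCardSvr -Force

# 5. Re-seat the key, then bring the tray helper back.
Read-Host "Unplug the YubiKey, wait 5 seconds, plug it back in, then press Enter" | Out-Null
Start-Process -FilePath $Notify

# 6. Confirm the PKCS#11 module sees a token before opening VeraCrypt again.
$slots = (& $Tool --module $Module --list-slots 2>&1) -join "`n"
if ($slots -match 'token label') {
    "Token visible again; launch VeraCrypt and retry."
} else {
    Write-Warning "Still no token. Check the conflicts above and redo the Import Keyfile to Yubikey step."
}
```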


