Veracrypt

This guide explains how to set up and unlock a Veracrypt encrypted drive with your Yubikey.

This tutorial requires one device from any of the following categories:

❊ How It Works

To have your Yubikey unlock your Veracrypt drive, the Yubikey must be plugged into your computer with a keyfile imported into a particular PIV data object (Veracrypt presents these objects as "token keyfiles").

When creating a new encrypted drive, you generate a keyfile that will be used, together with your password, to unlock the drive, and then import that keyfile onto your Yubikey. Every time you mount the drive, you choose the keyfile option and select your Yubikey as the token. Veracrypt reads the keyfile from the Yubikey, mixes it into your password (and PIM, if you use one) to derive the header key, and unlocks the drive if the volume header decrypts. Nothing about the keyfile is stored on the system or in the volume itself, which is why the bytes on the Yubikey must match exactly what the drive was set up with.

If you have an existing drive, you can add Yubikey as an additional security measure.

Along with the copy imported on your Yubikey, save the keyfile somewhere else as well; a USB flash drive kept offline is recommended. If your Yubikey stops working or is lost, that backup keyfile is the only way to unlock your drive. Keep the backup as an exact copy and never open it in a text editor: any change to its bytes, even an added trailing newline, produces a different keyfile that will not unlock the drive.

❊ Installation

Software is available for Windows, MacOS, and Linux.

Veracrypt Portable Warning (Windows)

The Windows version includes a link to a portable download. This is a version of Veracrypt that can run on your computer without needing to be installed. It allows you to place the program on a flash drive and open it on any computer.

The portable version of Veracrypt does NOT support Yubikeys.

You must download and install the full version of Veracrypt for Windows.

❊ Creating a Keyfile

Launch Veracrypt.

Locate the Tools menu at the top and select Keyfile Generator.

You will notice a progress bar at the very bottom will start red and slowly progress to green as the bar fills.

To fill this bar, move your mouse back and forth.

For a Yubikey device, keep the Keyfile Size at the default 64 bytes; the PIV data objects the keyfile will be written to are small.

You can leave Mixing PRF at SHA-512.

Toward the bottom, type a name for your keyfile in the field Keyfiles Base Name.

Click Generate and Save Keyfile ...

A dialog box will appear and ask you to select the folder you want to save the keyfile in. Select any folder. After you complete that step, you should get a save notification:

Use File Explorer (or your platform's file manager) to go to the folder where you saved your keyfile and confirm that it is there.

❊ Installing OpenSC

Veracrypt does not talk to a Yubikey directly: it loads security tokens through a PKCS#11 library, and the third-party program OpenSC provides that library for the Yubikey's PIV application.

OpenSC will be the "bridge" for communication between Veracrypt and your Yubikey.

Install the program. It will set itself up and run in the background while your computer is on.

If installing on Windows, you may be greeted with this lovely screen:

Begin installation:

Continue to click Next until you get to a screen which lists features available for install:

Select the following:

  • Core components

  • PKCS#11 module

  • Smartcard Minidriver

  • Command line tools

Other options are optional -- select if desired.

Let OpenSC finish installation:

Once you have installed OpenSC, you can give your computer a reboot and OpenSC should run at startup.

If you don't want to wait on reboot, you can manually start OpenSC by executing the file:

C:\Program Files\OpenSC Project\OpenSC\tools\opensc-notify.exe

Re-launch Veracrypt and in the top menu, select Tools -> Manage Security Token Keyfiles...

You will get a notification about some steps that need to be performed first:

Open the top menu back up, and select Settings -> Security Tokens.

You will need to provide the path to your Yubikey's PKCS#11 library.

The Auto-Detect button sometimes works; if it doesn't and you receive an error that it cannot locate your module, you'll need to specify it manually.

Click the Select Library button, and navigate to:

C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll

After you've selected the PKCS#11 module, save, and close Veracrypt completely.

Re-launch, and you should now be able to open Tools -> Manage Security Token Keyfiles...; a dialog box should appear asking for your smartcard PIV PIN.

If you see nothing in the list, completely close Veracrypt and then remove your Yubikey from the USB port. Wait a few seconds, and then plug your Yubikey back in. Then launch Veracrypt and go back to Tools -> Manage Security Token Keyfiles...

❊ Import Keyfile to Yubikey

If you've read my other guides, you will know that the PIV application has four main key slots: 9A, 9C, 9D, and 9E. Those hold private keys and certificates, and we will not be using them here. Your generated keyfile is raw data, so it is written into one of the PIV data objects instead.

The "special slots" referred to in this guide are the three data objects that OpenSC exposes and that Veracrypt lists when you connect your Yubikey to unlock or create a drive.

To view these slots, return to Veracrypt.

Select Tools -> Manage Security Token Keyfiles...

A dialog box will appear and ask you for a PIV PIN:

Enter the PIV PIN you have configured for your Yubikey.

If you have not changed the default PIV PIN yet, enter: 123456

Press OK and a new dialog will appear listing the three data objects, shown under slot 0 (the PKCS#11 slot OpenSC assigns to the Yubikey), referred to earlier:

For this guide, we are going to import our generated keyfile into the PIV object / slot Printed Information.

SLOT / OBJECT IDS

The slot / object IDs for these three data objects are provided below:

  File Name                  Slot / Object ID
  Cardholder Fingerprints    0x5fc103
  Printed Information        0x5fc109
  Cardholder Facial Image    0x5fc108

You will need to enter the slot / object id in a few moments.

Open your Command Prompt, Terminal, or Powershell.

Change directories to the folder which has ykman.exe:

cd "C:\Program Files\Yubico\YubiKey Manager\"

ykman is the YubiKey Manager command-line tool; it is included in your installation of Yubikey Manager.

Once you have navigated to the Yubikey Manager folder, change the information in the command below and then execute it:

ykman piv objects import 0x5fc109 "C:\path\to\mykeyfile"

  Argument                   Description
  0x5fc109                   Object ID of Printed Information (see the chart above).
  "C:\path\to\mykeyfile"     The path and name of the keyfile you created.

Wrap the path to your keyfile in quotation marks, especially if the path contains spaces in the folder or file names.

Execute the command; you will see the following prompt:

Enter a management key [blank to use default key]:

Type the PIV management key you've set for your Yubikey's PIV interface, or press ENTER if you've never changed the default pre-programmed management key.

Default Management Key: 010203040506070801020304050607080102030405060708

The management key is what authorizes writes to the PIV data objects. If you leave it at the published default, anyone with physical access to the Yubikey can overwrite or replace the keyfile object, so change it with ykman (piv access change-management-key in current versions) once the keyfile is imported and tested.
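The following is an added example, not code from Veracrypt, Yubico or this guide. It models two things described above: how a keyfile is mixed into the password (the CRC-32 pool scheme TrueCrypt documented and Veracrypt inherited; the 64-byte pool size is an assumption here), and the check a practitioner should run after importing, namely that the backup copy and the bytes read back from the Yubikey are byte-for-byte identical. The demo password and keyfile are constructed for the example.

```python
# Added example (not Veracrypt's or Yubico's code): a model of keyfile mixing
# plus a byte-for-byte check between the backup copy and the bytes read back
# from the Yubikey.  Pool size and the demo inputs are assumptions.
import hashlib
import secrets
import zlib

POOL_SIZE = 64  # assumed keyfile pool size; Veracrypt's generator default is 64 bytes


def make_keyfile(size: int = 64) -> bytes:
    """Random keyfile bytes.  The GUI generator gathers entropy from mouse
    movement; here the OS CSPRNG stands in for that."""
    return secrets.token_bytes(size)


def mix_keyfile_into_password(password: bytes, keyfile: bytes,
                              pool_size: int = POOL_SIZE) -> bytes:
    """Model of keyfile processing: a running CRC-32 over the keyfile bytes is
    folded into a fixed-size pool, then the pool is added byte-wise (mod 256)
    to the password.  The result feeds header-key derivation, so nothing about
    the keyfile is stored in the volume or on the system."""
    pool = bytearray(pool_size)
    crc = 0xFFFFFFFF  # raw CRC register, no final inversion
    write_pos = 0
    for b in keyfile:
        # zlib.crc32 takes and returns the inverted register, so invert around it
        crc = zlib.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
        for shift in (24, 16, 8, 0):
            pool[write_pos] = (pool[write_pos] + ((crc >> shift) & 0xFF)) & 0xFF
            write_pos = (write_pos + 1) % pool_size
    mixed = bytearray(max(len(password), pool_size))
    for i in range(len(mixed)):
        pw = password[i] if i < len(password) else 0
        pool_byte = pool[i] if i < pool_size else 0
        mixed[i] = (pw + pool_byte) & 0xFF
    return bytes(mixed)


def fingerprint(data: bytes) -> str:
    """SHA-256 of the keyfile bytes.  Record this when you generate the keyfile
    and compare it against the backup and against the object read back."""
    return hashlib.sha256(data).hexdigest()


def copies_match(backup: bytes, readback: bytes) -> bool:
    """The bytes read back from the Yubikey must equal the backup exactly;
    a stray trailing newline added by an editor is enough to break unlocking."""
    return len(backup) == len(readback) and secrets.compare_digest(backup, readback)


if __name__ == "__main__":
    keyfile = make_keyfile()
    backup = bytes(keyfile)                  # the copy you keep on a flash drive
    print("keyfile sha256:", fingerprint(keyfile))

    password = b"correct horse battery staple"   # constructed demo password
    mixed = mix_keyfile_into_password(password, keyfile)

    # Flip one bit in the keyfile: the mixed password changes, so a corrupted
    # backup (or a keyfile re-saved by an editor) will not unlock the volume.
    damaged = bytes([keyfile[0] ^ 0x01]) + keyfile[1:]
    print("one-bit change alters mixed password:",
          mixed != mix_keyfile_into_password(password, damaged))
    print("backup matches readback:", copies_match(backup, keyfile))
```

To run the real check, read the object back off the Yubikey (ykman piv objects export 0x5fc109 readback.bin in ykman versions that provide the export subcommand; this assumes the exported bytes are the raw object contents), then compare fingerprint() of readback.bin with that of your backup. If the two differ, the Yubikey does not hold the keyfile the drive was created with.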

❊ Linking Yubikey to Drive

Once you have imported your keyfile onto your Yubikey, it's time to tell your encrypted drive where it's at.

Launch Veracrypt. You can either create a new encrypted drive, or edit an existing drive to accept a yubikey. The steps are almost identical.

For this tutorial; we'll explain both:

EXISTING DRIVE

Select a drive letter to assign to your encrypted drive, click Select File, and open the volume file you saved when you first made the encrypted drive. Then choose Volumes -> Change Volume Password... from the top menu.

A dialog box will open.

In the section labeled Current, fill in the credentials you normally use to unlock the encrypted drive. In our example, I enter the Password and a custom PIM. In the section labeled New, tick Use keyfiles, click Keyfiles..., and then Add Token Files....

A dialog will appear:

This is the dialog for your Yubikey. Enter your PIV PIN (default: 123456). Note that 12345678 is the default PUK, not the PIN, and will not be accepted here.

If you do not see a dialog asking for you to enter a PIN, perform the following steps:

  • At the top of Veracrypt, select TOOLS -> Close all Security Token Sessions.

  • Completely close Veracrypt; ensure it's not sitting as an icon in the system tray near your clock.

  • Next to your taskbar clock, hover over the icons and check for a running program called OpenSC.

    • If you do not see OpenSC, find and launch the program C:\Program Files\OpenSC Project\OpenSC\tools\opensc-notify.exe

    • If you do see OpenSC near your clock, right click and select Exit / Close.

  • Unplug your Yubikey, wait 5 seconds, and plug back in.

  • A notification should appear:

You should see a Yubikey PIV PIN dialog box:

Continued issues? See the Notes section at the end of this guide.

Once you enter your PIN, a dialog should appear with a list of files on your Yubikey:

Important Info

Prior to writing this guide, I attempted to write a keyfile to Cardholder Fingerprints and Cardholder Facial Image.

Importing to those two slots appeared to have no effect. I could unlock the drive with any Yubikey that I inserted, even if I hadn't imported the new keyfile yet. Some people have claimed success using the other two slots, but I had no such luck. Try at your own risk.

Eventually Veracrypt will show a dialog that asks you to move your mouse cursor; the movement feeds the random pool used to re-encrypt the volume header. Move your mouse until the bar is completely filled to the right.

Veracrypt should confirm the changes to your drive:

This process is very similar for creating a new encrypted drive.

NEW DRIVE

For a new drive, you will follow the normal steps of creating a drive. However, the interface will look slightly different when it comes time to add your keyfiles from your Yubikey:

You'll then be prompted for your Yubikey's PIV PIN (default: 123456):

Select the file Printed Information from your Yubikey slot:

Proceed forward with the normal steps to create an encrypted drive.

❊ Notes

It is possible to utilize a Yubikey with Veracrypt (I do it every day); it's just an extremely touchy system.

Sometimes when you attempt to load your Yubikey, you'll receive errors that Veracrypt cannot see your Yubikey at all, or the list that is supposed to show your three Yubikey files / slots will not populate.

On occasion, I also received this error:

If you are having these issues, it's a game of "trial-and-error", which means:

  • Unplug Yubikey from USB port.

  • Completely close Veracrypt (ensure it's not sitting as an icon in the system tray near your clock).

  • Completely close OpenSC by right-clicking it near the clock tray and selecting Exit.

  • Re-launch OpenSC by running the program C:\Program Files\OpenSC Project\OpenSC\tools\opensc-notify.exe

  • Plug your Yubikey back in.

  • Double check that you did indeed import the keyfile to the PIV slot.

  • Make sure you don't have programs like GnuPG's Kleopatra running in the tray or taskbar. Its smart-card daemon (scdaemon) keeps an exclusive connection to the card, which stops PIV from working for any other program.

  • And continue doing these steps until you get a response.
