Veracrypt
This guide explains how to set up and unlock a Veracrypt encrypted drive with your Yubikey.
This tutorial requires one device from any of the following categories:
To have your Yubikey unlock your Veracrypt drive, you will need to have your Yubikey plugged into your computer with a keyfile imported into a particular PIV slot.
When creating a new encrypted drive, you will need to generate a keyfile that you will use to unlock your drive. Then you will need to import that keyfile onto your Yubikey. Every time you attempt to mount your encrypted drive, you will choose the keyfile option and then select your Yubikey as an authentication method. Veracrypt will then read your Yubikey's imported keyfile, match that with what is stored on the system and then unlock your drive.
If you have an existing drive, you can add Yubikey as an additional security measure.
Along with having this imported keyfile on your Yubikey, you should also save that keyfile somewhere else. A USB flash drive is recommended. If your Yubikey stops working, you will need that backup keyfile in order to unlock your drive.
Software is available for Windows, MacOS, and Linux.
Veracrypt Portable Warning (Windows)
The Windows version includes a link to a portable download. This is a version of Veracrypt that can run on your computer without needing to be installed. It allows you to place the program on a flash drive and open it on any computer.
The portable version of Veracrypt does NOT support Yubikeys.
You must download and install the full version of Veracrypt for Windows.
Launch Veracrypt.
Locate the Tools menu at the top and select Keyfile Generator.
A progress bar at the very bottom starts red and slowly turns green as it fills.
To fill this bar, move your mouse back and forth.
For a Yubikey device, you must keep the Keyfile Size at 64 bytes.
You can leave Mixing PRF at SHA-512.
Toward the bottom, type a name for your keyfile in the field Keyfiles Base Name.
Click Generate and Save Keyfile ...
A dialog box will appear and ask you to select the folder you want to save the keyfile in. Select any folder. After you complete that step, you should get a save notification:
Use a program like Windows File Manager and go to the folder where you saved your keyfile and confirm that it is there.
Veracrypt itself cannot read a Yubikey directly; it needs help from a third-party program called OpenSC.
OpenSC acts as the "bridge" for communication between Veracrypt and your Yubikey.
Install the program. It will set itself up and run in the background while your computer is on.
If installing on Windows, you may be greeted with this lovely screen:
Begin installation:
Continue to click Next until you get to a screen which lists features available for install:
Select the following:
Core components
PKCS#11 module
Smartcard Minidriver
Command line tools
The remaining components are optional; select them if desired.
Let OpenSC finish installation:
Once you have installed OpenSC, you can give your computer a reboot and OpenSC should run at startup.
If you don't want to wait on reboot, you can manually start OpenSC by executing the file:
C:\Program Files\OpenSC Project\OpenSC\tools\opensc-notify.exe
Re-launch Veracrypt and, in the top menu, select Tools -> Manage Security Token Keyfiles.
You will get a notification listing some steps that need to be performed:
Open the top menu back up, and select Settings -> Security Tokens.
You will need to provide the path to your Yubikey's PKCS#11 library.
The Auto-Detect button will sometimes work. If it doesn't, and you receive an error that it cannot locate your module, you'll need to specify it manually.
Click the Select Library button, and navigate to:
C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll
After you've selected the PKCS#11 module, save, and close Veracrypt completely.
Re-launch Veracrypt. You should now be able to navigate to Tools -> Manage Security Token Keyfiles, and a dialog box should appear asking for your smartcard PIV PIN.
If you see nothing in the list, completely close Veracrypt and then remove your Yubikey from the USB port. Wait a few seconds, then plug your Yubikey back in. Launch Veracrypt and go back to Tools -> Manage Security Token Keyfiles.
If you've read my other guides, you will know that the PIV module has four main slots: 9A, 9C, 9D, and 9E. We will not be using those slots for this key. Your generated keyfile will need to be imported into a special PIV slot.
The special slots being referred to are the three slots that Veracrypt allows you to select when you connect your Yubikey and unlock or create a drive.
To view these slots, return to Veracrypt.
Select Tools -> Manage Security Token Keyfiles...
A dialog box will appear and ask you for a PIV PIN:
Enter the PIV PIN you have configured for your Yubikey.
If you have not changed the default PIV PIN yet, enter: 123456
Press OK and a new dialog will appear and show the three special files in slot 0 referred to earlier:
For this guide, we are going to import our generated keyfile into the PIV object / slot Printed Information.
The slot / object IDs for these three slots are listed below:
Cardholder Fingerprints    0x5fc103
Printed Information        0x5fc109
Cardholder Facial Image    0x5fc108
You will need to enter the slot / object id in a few moments.
Open your Command Prompt, Terminal, or Powershell.
Change directories to the folder which contains ykman.exe:
That section will explain what ykman is, and how to download it for your operating system. It is included in your installation of Yubikey Manager.
Once you have navigated to the Yubikey Manager folder, replace the placeholders in the command below and then execute it:
0x5fc109: the object ID for the Printed Information slot explained above (see the chart).
C:\Path\Keyfile\mykeyfile: the path and name of the keyfile you created.
Wrap the path to your keyfile in quotation marks, especially if the path to the file contains spaces in the folder / file names.
Execute the command; you will see the following message:
Type the PIV Management Key you've specified for your Yubikey's PIV interface. Press ENTER if you've never changed the default pre-programmed management key.
Default Management Key:
010203040506070801020304050607080102030405060708
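The import and the follow-up checks, as an added PowerShell example that is not part of the original guide: it keeps the 64-byte size check, takes the offline backup the guide recommends, writes the keyfile into Printed Information, and then reads the object back from the Yubikey to confirm it matches the file on disk. It assumes ykman 4.x or later is on your PATH (the `ykman piv objects import` / `export` subcommands; older releases named these differently), and every path below is a placeholder for your own.

```powershell
# Added example (not from the original guide). Assumes ykman 4.x+ on PATH.
# All paths are placeholders; replace them with your own.

$ObjectId = '0x5fc109'                       # Printed Information, from the chart above
$KeyFile  = 'C:\Path\Keyfile\mykeyfile'      # the keyfile Veracrypt generated
$Backup   = 'E:\keyfile-backup\mykeyfile'    # offline copy on a separate flash drive

# A keyfile destined for a Yubikey must be exactly 64 bytes.
$size = (Get-Item -LiteralPath $KeyFile).Length
if ($size -ne 64) { throw "Keyfile is $size bytes; expected 64" }

# Take the backup first: a dead Yubikey must not mean a lost volume.
Copy-Item -LiteralPath $KeyFile -Destination $Backup
$srcHash = (Get-FileHash -LiteralPath $KeyFile -Algorithm SHA256).Hash
$bakHash = (Get-FileHash -LiteralPath $Backup  -Algorithm SHA256).Hash
if ($srcHash -ne $bakHash) { throw 'Backup copy does not match the original keyfile' }

# Write the keyfile into the PIV object. ykman prompts for the management key;
# press ENTER to use the default one listed in the guide if you never changed it.
ykman piv objects import $ObjectId $KeyFile
if ($LASTEXITCODE -ne 0) { throw "ykman import failed with exit code $LASTEXITCODE" }

# Read the object back (ykman prompts for the PIV PIN) and compare it with the file.
$Exported = Join-Path $env:TEMP 'piv-object-check.bin'
ykman piv objects export $ObjectId $Exported
if ($LASTEXITCODE -ne 0) { throw "ykman export failed with exit code $LASTEXITCODE" }

$tokenHash = (Get-FileHash -LiteralPath $Exported -Algorithm SHA256).Hash
Remove-Item -LiteralPath $Exported -Force
if ($srcHash -ne $tokenHash) { throw 'Object on the Yubikey does not match the keyfile' }
Write-Host "Keyfile imported into $ObjectId and verified against $KeyFile"
```

The read-back step is the part worth keeping: if the export does not hash to the same value as the keyfile, Veracrypt will never derive the same key from the token, and it is far better to learn that now than after the volume header has been re-encrypted.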
Once you have imported your keyfile onto your Yubikey, it's time to tell your encrypted drive where it is.
Launch Veracrypt. You can either create a new encrypted drive, or edit an existing drive to accept a yubikey. The steps are almost identical.
For this tutorial; we'll explain both:
Select a drive letter to assign to your encrypted drive, and click Select File to open the drive file you saved when you first made the encrypted drive.
A dialog box will open.
In the section labeled Current, fill in the credentials for how you normally unlock the encrypted drive. In our example, I enter the Password and a custom PIM.
A dialog will appear:
This is the dialog associated with your Yubikey. You will need to enter your PIV ADMIN PIN.
default: 12345678
If you do not see a dialog asking for you to enter a PIN, perform the following steps:
At the top of Veracrypt, select TOOLS -> Close all Security Token Sessions.
Completely close Veracrypt, ensure it's not sitting in your Windows taskbar near your clock.
Next to your taskbar clock, hover over the icons and check for a running program called OpenSC.
If you do not see OpenSC, find and launch the program C:\Program Files\OpenSC Project\OpenSC\tools\opensc-notify.exe
If you do see OpenSC near your clock, right click and select Exit / Close.
Unplug your Yubikey, wait 5 seconds, and plug back in.
A notification should appear:
You should see a Yubikey PIV PIN dialog box:
Once you enter your PIN, a dialog should appear with a list of files on your Yubikey:
Important Info
Prior to writing this guide, I attempted to write a keyfile to Cardholder Fingerprints and Cardholder Facial Image.
Importing to those two slots appeared to have no effect. I could unlock the drive with any Yubikey that I inserted, even if I hadn't imported the new keyfile yet. Some people have claimed success using the other two slots, but I had no such luck. Try at your own risk.
Eventually Veracrypt will show a dialog which makes you move your mouse cursor. Move your mouse until the bar is completely filled to the right.
Veracrypt should confirm the changes to your drive:
This process is very similar for creating a new encrypted drive.
For a new drive, you will follow the normal steps of creating a drive. However, the interface will look slightly different when it comes time to add your keyfiles from your Yubikey:
You'll then be prompted for your Yubikey's PIV ADMIN PIN:
Select the file Printed Information from your Yubikey slot:
Proceed forward with the normal steps to create an encrypted drive.
It is possible to utilize a Yubikey with Veracrypt (I do it every day), it's just an extremely touchy system.
Sometimes when you attempt to load your Yubikey, you'll receive errors that it cannot see your Yubikey at all, or the list which is supposed to show your three Yubikey files / slots will not populate.
On occasion, I also received this error:
If you are having these issues, it's a game of "trial-and-error", which means:
Unplug Yubikey from USB port.
Completely close Veracrypt (ensure it's not sitting as an icon near your clock or tray).
Completely close OpenSC by right-clicking it near the clock tray and selecting Exit.
Re-launch OpenSC by running the program C:\Program Files\OpenSC Project\OpenSC\tools\opensc-notify.exe
Plug your Yubikey back in.
Double check that you did indeed import the keyfile to the PIV slot.
Make sure you don't have programs like Gpg Kleopatra running near your clock or in your taskbar. This program takes priority and will stop PIV from functioning for any other program.
And continue doing these steps until you get a response.
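A pre-flight check for the trial-and-error loop above, as an added PowerShell example that is not part of the original guide: it walks the same list (PKCS#11 module present, opensc-notify running, Kleopatra not running, Veracrypt fully closed, Yubikey visible) and reports what is wrong before you start unplugging and relaunching. The OpenSC paths are the ones the guide names; the process names (opensc-notify, kleopatra, VeraCrypt) and the `ykman list` subcommand are assumptions about the standard installs.

```powershell
# Added example (not from the original guide). Process names and the
# "ykman list" subcommand are assumptions about the standard installs.

$OpenScNotify = 'C:\Program Files\OpenSC Project\OpenSC\tools\opensc-notify.exe'
$Pkcs11Module = 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll'
$problems = @()

# 1. The PKCS#11 library Veracrypt was pointed at must exist on disk.
if (-not (Test-Path -LiteralPath $Pkcs11Module)) {
    $problems += "PKCS#11 module not found at $Pkcs11Module"
}

# 2. OpenSC's tray helper is the bridge to the Yubikey and should be running.
if (-not (Get-Process -Name 'opensc-notify' -ErrorAction SilentlyContinue)) {
    $problems += "opensc-notify is not running; start $OpenScNotify"
}

# 3. Kleopatra takes over the PIV interface and blocks other programs.
if (Get-Process -Name 'kleopatra' -ErrorAction SilentlyContinue) {
    $problems += 'Kleopatra is running; close it before mounting the volume'
}

# 4. Veracrypt must be fully closed, not minimised to the tray, before a retry.
if (Get-Process -Name 'VeraCrypt' -ErrorAction SilentlyContinue) {
    $problems += 'VeraCrypt is still running; exit it completely first'
}

# 5. The Yubikey itself must be visible to ykman.
$devices = & ykman list 2>$null
if ($LASTEXITCODE -ne 0 -or -not $devices) {
    $problems += 'ykman cannot see a Yubikey; unplug it, wait 5 seconds, plug it back in'
}

if ($problems.Count -eq 0) {
    Write-Host 'Pre-flight OK: try Tools -> Manage Security Token Keyfiles again'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it from a PowerShell window after each unplug/replug cycle; once it reports no problems, the remaining cause is usually the keyfile never having been imported into the slot, which the import check above catches.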
Before starting, download and install VeraCrypt.
Once located, continue to the Import Keyfile to Yubikey section.
Download the latest version of OpenSC, visit the Github page's Downloads section here.
Fear not, as it isn't a virus. Simply click More Info and select
We will use the command-line ykman to do that.
To learn how to configure PIV and make PINs, visit the .
If you are unsure where Yubikey Manager or ykman.exe are installed, view the documentation for ykman here.
If you're unsure how to change your PIV Management Key, view .
Next, click and select Add/Remove keyfiles To/From Volume.
In the section labeled New, select and press .
On the new dialog, press
Re-launch Veracrypt, select your encrypted drive, click , select Add/Remove keyfiles To/From Volume, and then fill in your drive credentials again.
If you continue at this point to either not get the PIN dialog box, or your list is empty for the Select Security Token Keyfiles box, read the Notes section and then return here when you get it working.
Select the file name Printed Information, which is the object we imported our keyfile onto earlier. This file is slot / object 0x5fc109 which came from the Object ID chart.
Once you select the Printed Information slot, press , the list on the previous page should now be populated with your selected object / file.
Press and go back to the first dialog where you filled in the information.
Press , Veracrypt will start the process of adding the keyfile.
From now on, every time you mount that drive, you will need to select and select your keys with the button.
On the dialog box above, select a password, a modified PIM, and then checkmark .
Then click the -> .
Click and confirm your selected file appears in the list:
Press once more until you're back on the page where you provide a password and PIM.
Click TOOLS ->
Check near your clock for OpenSC, which should be the icon
This means following the instructions for Import Keyfile to Yubikey again.