I have bought two Nitrokey Start keys, interested in secure mailing and an encoded (virtual) disk.
However, I later noted that the security your key provides for the latter task is not as high as I wanted; see the following note on your website:
“Security Consideration: Please note that VeraCrypt doesn’t make use of the full security which Nitrokey (and smart cards in general) offer. Instead, it stores a key file on the Nitrokey which theoretically could be stolen by a computer virus after the user enters the PIN.
Note: Aloaha Crypt is based on TrueCrypt/VeraCrypt but without the described security limitation.”
I tried quite hard to get Aloaha Crypt running, but to no avail. Could you please provide me with more detailed instructions, as you do for VeraCrypt?
Furthermore, since Aloaha was not working for me, I gave up and wanted to go for the less secure VeraCrypt variant. Following the instructions from your website precisely, I got a problem with the fourth step:
“Now you should be able to import the generated key file via Tools>Manage Security Token Keyfiles. You should choose the first Slot ([0] User PIN). The key file is then stored on the Nitrokey as ‘Private Data Object 1’ (PrivDO1).”
Importing Keyfile to Token, I get "Security token error: DEVICE ERROR".
So it seems that at the moment no disk encryption on Windows 10 works out of the box with Nitrokey Start (whereas SSH logins and encrypted emails work just fine, simply by following your instructions).
Could you provide me with some support here? I am not an expert in cryptography, that is why I bought your product in the first place.
I was testing it today, and it seems indeed that the private DOs are not supported on the Nitrokey Start. I have confirmed this solution works on the Nitrokey Storage / OpenPGP v2.1.
I could not take detailed logs, so it will probably take longer to develop the exact solution.
I am searching for a workaround.
My impression is that the actual issue is within the OpenSC implementation.
Sorry for that. In the meantime we will update the documentation to note that Nitrokey Start does not currently work with VeraCrypt. @nitroalex Please update the doc with this remark, thank you!
Details:
Windows 10 1909 / 18363
Used driver: pkcs11-spy.dll (same as regular, but with logs)
Veracrypt 1.24-Update2
Nitrokey Start (RTM.7/GNUK 1.2.14)
Timeout set to 60 seconds (via registry modification per Windows docs from references)
Followed the Nitrokey documentation linked below for setting up VeraCrypt
Confirmed with the project’s mailing list that the private DOs are not supported within the latest Nitrokey Start / GNUK 1.2.14. While possible, it is not planned for implementation in the near future either.
In conclusion, the current Nitrokey Start (RTM.7/GNUK 1.2.14) cannot support VeraCrypt key files at the moment, and there is no direct workaround for that.
Back to the specific feature, let me explain about DO1-4 and certificate object(s). I don’t support those objects for three reasons: there is no good definition of how those can be used and be useful; implementing those objects interferes with lower-level communication; and there may not be enough room to keep those objects in flash memory anyway.
If I may go back to my original ambition, which was unlimited security without transferring key files into the computer: since VeraCrypt is finally not supported with Nitrokey Start, is there some chance for Aloaha? AFAIK the mechanism is different, so it could still work. But there is no documentation whatsoever. Did anybody try?
I am sorry again that it did not work the way you had planned.
I have never set up Aloaha myself, but I will check this for you.
I understand you have already tried to do so. Could you briefly describe at which point it was not working?
Thank you. It was a long time ago, but as far as I remember it was not clear how to get this certificate thing working. In particular, a certificate is needed for Aloaha, but there is no certificate stored on the Nitrokey Start…? As I said, I am new to this stuff; I have never used certificates as such.
If you could write down a step-by-step manual similar to the one you have for VeraCrypt, it could be enough for me, at least to try again.
I see. Indeed there was not much information about the certificate’s role, neither in the application window nor on the website. In this use, the certificate contains the asymmetric key pair, private and public, both used for the crypto operations.
Roughly the plan is as follows:
The needed certificate can be created easily with one of Aloaha’s tools. It has to be exported to a PFX file.
Later it needs to be imported to the device according to the OpenSC guide [1].
Further, another application (AloahaCSP) should find and register the created certificate so it can be used by AloahaCrypt (to be confirmed: whether OpenSC would not be sufficient instead).
I tried to configure it today, but I could not manage to get AloahaCrypt working, ending with the following error message:
AloahaCrypt Volume Creation Wizard
Error: The autogenerated INI file has been manually modified or there is an ini file having the same name as your volume in the same directory
I could not find the cause. Will try again next week.
I am sorry, but I could not invest any more time into this until now. I do not want to stall your decision; let’s assume for the time being that Nitrokey Start does not support Aloaha encryption either. If this changes in the near future, I will write here.
My idea for further tests was to run the same path with Nitrokey Pro 2 and see whether the problem is on the device side or in the Aloaha software. Since they are using their own CSP, I cannot see in pkcs11-spy’s log what the cause is. This requires further investigation: getting a USB dump with Wireshark and looking into it.
I wanted as well to ask on Aloaha’s support forum about this cryptic error, which is perhaps already solvable on their side.
With current knowledge, I think the fastest way to fix your problem would be to add private DO support to the device’s firmware, which would allow VeraCrypt use. However, again, we do not plan to add this feature at this moment. It is possible someone has done this already, and you could use such custom firmware.