Nitrokey 3 NFC and Veracrypt

Is there a tutorial on how I can use the Nitrokey 3 smartcard with Veracrypt?


Are you certain that the Nitrokey 3 can do this?
I don’t think the Nitrokey App can be used with the Nitrokey 3 and I wonder if that is the problem.

I haven’t personally tested it, but I don’t believe opcard-rs currently supports the DO feature and may not be fully working for Veracrypt.

The process of storing the keyfile via PKCS#11 to a DO on the smartcard is explained in this tutorial, which should work regardless of the OpenPGP card being used.
I believe that the Veracrypt feature which enables the addition of a keyfile to a smartcard is not very practical. This is because many OpenPGP cards are typically configured by a Security Officer, and users are only granted access to a PIN, not the CHV3-PIN (Admin-PIN). Depending on the key slot and smartcard, CHV3-PIN may be necessary to write to it.

As far as I know, the keyfile is only secured by a PIN and is not encrypted itself. Furthermore, depending on the keyslot and smartcard implementation, reading may be possible without a PIN or set to User or Admin PIN. Therefore, it is advisable to have both a keyfile and password for Veracrypt.

A more effective approach for Veracrypt implementation would be to utilize PKCS#11 to encrypt/decrypt a Veracrypt password using the key that is stored on the smartcard. Unfortunately, Veracrypt does not work on such a PKCS#11 feature.

Nitrokey also suggested a security improvement that is not merged yet. Right now the keyfile in a DO is not protected by a PIN, it seems.

Encrypt data and emails: Encrypt your emails with GnuPG, OpenPGP, S/MIME, Thunderbird or Outlook. Encrypt entire hard drives using TrueCrypt/VeraCrypt, LUKS or individual files using GnuPG. Your private keys are securely stored in Nitrokey and cannot be exported/stolen.

It was the reason why I bought this stick. Currently this stick is useless for me.

I’m new to this topic, but is there a chance that it works with the instructions for the Other Keys? According to the Product overview all keys support the required feature.