NitroKey with VeraCrypt and TrueCrypt

Just wanted to drop a line for others…the Nitrokey and VeraCrypt v1.19 and TrueCrypt v6.3 play nicely using OpenSC x64 v0.16.0 drivers. VeraCrypt placed the 64 KB keyfile in what it referred to as “Private Data Object Slot 1” (PO1) and then pulls it successfully from the card when decrypting.

After using GnuPG to create my RSA4096 key, I tested the file encryption/decryption ability with the Nitrokey and when I was satisfied that it was reliable and working well, I turned my attention to VeraCrypt to run some tests on that too.

To replicate what I did for anyone who wants to increase their privacy/protection:

-Assign User PIN and Admin PIN using the Nitrokey app
-Create the RSA4096 key using the GnuPG command line interface tools on an offline computer
-Backup the public, private, secret keys to a USB drive and distribute the public and private keys to all your other computers that would ever need to decrypt your files that used GnuPG
-Remember that your secret key is still protected because you didn’t put that on all your other computers and the other computers still require the original Nitrokey to decrypt the files…also the secret key is backed up to an encrypted .gpg container on the offline computer and as far as I know it can only be opened by using the Nitrokey’s secret key…so essentially the backup is worthless because even if you open the container and copy the key out and save it elsewhere, you still need the Nitrokey because GnuPG wants the device when decrypting…although I may be wrong…still testing and tinkering…don’t hate me if I’m wrong and feel free to correct me
-After distributing the public and private keys, encrypt files as you wish into .gpg containers that are only able to be decrypted by the Nitrokey being plugged in and inputting the User PIN
-Install the latest OpenSC x64 v0.16.0 drivers and VeraCrypt which allows it to talk to the Nitrokey using the PKCS11 interface
-Generate a 64 KB keyfile using VeraCrypt and follow the program manual to save the keyfile to the Nitrokey
-The keyfile will be placed in “PO1” and VeraCrypt will use that slot by default from then on
-Don’t try to create a keyfile larger than 64 KB…it won’t save on the Nitrokey properly and VeraCrypt only looks at the first 64 KB anyway no matter how big you make the key…making one bigger than 64 KB gains no added protection
-I then tested out TrueCrypt v6.3 (don’t use TrueCrypt v7.1 or 7.1a unless your operating system needs it)
-TrueCrypt looks at the same slot by default after setting up the OpenSC PKCS11 interface in the program settings also
-Now you can enjoy the peace-of-mind with 3 encrypted “layers” of open-source encryption using a single device!

Be sure to buy more Nitrokeys in case you lose the original because if you don’t then you lose access to your encrypted files! When you buy multiple Nitrokeys, encrypt all files using GnuPG with each Nitrokey’s public key (for example if you have 3 Nitrokeys then add each public key to every single encrypted file each time). When using VeraCrypt and TrueCrypt be sure to add the exact same keyfile to each Nitrokey to PO1 by default.

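The procedure above, scripted as an added example that is not part of the original post: it generates a 64 KB keyfile, refuses anything larger (the limit the post describes), writes the identical copy to every Nitrokey as a private PKCS#11 data object via OpenSC's pkcs11-tool, and reads each copy back to confirm it matches the original. It also wraps the post's advice to encrypt each GnuPG file to all of your Nitrokeys' public keys at once. VeraCrypt normally writes the keyfile to the token itself through the PKCS#11 module, so the manual pkcs11-tool route is an alternative, not the post's method. The module path, the object label, the slot numbers and the /dev/urandom keyfile source are assumptions for illustration; check `pkcs11-tool --module <path> --login --list-objects --type data` to see how your card actually labels the object.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: OpenSC's pkcs11-tool
# and gpg are installed; PKCS11_MODULE, OBJECT_LABEL and slot numbers are
# placeholders to adapt to your system.
set -eu

KEYFILE_MAX_BYTES=65536                                        # 64 KB limit from the post
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib/opensc-pkcs11.so}"    # assumed path
OBJECT_LABEL="${OBJECT_LABEL:-veracrypt-keyfile}"              # hypothetical label

# Generate a random keyfile of the given size (default 64 KB) from /dev/urandom.
# The post uses VeraCrypt's own keyfile generator; this is a scripting alternative.
gen_keyfile() {
    out="$1"; size="${2:-$KEYFILE_MAX_BYTES}"
    head -c "$size" /dev/urandom > "$out"
    chmod 600 "$out"
}

# Size in bytes; reading from stdin makes wc print only the number.
keyfile_size() { wc -c < "$1" | tr -d ' '; }

# Succeed only if the keyfile fits the 64 KB token limit.
check_keyfile_size() {
    [ "$(keyfile_size "$1")" -le "$KEYFILE_MAX_BYTES" ]
}

# Write the keyfile to one token as a private data object (CKA_PRIVATE set,
# so the user PIN is required to read it back). --slot picks the physical
# token when several Nitrokeys are plugged in at once.
store_keyfile_on_token() {
    slot="$1"; keyfile="$2"
    check_keyfile_size "$keyfile" || { echo "keyfile larger than 64 KB; refusing" >&2; return 1; }
    pkcs11-tool --module "$PKCS11_MODULE" --slot "$slot" --login \
        --write-object "$keyfile" --type data --label "$OBJECT_LABEL" --private
}

# Read the object back from the token and compare byte-for-byte with the original,
# so each backup Nitrokey is known to hold exactly the same keyfile.
verify_keyfile_on_token() {
    slot="$1"; keyfile="$2"
    tmp="$(mktemp)"
    pkcs11-tool --module "$PKCS11_MODULE" --slot "$slot" --login \
        --read-object --type data --label "$OBJECT_LABEL" -o "$tmp"
    if cmp -s "$keyfile" "$tmp"; then
        rm -f "$tmp"; echo "slot $slot: keyfile matches"; return 0
    fi
    rm -f "$tmp"; echo "slot $slot: MISMATCH" >&2; return 1
}

# Encrypt a file to every Nitrokey's public key at once (one -r per key ID),
# so any one of the cards can decrypt it. Key IDs are passed as arguments.
gpg_encrypt_to_all() {
    file="$1"; shift
    args=""
    for k in "$@"; do args="$args -r $k"; done
    # shellcheck disable=SC2086
    gpg --encrypt --output "$file.gpg" $args "$file"
}

# Hardware is only touched when explicitly requested:
#   ./nitrokey-keyfile.sh --run ./vc.key 0 1 2
if [ "${1:-}" = "--run" ]; then
    shift; keyfile="$1"; shift
    [ -f "$keyfile" ] || gen_keyfile "$keyfile"
    for slot in "$@"; do
        store_keyfile_on_token "$slot" "$keyfile"
        verify_keyfile_on_token "$slot" "$keyfile"
    done
fi
```

Keep the generated keyfile itself off the computers that will use the volumes, since the whole point of the token is that the keyfile lives only on the cards; the file on disk is just the master copy you write to each Nitrokey before wiping it.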

Does it work with Nitrokey Pro or just with the Nitrokey Storage?

Hi @Paulistano001 !

Nitrokey Pro and Nitrokey Storage both support the PDO feature used in the VeraCrypt/TrueCrypt solution. Nitrokey Start unfortunately does not.