I have my Nitrokey 3 set up as an OpenPGP card. Among other things, I wanted to store a VeraCrypt keyfile as described here: Hard Disk Encryption - Nitrokey Documentation
I installed OpenSC and added it as a PKCS#11 library to VeraCrypt. Importing the keyfile to VeraCrypt works as described, and I can see it as PrivDO1 with the token OpenPGP card (User PIN).
HOWEVER, there is a massive security issue! The keyfile is not protected by the PIN that I set for the card. It can be read without any authentication using e.g. openpgp-tool from OpenSC:
openpgp-tool.exe -d 1
Using reader with a card: Nitrokey CCID/ICCD Interface 0
69 D6 4D 55 6D BC 87 65 AF 26 55 99 31 39 A9 92 i.MUm..e.&U.19..
66 75 23 C1 CD 7E 60 15 42 4A 60 3A 22 9E 5A E1 fu#..~`.BJ`:".Z.
C0 EC 85 DF C3 EF A0 01 6B A9 46 F4 DC 96 63 9C ........k.F...c.
E7 31 44 B0 ED 2D 1D 87 D9 F9 11 5A 52 6B F8 6D .1D..-.....ZRk.m
… or gpg --edit-card:
gpg --edit-card
Reader ...........: Nitrokey CCID/ICCD Interface 0
Application ID ...: D276000124010304000FE16B14F70000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Nitrokey
Serial number ....: [redacted]
Name of cardholder: [redacted]
Language prefs ...: [nicht gesetzt]
Salutation .......:
URL of public key : [nicht gesetzt]
Login data .......: [nicht gesetzt]
Private DO 1 .....: i\xd6\x4dUm\xbc\x87e\xaf&U\x9919\xa9\x92fu#\xc1\xcd~`\x15BJ`:"\x9eZ\xe1\xc0\xec\x85\xdf\xc3\xef\xa0\x01k\xa9F\xf4\xdc\x96c\x9c\xe7\x31D\xb0\xed\x2d\x1d\x87\xd9\xf9\x11ZRk\xf8\x6d
This obviously defeats the purpose of putting the keyfile on the Nitrokey. Note that I unplugged the Nitrokey to clear any cached PINs.
Please advise how to secure the VeraCrypt keyfile on the Nitrokey with the PIN (or don’t advertise this feature in your documentation).
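The observation above (PrivDO1 readable before any PIN is presented) can be turned into a repeatable check. The following is an added example, not code from the original post or from Nitrokey: it selects the OpenPGP applet and issues GET DATA for each of the four private-use DOs (0101..0104) without ever sending VERIFY, then reports which ones the card hands out (status 9000) and which it refuses with 6982 "security status not satisfied". The OpenPGP card specification makes 0101 and 0102 readable without a PIN and gates read access to 0103 and 0104 behind PW1 and PW3 respectively, so a keyfile in DO 1 is exposed by design of that DO, not by a Nitrokey-specific bug. The `pyscard` reader access is an assumption (optional, only used when a card is attached); the `constructed_card` transmit function is a constructed stand-in that mirrors the poster's observation for DO 1 and the spec's behaviour for DO 3.

```python
"""Check which OpenPGP-card private DOs are readable before any PIN verification.

Added example for this thread; not code from the original post or from Nitrokey.
"""
from typing import Callable, Dict, Tuple

# SELECT the OpenPGP applet by its AID D2 76 00 01 24 01 (OpenPGP card spec).
SELECT_OPENPGP = bytes.fromhex("00A4040006D276000124010000")

# Private-use data objects; openpgp-tool's "-d 1" reads tag 0101 (PrivDO1).
PRIVATE_DOS = {1: 0x0101, 2: 0x0102, 3: 0x0103, 4: 0x0104}

# A transmit function takes a raw APDU and returns (response data, SW1, SW2).
Transmit = Callable[[bytes], Tuple[bytes, int, int]]


def build_get_data_apdu(tag: int) -> bytes:
    """GET DATA (CLA=00, INS=CA) with the two-byte tag in P1/P2 and Le=00."""
    return bytes([0x00, 0xCA, (tag >> 8) & 0xFF, tag & 0xFF, 0x00])


def classify_status(sw1: int, sw2: int) -> str:
    """Map the ISO 7816 status word of a GET DATA reply to a verdict."""
    sw = (sw1 << 8) | sw2
    if sw == 0x9000 or sw1 == 0x61:  # 61xx: more data available, still a success
        return "readable without PIN"
    if sw == 0x6982:  # security status not satisfied: a VERIFY would be needed first
        return "PIN required"
    if sw == 0x6A88:  # referenced data not found: DO is empty or unsupported
        return "not present"
    return f"unexpected status {sw:04X}"


def probe_private_dos(transmit: Transmit) -> Dict[int, str]:
    """Select the applet, then read DO 1..4 with no VERIFY sent beforehand."""
    _, sw1, sw2 = transmit(SELECT_OPENPGP)
    if (sw1, sw2) != (0x90, 0x00):
        raise RuntimeError(f"SELECT OpenPGP failed with SW {sw1:02X}{sw2:02X}")
    results: Dict[int, str] = {}
    for n, tag in PRIVATE_DOS.items():
        data, sw1, sw2 = transmit(build_get_data_apdu(tag))
        verdict = classify_status(sw1, sw2)
        if verdict == "readable without PIN" and data:
            verdict += f" ({len(data)} bytes exposed)"
        results[n] = verdict
    return results


def constructed_card(apdu: bytes) -> Tuple[bytes, int, int]:
    """Constructed stand-in for a card: DO 1 readable (64 bytes, like the post),
    DO 3 PIN-gated as the spec requires, DO 2 and DO 4 empty."""
    if apdu == SELECT_OPENPGP:
        return b"", 0x90, 0x00
    tag = (apdu[2] << 8) | apdu[3]
    if tag == 0x0101:
        return bytes(64), 0x90, 0x00      # constructed 64-byte keyfile-sized payload
    if tag == 0x0103:
        return b"", 0x69, 0x82
    return b"", 0x6A, 0x88


def pyscard_transmit(connection) -> Transmit:
    """Adapt a pyscard CardConnection to the Transmit signature (assumed optional dep)."""
    def _tx(apdu: bytes) -> Tuple[bytes, int, int]:
        data, sw1, sw2 = connection.transmit(list(apdu))
        return bytes(data), sw1, sw2
    return _tx


if __name__ == "__main__":
    try:
        from smartcard.System import readers  # pyscard; assumed, not required for the demo
        reader = readers()[0]
        conn = reader.createConnection()
        conn.connect()
        print(f"Probing real card in reader: {reader}")
        transmit: Transmit = pyscard_transmit(conn)
    except Exception as exc:  # no pyscard or no card: fall back to the constructed card
        print(f"No card available ({exc}); using constructed stand-in")
        transmit = constructed_card
    for n, verdict in probe_private_dos(transmit).items():
        print(f"Private DO {n} (tag {PRIVATE_DOS[n]:04X}): {verdict}")
```

Run it right after replugging the token so no PIN is cached, as the poster did. Any DO reported as "readable without PIN" is unsuitable for a secret keyfile; a DO answering "PIN required" before VERIFY is the behaviour one actually wants from a PIN-protected store.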
