PKCS#11 driver doesn't work in Windows 8

Hi!

Trying to extract my keyfile (Private Object 3) from Cryptostick ver 1.2 using TrueCrypt 7.1a via OpenPGP11_32.dll module in Windows 8 x64. No success. After entering a PIN, I get an error “Security token error: FUNCTION FAILED”.

Is there any Win8-ready driver?

Thanks!

Hi!
I’m not sure if the reason is Windows 8 or not. Could you create a debug log and send it to the author at support@smartcard-auth.de?

Sorry, I can’t. I have no access to a Windows 8 Pro x64 desktop at the moment. But I notified the developer about the driver’s possible incompatibility. He told me he’ll be able to verify the problem by himself no sooner than the end of the year.

Was this resolved in any way?

Windows 8 x64 is my main OS, and when I use the truecrypt tutorial I always get the error:

TrueCrypt

Security token error:

FUNCTION FAILED

OK

Could you try the new OpenSC framework 0.13 instead of Peter’s PKCS#11 driver? It is available for download here: sourceforge.net/projects/opensc … sc-0.13.0/

Still no luck.
I installed it and browsed to the dll; it gives this error:


TrueCrypt

Failed to initialize PKCS #11 security token library.
Please make sure the specified path and filename refer to a valid PKCS #11 library. To specify a PKCS #11 library path and filename, select ‘Settings’ > ‘Security Tokens’.

OK

Also, if I try autodetect, it detects nothing.


TrueCrypt

No PKCS #11 library has been found in the Windows system directory.

Please make sure that a PKCS #11 library for your security token (or for your smart card) is installed (such a library may be supplied with the token/card or it may be available for download from the website of the vendor or other third parties). If it is installed in a directory other than the Windows system directory, click ‘Select Library’ to locate the library (e.g. in the folder where the software for the token/card is installed).

OK

Could you try to load the PKCS#11 driver in Firefox, please? The menu path should be Settings -> Advanced -> Encryption -> Security Modules -> Load.

FYI, I installed OpenSC 0.13.0 x64 on Win7 x64 and got the same error in Truecrypt. It simply can’t find x64 dll no matter what path you enter. But you can install OpenSC 0.13.0 x32 on your x64 system, and it would work. But then the other problem appears in TrueCrypt: OpenSC PKCS#11 module asks for a PIN twice in a row (User one and undetermined one) and always returns an error “Incorrect PIN”. Firefox demonstrates the very same behavior.

So, still no working solution for Win8 x64 (and OpenSC driver doesn’t work properly, at least straight out of the box).

Sorry for my English.

Did you try to enter the User PIN twice? You can verify which PIN you entered wrongly by executing “gpg --card-status” afterwards and see if either the User or Admin PIN counter has been decreased from 3. The PKCS#11 dialog boxes may ask for different PIN identifiers than used by the Crypto Stick and this method may reveal which PIN is actually required. Be careful not to lock your Crypto Stick irrecoverably by entering a wrong Admin PIN three times.

It seems that the OSC x64 dll module can’t be loaded in any Windows x32 application, which makes sense.

As for PINs, I tried what you’d suggested. Both PINs are actually the same User PIN. I downloaded and installed the latest OSC x32 build again, and the ‘Incorrect PIN’ error disappeared (don’t know why, did nothing with my OS). BUT after entering the correct User PIN in both prompts, TrueCrypt shows that there is no existing keyfile (token object) on my CryptoStick. All works fine with dll module by Peter Koch, though.

If it matters, the first PIN prompt (spelling preserved) is
Enter password/PIN for token 'OpenPGP card (User PIN
the second one is
Enter password/PIN for token 'OpenPGP card (User PIN):

I’m not a very sophisticated IT guy; maybe it’d be better if one of the CryptoStick or OpenSC developers tried to reproduce and solve this issue.
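Added example, not part of any post in this thread: a 64-bit DLL cannot be loaded into a 32-bit process (and vice versa), so one quick check when an application rejects a PKCS#11 library path is to read the Machine field from the DLL's PE header and compare it with the bitness of the host application. The function names and the sample header bytes below are constructed for illustration.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Machine values defined by the PE/COFF format
MACHINE_X86 = 0x014C
MACHINE_X64 = 0x8664
NAMES = {MACHINE_X86: "x86 (32-bit)", MACHINE_X64: "x64 (64-bit)"}


def pe_machine(data: bytes) -> int:
    """Return the Machine field of a PE image; raise ValueError if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    return machine


def check_module(data: bytes, host_is_64bit: bool) -> str:
    """Explain whether a host process of the given bitness can load the DLL."""
    try:
        machine = pe_machine(data)
    except ValueError as exc:
        return f"not a loadable DLL: {exc}"
    wanted = MACHINE_X64 if host_is_64bit else MACHINE_X86
    name = NAMES.get(machine, f"unknown machine 0x{machine:04X}")
    if machine == wanted:
        return f"ok: module is {name}, matches host"
    return f"mismatch: module is {name}, host needs {NAMES[wanted]}"


def sample_pe(machine: int) -> bytes:
    """Constructed minimal header: just enough fields for pe_machine()."""
    buf = bytearray(0x100)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x84, machine)
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <path-to-dll> <32|64>
        with open(sys.argv[1], "rb") as fh:
            print(check_module(fh.read(4096), sys.argv[2] == "64"))
    else:
        print(check_module(sample_pe(MACHINE_X64), host_is_64bit=False))
```
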

To me it seems to be a TrueCrypt “issue” - which may not be an issue. AFAIK TrueCrypt doesn’t use the proper encryption feature of smart cards (and the Crypto Stick). Instead it stores the password in plain on the password protected device. This may be the “keyfile” you are mentioning. I suggest you search how to use TrueCrypt with smart cards and it should teach you how to set up and use the device with TrueCrypt.

TrueCrypt stores a keyfile within CryptoStick DO3 (Data object 3), which can be extracted (and eavesdropped by malware) in “plain” format only after entering a User PIN. Till then it’s encrypted and not accessible. It suits my needs well enough.

As I mentioned before, Peter’s dll works fine. I generated a TrueCrypt keyfile filled with randoms and saved it to the CryptoStick exactly by its (TrueCrypt) manual. It works just like it should. One of the OSC console utilities also says that DO3 (my keyfile) does exist on my stick. The only problem is with the OSC PKCS#11 dll. I don’t have any expertise in debugging stuff like that; it would be easier if you just tried to reproduce and confirm (or not) the issue by yourself.

And, yeah, Firefox 17/18 do the same thing: 2 PINs to enter, no X.509 certificate on the stick found (although I have AUTH one to authorize on some websites which, again, works with Peter’s dll like a charm).

PS. I’m talking about Windows 7 x64, not Win 8.

Jans, maybe this forum isn’t the right place for troubleshooting third party software, like OpenSC? Wouldn’t it be more efficient to report a bug directly to the OpenSC Project, what do you think? Or do the CryptoStick developers have a special relationship with the OSC Project, through having a commercial agreement for adapting OSC to the CryptoStick for instance? What’s the best, fastest way to draw the developers into digging into this issue?

Thanks!

So that’s how €60 product support works ;)

Guys, you have pretty nice hardware here, but without end-user software essentials it’s just an iron rock. I mean, you still don’t even have fully functional PKCS#11 cross-platform software support - the vital stuff, but have already been trying to assemble the next version of SC - v2. What about users and the money they paid for your previous work?

Yes, OpenSC project may be the right place to discuss this issue.

Which key length are you using? If in doubt, 2048 bit should work best.

We provide you free support in our spare time. So don’t expect turn around times like with an enterprise gold level support contract.

Jans, I’ve filed the issue here github.com/OpenSC/OpenSC/issues/125, but don’t see any progress there, not even a bit of attention at all. Is it possible I chose the wrong place again? :(

I think it’s the right place for an issue. I will try to get the developer looking into it but it may take some more time. Stay tuned…

Thank you, Jans. Feel free to contact me if some debug info is needed.

Indeed some development is needed to fix this issue. Our developer is working on it. Communication will be done in the issue github.com/OpenSC/OpenSC/issues/125
