VeraCrypt encryption with Nitrokey error

I am trying to use the Nitrokey Pro 2 to serve as authentication for VeraCrypt containers following these directions. When using the PKCS#11 library, I am unable to store the generated Keyfile in Slot ([0] User PIN), only Slot 2 which, while it does allow the use of the Nitrokey to decrypt containers, doesn’t require the use of the PIN, so all that’s required is that the Nitrokey is plugged into the computer. Not ideal, but certainly convenient!

When I went back and tried to use OpenSC, I was (eventually) able to find the right .so file and proceed with the Keyfile generation. When I went to import the keyfile, Slot 0 and Slot 1 were both available! However, even the 64-bit keyfile returned the following error:

The security token does not have enough memory/space to perform the requested operation.

If you are attempting to import a keyfile, you should select a smaller file or use a keyfile generated by VeraCrypt (select 'Tools' > 'Keyfile Generator').

I’m unsure what to do at this point. I’m assuming that means that I cannot use any file in Slot 0. Out of curiosity, I also tried to use a text file of the exported public key that is already on my Nitrokey and it returned the same error.

Ideally, I’d like to be able to have a VeraCrypt container that can be decrypted using the Nitrokey with the input of my PIN, but if I can’t use the PIN I guess just the Nitrokey alone will suffice.

Any suggestions would be appreciated!

The “keyfile protected by the PIN” part should be addressed within https://github.com/veracrypt/VeraCrypt/issues/689 (though there seems to be no easy way given the limitations).

As for the other part (storing the keyfile) - I personally had no troubles doing that on Pro and Windows 10 using OpenSC-provided PKCS#11 lib. Care to describe your actions step by step to see what could be wrong here?

Yeah for sure! This is all with my Nitrokey Pro 2 plugged in.

  1. In VeraCrypt, I go to Settings > Security Tokens and select /the/filepath/to/opensc-pkcs11.so (I assume that opensc-pkcs11.so is the right file; it matches the format for the regular pkcs11 file, but this could be the issue and I just need to know the right replacement).
  2. Tools > Keyfile Generator and use the default settings (Mixing PRF is set to SHA-512, Number of keyfiles is 1, Keyfile size in bits is 64) and save.
  3. Tools > Manage Security Token Keyfiles and select the keyfile

I then get the error mentioned above that the security token doesn’t have enough memory/space.

This ONLY occurs when I have the opensc-pkcs11.so selected in step 1 and am trying to set it to Slot [0] or Slot [1] in step 3 (the only slots available to me when I use the opensc-pkcs11.so). If I use the regular PKCS#11 library .so (also mentioned in the Nitrokey applications section) I’m only able to select Slot [2], which lets the same file be used without the error.

If there’s any other information that will help, please let me know! I’m using the latest Nitrokey firmware, VeraCrypt 1.24-Update4, and am doing this on a System76 laptop running Pop!_OS (their version of Ubuntu 20.04).