Hallo,
ich habe folgendes Problem unter Ubuntu 18.04. :
Wenn ich eine Schlüsseldatei auf dem Nitrokey Storage speichern möchte, erscheint die Fehlermeldung
“Security Token error: GENERAL ERROR”.
Ich habe es auch unter Windows 10 mit Veracrypt 1.24. Update 2 und opensc-pkcs11 0.21.0-1 probiert. Dort konnte ich die erzeugte Schlüsseldatei auf dem Nitrokey abspeichern.
Unter Linux lässt sich die Schlüsseldatei auf dem Nitrokey auch für Veracrypt-Container ohne Probleme verwenden (die Bibliothek opensc-pkcs11 0.21.0-1 scheint also in Ordnung zu sein). Leider funktioniert das abspeichern und ändern der Schlüsseldateien aber nicht.
Da ich nicht immer Zugriff zu einem Windows System habe, müsste ich den Fehler unter Linux finden und beheben.
Daher die Frage was in diesem Fall das Problem sein könnte ?
Apologies for replying in English, while I know some Deutsch it would take me inordinate amount of time to reply as I don’t use it actively so hopefully this would be helpful anyway.
This is weird, but somehow I haven’t got the notification email with your reply and I haven’t logged in to the forum for a while, relying on the email and therefore thinking there’re no topics for me to participate in… @Saptha, is this still actual? I can try to reproduce if yes.
Hello, thanks for your reply .
Yes the issue is still actual as I have described, I have not find a solution yet. I would very appreciate a solution. As a “VeraCrypt Poweruser” it would be very helpful to use the Nitrokey
Okay, I’ve got my Ubuntu 18.04 VM ready, but I see that version has OpenSC 0.17 only - 0.21.0-1 that you report seems to have appeared only in 21.04. How did you install OpenSC?
I have downloaded the newest version (at this time) 0.21.0-1 as .deb package: https://debian.pkgs.org/11/debian-main-arm64/opensc-pkcs11_0.21.0-1_arm64.deb.html
I have installed the package, then I checked the Installtion with: apt list --installed | grep -i opensc
In Veracrypt I choosed: /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so as library under “Security Tokens”.
I created a keyfile (64 bit SHA-512) and tried to save it on the Nitrokey with the VeraCrypt function “Manage Security Tokens”, then I got the error
All right, I’ve found the root cause for this one. So the reason is that the opensc-pkcs11 package doesn’t have all the necessary files for the functionality used by the VC to work (pkcs15 emulation). Specifically, OpenSC module tries to find the so-called pkcs15 profile file, but it’s not available, so it fails with that generic error. You can observe that by setting the OPENSC_DEBUG env variable before starting VC (this is BTW a useful technique for troubleshooting OpenSC-related problems):
test@test-VirtualBox:~$ OPENSC_DEBUG=9 veracrypt
<...>
P:3983; T:0x139750286469760 16:30:14.730 [opensc-pkcs11] profile.c:336:sc_profile_load: called
P:3983; T:0x139750286469760 16:30:14.731 [opensc-pkcs11] profile.c:356:sc_profile_load: Using profile directory '/usr/share/opensc'.
P:3983; T:0x139750286469760 16:30:14.731 [opensc-pkcs11] profile.c:364:sc_profile_load: Trying profile file /usr/share/opensc/pkcs15.profile
P:3983; T:0x139750286469760 16:30:14.731 [opensc-pkcs11] profile.c:369:sc_profile_load: profile /usr/share/opensc/pkcs15.profile loaded ok
P:3983; T:0x139750286469760 16:30:14.731 [opensc-pkcs11] profile.c:373:sc_profile_load: returning with: -1201 (File not found)
P:3983; T:0x139750286469760 16:30:14.732 [opensc-pkcs11] pkcs15-lib.c:376:sc_pkcs15init_bind: Failed to load profile 'pkcs15': File not found
P:3983; T:0x139750286469760 16:30:14.732 [opensc-pkcs11] pkcs15-lib.c:393:sc_pkcs15init_bind: Load profile error: -1201 (File not found)
P:3983; T:0x139750286469760 16:30:14.733 [opensc-pkcs11] card.c:523:sc_unlock: called
P:3983; T:0x139750286469760 16:30:14.733 [opensc-pkcs11] reader-pcsc.c:736:pcsc_unlock: called
P:3983; T:0x139750286469760 16:30:14.739 [opensc-pkcs11] misc.c:86:sc_to_cryptoki_error_common: libopensc return value: -1201 (File not found)
<...>
That file is packaged in the opensc package, so you’d need to download and install that one as well. However there’s a catch - Debian 11 opensc package (if we follow with the repo you used) depends on libreadline8 library, which is not available on Ubuntu 18.04 and therefore the package installation fails, unless you use --ignore-depends option for dpkg, which brings us further into the danger zone of manually installed cross-distro-version packages, but works for this specific use case (I haven’t tested whether the CLI utils packaged there would work).
After that on my test setup I’m able to save the keyfile into the token and use it for mounting without problems. So that’s the reason and a fix for the problem you observe, though this kind of manually installed packages may be a pain later on due to version mismatches, so be warned.
Thank you very much for your help and effort for finding the solution.
I will try it out myself, if the keyfile is saved the decryption should work. So if I have problems in the future to save new keyfiles, if I update my OS, I should still be able to decrypt my existing containers.
So I think in practice it will help me a lot.
My pleasure, glad to help. BTW, you might want to go to 0.22 released recently, it has a fix for keyfile-related functionality bug that was discussed in this thread: VeraCrypt encryption with Nitrokey error and may be an inconvenience.
so hopefully this would be helpful anyway.
