Clearly, Yubikey doesn't have this functionality and so the only possible way is to rely on existing data objects that contain sufficiently unique content to be used as keyfile: if such data object doesn't exist, then Yubilye can't be used.First YubiKey USB token of the FIDO standard in 2014. In VeraCrypt, we suppose that compatible smart cards and tokens provide the functionality of importing data objects into them. If you notice that its size is too small (less than 64 bytes) or that its content is not sufficiently unique, then you can't use it as a secure keyfile.
And then, open the exported file using a tool like HxD to explore its binary content. The only thing is that you must check that its content is sufficiently unique/random so that it can't be easily guessed by an attacker.įor that you can use the export button to export the content of this object fo a file (you should export inside a mounted VeraCrypt volume to keep the content secure). This must be a limitation of their hardware and we can't do much about it.Ĭoncerning the "cardholder fingerprints", it should work since it is listed. Ok, it looks like Yubikey doesn't allow storing arbitrary data on it. Once these steps done, you can select this keyfile from within the Volume Creation wizard when creating a volume. Then, use the menu "Tools -> Managed Security Token Keyfiles" to import the generated keyfile into the Yubikey.Īfter that, security erase the keyfile from the disk (As I said above, it is advised to store the keyfile in a mounted VeraCrypt volume since securely erasing keyfile from mounted VeraCrypt volume is more reliable than securely erasing it from a standard disk). The steps to achieve this are easy.įirst, use the menu "Tools -> Keyfile generator" to create a random keyfile and store it on disk (ideally it should be stored in a mounted VeraCrypt volume to avoid leaking keyfile content). That being said, it is advised to create a dedicated keyfile using VeraCrypt keyfile generator and then import it into your Yubikey in order to use a keyfile. For example, "Printed Information" doesn't seem to be a good candidate but "Cardholder fingerprints" looks better. You just need to be sure that the information they contain is not publicly available or can be deduced by someone else.
Any of the presented objects can be selected as a keyfile since they are protected by PIN.
0 kommentar(er)
