Hard Disk Encryption

Compatible Nitrokeys

  3A/C/Mini: active
  Passkey: inactive
  HSM 2: active
  Pro 2: active
  FIDO2: inactive
  Storage 2: active
  Start: active
  U2F: inactive

VeraCrypt (formerly TrueCrypt)

VeraCrypt is free and open-source disk encryption software for Windows, macOS, and GNU+Linux. It is the successor of TrueCrypt and is therefore recommended, although the following instructions should apply to TrueCrypt as well.

Follow these steps to use the program with Nitrokey Storage 2 or Nitrokey Pro 2:

  1. Install the latest release of OpenSC, or download the PKCS#11 library.

  2. Choose the library in VeraCrypt under Settings>Preferences>Security Token (location depends on system, e.g. /usr/lib/opensc).

  3. Generate a 64 Byte key file via Tools>Keyfile Generator.

  4. Now you should be able to import the generated key file via Tools>Manage Security Token Keyfiles. You should choose the first Slot ([0] User PIN). The keyfile is then stored on the Nitrokey as ‘Private Data Object 1’ (PrivDO1).

  5. After this, securely wipe the original keyfile from your computer!

  6. Now you can use VeraCrypt with the Nitrokey: Create a container, choose the keyfile on the device as an alternative to a password.

Warning

Security Consideration

Please note that VeraCrypt doesn’t make use of the full security which Nitrokey (and smart cards in general) offer. Instead, it stores a keyfile on the Nitrokey, which malware on the computer could theoretically read out once the user has entered the PIN.

Note: Aloaha Crypt is based on TrueCrypt/VeraCrypt but without the described security limitation.

Hard Disk Encryption on GNU+Linux with LUKS/dm-crypt

For setting up LUKS disk encryption, follow our guide:

Purism has created a simple script to add the Nitrokey/LibremKey as a way to unlock LUKS partitions (not tested by Nitrokey yet).

This project aims to ease the use of LUKS with the Nitrokey Pro or Storage based on the Password Safe (not tested by Nitrokey yet). A description on how to use it on Gentoo can be found here.

For Arch Linux, see initramfs-scencrypt.

Storage Encryption on GNU+Linux with EncFS

EncFS is an easy-to-use utility for encrypted file systems, based on FUSE. You may follow these steps to use it with very long passwords and Nitrokey Pro 2:

Initialization

  1. Create a key file with random data:

    $ dd bs=64 count=1 if=/dev/urandom of=keyfile
    
  2. Encrypt the key file and use the User-ID of your Nitrokey

    $ gpg --encrypt keyfile
    
  3. Remove the key file in clear text:

    $ rm keyfile # you may want to use 'wipe' or 'shred' to securely delete the keyfile
    
  4. Create mount point:

    $ mkdir ~/.cryptdir ~/cryptdir
    
  5. Create the actual encryption folder

    $ gpg -d keyfile.gpg | encfs -S ~/.cryptdir ~/cryptdir
    # An error message about missing permissions of fusermount may appear;
    # it can be ignored.
    
  6. Unmount the new file system:

    $ fusermount -u ~/cryptdir
    

Usage

  1. Mount encrypted file system and enter PIN of Nitrokey:

    $ gpg -d keyfile.gpg | encfs -S ~/.cryptdir ~/cryptdir
    
  2. After usage, unmount the file system:

    $ fusermount -u ~/cryptdir
    
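The following helper script is an added example, not part of the Nitrokey page: it wraps the initialization and usage steps above into one POSIX shell script with init, mount and umount commands, and the file locations it uses are this example's assumptions. Because `encfs -S` reads the password as a single text line, the script base64-encodes the random key instead of piping raw /dev/urandom bytes, which could contain a newline or NUL byte and silently shorten the password.

```shell
#!/bin/sh
# Added helper for the EncFS + Nitrokey (GnuPG) workflow above; not from the page.
# Assumed locations (override via environment): keyfile.gpg, ~/.cryptdir, ~/cryptdir.
set -eu
KEYFILE_GPG="${KEYFILE_GPG:-${HOME:-.}/keyfile.gpg}"
ENC_DIR="${ENC_DIR:-${HOME:-.}/.cryptdir}"
MOUNT_DIR="${MOUNT_DIR:-${HOME:-.}/cryptdir}"

# 'encfs -S' reads the password as one text line, so raw /dev/urandom output
# (which may contain a newline or NUL byte) is base64-encoded first:
# 48 random bytes become 64 printable characters with no line break.
gen_keyfile_text() {
    head -c 48 /dev/urandom | base64 | tr -d '\n'
}
require_tool() {
    command -v "$1" >/dev/null 2>&1 || { echo "missing tool: $1" >&2; return 1; }
}
is_mounted() {
    grep -qs " $1 " /proc/mounts   # Linux mount table; simply false elsewhere
}

# One-time setup: encrypt a fresh key to the OpenPGP key on the Nitrokey
# ($1 = GnuPG recipient, e.g. the card's user ID) and create the EncFS volume.
# The clear-text key is piped straight into gpg and never written to disk.
init_crypt() {
    require_tool gpg; require_tool encfs
    [ ! -e "$KEYFILE_GPG" ] || { echo "refusing to overwrite $KEYFILE_GPG" >&2; return 1; }
    mkdir -p "$ENC_DIR" "$MOUNT_DIR"
    gen_keyfile_text | gpg --encrypt --recipient "$1" --output "$KEYFILE_GPG"
    gpg --decrypt "$KEYFILE_GPG" | encfs -S "$ENC_DIR" "$MOUNT_DIR"
    fusermount -u "$MOUNT_DIR"
}

# Daily use: gpg asks for the Nitrokey User PIN; the key reaches encfs only via the pipe.
mount_crypt() {
    require_tool gpg; require_tool encfs
    is_mounted "$MOUNT_DIR" && { echo "already mounted: $MOUNT_DIR" >&2; return 0; }
    gpg --decrypt "$KEYFILE_GPG" | encfs -S "$ENC_DIR" "$MOUNT_DIR"
}
umount_crypt() {
    is_mounted "$MOUNT_DIR" || { echo "not mounted: $MOUNT_DIR" >&2; return 0; }
    fusermount -u "$MOUNT_DIR"
}

case "${1:-}" in
    init)   init_crypt "${2:?usage: $0 init <gpg-recipient>}" ;;
    mount)  mount_crypt ;;
    umount) umount_crypt ;;
    *)      echo "usage: $0 init <gpg-recipient> | mount | umount" >&2 ;;
esac
```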

Storage Encryption on GNU+Linux with ECryptFS

eCryptfs is a file-based, transparent encrypting file system for GNU+Linux which can be used with Nitrokey through a PKCS#11 driver.

See these instructions:

  1. Import the certificate and key to the Nitrokey

    # Warning: This will delete existing keys on your Nitrokey!
    $ pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key user@example.com.p12 --format pkcs12 --auth-id 3 --verify-pin
    
  2. Create the file ~/.ecryptfsrc.pkcs11:

    $ editor ~/.ecryptfsrc.pkcs11
    
  3. Enter this content:

    pkcs11-log-level=5
    pkcs11-provider1,name=name,library=/usr/lib/opensc-pkcs11.so,cert-private=true
    
    Then list the PKCS#11 objects on the Nitrokey (replace the placeholder with the path of the opensc-pkcs11 module on your system):

    $ openvpn --show-pkcs11-ids <path to opensc-pkcs11 module>
    Certificate
        DN: /description=Iv4IQpLO02Mnix9i/CN=user@example.com/emailAddress=user@example.com
        Serial: 066E04
        Serialized id: ZeitControl/PKCS\x2315\x20emulated/000500000c7f/OpenPGP\x20card\x20\x28User\x20PIN\x29/03
    
  4. Copy the serialized id for later usage:

    $ ecryptfs-manager
    # This shows a menu. Choose the option "Add public key to keyring",
    # then choose pkcs11-helper,
    # and enter the serialized id from step 3 as the PKCS#11 ID.
    

Alternatively, try ESOSI or follow these steps using OpenSC and OpenVPN.

Source of the guide: https://www.nitrokey.com/documentation/applications#a:hard-disk-encryption