Hard Disk Encryption
(Nitrokey HSM 2 - Linux)
VeraCrypt is a free and Open Source disk encryption software for Windows, macOS, and GNU+Linux. It is the successor of TrueCrypt and thus recommended, although the following instructions should apply to TrueCrypt as well.
Choose the library in VeraCrypt under Settings>Preferences>Security Token (location depends on system, e.g.
Generate a 64 Byte key file via Tools>Keyfile Generator.
Now you should be able to import the generated key file via Tools>Manage Security Token Keyfiles. You should choose the first Slot ( User PIN). The keyfile is then stored on the Nitrokey as ‘Private Data Object 1’ (
After this you should securely wipe the original keyfile on your computer!
Now you can use VeraCrypt with the Nitrokey: Create a container, choose the keyfile on the device as an alternative to a password.
Please note that VeraCrypt doesn’t make use of the full security which the Nitrokey (and smart cards in general) offers. Instead it stores a keyfile on the Nitrokey, which could in theory be read out by malware on the computer once the user has entered the PIN.
Note: Aloaha Crypt is based on TrueCrypt/VeraCrypt but without the described security limitation.
Purism has created a simple script to add the Nitrokey/LibremKey as a way to unlock LUKS partitions (not tested by Nitrokey yet).
For Arch Linux, see initramfs-scencrypt.
Please ensure that you installed the device driver, changed the default PINs and generated or imported keys with GnuPG.
Create a key file with random data:
$ dd bs=64 count=1 if=/dev/urandom of=keyfile
Encrypt the key file, entering the User ID of your Nitrokey’s key as the recipient:
$ gpg --encrypt keyfile
Remove the key file in clear text:
$ rm keyfile # you may want to use 'wipe' or 'shred' to securely delete the keyfile
Create mount point:
$ mkdir ~/.cryptdir ~/cryptdir
Create the actual encrypted folder:
$ gpg -d keyfile.gpg | encfs -S ~/.cryptdir ~/cryptdir # An error message about missing permissions for fusermount may appear; it can be ignored
Unmount the new file system:
$ fusermount -u ~/cryptdir
Mount encrypted file system and enter PIN of Nitrokey:
$ gpg -d keyfile.gpg | encfs -S ~/.cryptdir ~/cryptdir
After usage, unmount the file system:
$ fusermount -u ~/cryptdir
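Added example, not part of the Nitrokey guide: a POSIX shell wrapper for the EncFS + GnuPG steps above that checks the key material before handing it to encfs and aborts if gpg cannot decrypt the key file with the Nitrokey. It assumes gpg, encfs, fusermount and mountpoint are installed and the Nitrokey’s OpenPGP key is known to gpg; RECIPIENT and the paths are placeholders, and the key is stored as 64 printable base64 characters instead of raw bytes (the example’s own choice).

```shell
#!/bin/sh
# Added example (not from the Nitrokey guide): fail-closed helpers for the EncFS + GnuPG
# workflow. Assumes gpg, encfs, fusermount and mountpoint exist and the Nitrokey's OpenPGP
# key is known to gpg. RECIPIENT and the paths below are placeholders for this example.
set -e

RECIPIENT="${RECIPIENT:-user@example.org}"        # User ID of the key on the Nitrokey
KEYFILE="${KEYFILE:-${HOME:-.}/.cryptdir.key.gpg}" # encrypted key file kept on disk
ENC_DIR="${ENC_DIR:-${HOME:-.}/.cryptdir}"         # EncFS ciphertext directory
MNT_DIR="${MNT_DIR:-${HOME:-.}/cryptdir}"          # EncFS plaintext mount point
KEY_CHARS=64

# Validate key material read from stdin: exactly KEY_CHARS base64 characters on one
# line. The example stores the key as printable base64 (its own choice) so the whole
# key survives being read by encfs -S as a single password line.
check_key() {
    key=$(cat)
    [ "${#key}" -eq "$KEY_CHARS" ] || return 1
    case "$key" in *[!A-Za-z0-9+/=]*) return 1 ;; esac
    return 0
}

# Generate the key, encrypt it to the Nitrokey's key, and shred the plaintext copy.
make_key() {
    tmp=$(mktemp)                                           # mktemp creates the file mode 0600
    head -c 48 /dev/urandom | base64 | tr -d '\n' > "$tmp"  # 48 random bytes -> 64 base64 chars
    check_key < "$tmp" || { echo "key generation failed" >&2; rm -f "$tmp"; return 1; }
    gpg --encrypt --recipient "$RECIPIENT" --output "$KEYFILE" "$tmp"
    shred -u "$tmp" 2>/dev/null || rm -f "$tmp"
}

# Decrypt the key with the Nitrokey (gpg prompts for the User PIN) and mount. Under
# set -e a failed gpg run aborts here, so encfs never sees missing or truncated key material.
mount_crypt() {
    mountpoint -q "$MNT_DIR" && { echo "$MNT_DIR is already mounted" >&2; return 0; }
    key=$(gpg --quiet --decrypt "$KEYFILE")
    printf '%s\n' "$key" | check_key || { echo "bad key material, refusing to mount" >&2; return 1; }
    printf '%s\n' "$key" | encfs -S "$ENC_DIR" "$MNT_DIR"   # the first run creates the volume
    unset key
}

umount_crypt() { fusermount -u "$MNT_DIR"; }

case "${1:-}" in
    init)   mkdir -p "$ENC_DIR" "$MNT_DIR"; make_key; mount_crypt ;;
    mount)  mount_crypt ;;
    umount) umount_crypt ;;
    "")     ;;                                  # no arguments: only define the functions
    *)      echo "usage: $0 init|mount|umount" >&2; exit 1 ;;
esac
```

Run `sh encfs-nitrokey.sh init` once to create the key file and the volume, then `mount` and `umount` for daily use.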
eCryptfs is a file-based transparent encryption file system for GNU+Linux which can be used with the Nitrokey through a PKCS#11 driver.
See these instructions:
Import the certificate and key to the Nitrokey:
# Warning: This will delete existing keys on your Nitrokey!
$ pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key email@example.com --format pkcs12 --auth-id 3 --verify-pin
Create the file ~/.ecryptfsrc.pkcs11:
$ editor ~/.ecryptfsrc.pkcs11
Enter this content:
pkcs11-log-level=5
pkcs11-provider1,name=name,library=/usr/lib/opensc-pkcs11.so,cert-private=true
Find the serialized id of the key on the Nitrokey; the argument is the path to the opensc-pkcs11 module:
$ openvpn --show-pkcs11-ids path to opensc-pkcs11 module
Certificate DN: /description=Iv4IQpLO02Mnix9i/CNfirstname.lastname@example.org/emailAddressemail@example.com
Serial: 066E04
Serialized id: ZeitControl/PKCS\x2315\x20emulated/000500000c7f/OpenPGP\x20card\x20\x28User\x20PIN\x29/03
Copy the serialized id for later usage:
$ ecryptfs-manager
# This shows a list of options. Choose "Add public key to keyring", then choose pkcs11-helper
# and enter the serialized id copied above as the PKCS#11 ID.
Alternatively, try ESOSI or follow these steps using OpenSC and OpenVPN.
Source of the guide: https://www.nitrokey.com/documentation/applications#a:hard-disk-encryption