
I want to encrypt and decrypt a file system container file with luks and a smartcard on debian linux.

The smartcard is a Nitrokey Start which is basically a compact smartcard in a usb reader.

I know how to create and mount a container file with dd, cryptsetup and a key file. But I can't figure out how to use a smart card instead of a key file.

I read somewhere that this is not possible because you can't read the key from the smartcard.

So, if I understand this right, I have to:

  • create a container
  • generate a key file
  • use cryptsetup and the key file to encrypt the container
  • use the smartcard to encrypt the key file
  • delete the unencrypted key file

And every time I want to decrypt and mount the container I have to:

  • decrypt the key file with the smartcard
  • decrypt the container with the decrypted key file
  • delete the unencrypted key file

Is this correct? Are there any better ways to achieve HDD (or file system container) encryption with a smartcard?

Note: I'm not bound to cryptsetup and luks, so if there are any better tools out there to achieve my goal, please tell me.

soulflyman
  • It would be insecure to actually write the unencrypted key to your HDD. You would pipe the output directly to luks so that it is only ever decrypted in memory: `pkcs15-crypt --decipher --input /tmp/encryptedkey.pkcs1 --pkcs1 --raw | cryptsetup --key-file=- luksOpen /dev/sdb1` – HackSlash Jan 26 '18 at 17:15
  • Instead of using a key file you could use a "password". This way invoking cryptsetup isn't much different from using an ordinary password. Obviously the password should be long and random and doesn't need to be rememberable. Hence, you could get it from /dev/random. You would store the encrypted password as you describe storing an encrypted key file. – jans Jan 29 '18 at 19:45

1 Answer

Looks like you can load external keys on to the Nitrokey with a GPG command called "keytocard"

  1. generate key file
  2. copy key file to Nitrokey (keytocard)
  3. secure erase key file from HDD
  4. use key file on the Nitrokey to encrypt/decrypt as normal

There are many options for encrypted containers with VeraCrypt being the easiest to use.

Here is the official documentation for Nitrokey: https://www.nitrokey.com/documentation/applications#p:nitrokey-start&os:linux&a:hard-disk-encryption

If you already have a container that is encrypted with a key, just copy that one, test it and if it works from the Nitrokey just secure erase the copy on the HDD. Now the only copy left is on the key.

(You might want a backup)

HackSlash
  • I really tried, but maybe my question wasn't clear enough. I have no problem in putting keys onto the Nitrokey. It is step 4 that I can't follow. "4. use key file **on the Nitrokey** to encrypt/decrypt **as normal**" So how do I do that? With a key file the cryptsetup command looks like this: `cryptsetup luksOpen --key-file luks-key.txt /dev/loop0 container1` But there is no such thing like: `cryptsetup luksOpen --smart-card key-slot1 /dev/loop0 container1` – soulflyman Jan 26 '18 at 15:48
  • @soulflyman Ok, I see. There are instructions on how to do this within the Nitrokey documentation. See my edit above. – HackSlash Jan 26 '18 at 17:21
  • I understand the term "key file" in this discussion is inspired by TrueCrypt/VeraCrypt where it describes a file containing a symmetric secret to decrypt an encrypted volume. However, GnuPG's `keytocard` command can be used to import RSA and ECC keys to the Nitrokey device. Using "key file" in conjunction with GnuPG's "keytocard" is misleading. – jans Jan 29 '18 at 19:35
  • They are all keys in files. You can put all sorts of key files on a Nitrokey. – HackSlash Jan 29 '18 at 21:04
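The workflow from the question (random key, container encrypted with it, key wrapped by the smartcard) combined with the pipe suggested in HackSlash's comment, written out as a shell script. This is an added example, not code from any of the posts: it wraps the key with a GnuPG encryption key that lives on the card (the OpenPGP key `keytocard` puts there) and only ever pipes the plaintext into cryptsetup, so no unencrypted key file has to be created or deleted. The key ID, paths and mount point are placeholders; setup/open/close assume root, gpg and cryptsetup.

```shell
#!/bin/sh
# Added example (not from the original posts): LUKS container whose random key
# is wrapped with a GnuPG encryption key held on the smartcard. The plaintext
# key exists only in a pipe and this shell's memory, never as a file on disk.
# Assumptions: gpg sees the card's key under GPG_KEYID (placeholder), cryptsetup
# and gpg are installed, and setup/open/close run as root.
set -eu

CONTAINER=${CONTAINER:-/var/lib/container1.img}          # assumed path
KEYFILE_ENC=${KEYFILE_ENC:-/var/lib/container1.key.gpg}  # wrapped key, safe on disk
MAPPER=${MAPPER:-container1}
MOUNTPOINT=${MOUNTPOINT:-/mnt/container1}
GPG_KEYID=${GPG_KEYID:-PLACEHOLDER_KEY_ID}

# 64 random bytes, base64-encoded without a trailing newline (88 characters).
gen_key() { head -c 64 /dev/urandom | base64 | tr -d '\n'; }

# The card decrypts the wrapped key (gpg prompts for the PIN) and cryptsetup
# reads it straight from the pipe via --key-file=-.
unlock() {
    gpg --quiet --decrypt "$KEYFILE_ENC" \
        | cryptsetup luksOpen --key-file=- "$CONTAINER" "$MAPPER"
}

# One-time setup: create the container, wrap the key for the card, format the
# container with the same key fed through stdin, then put a filesystem on it.
setup() {
    size_mb=$1
    dd if=/dev/zero of="$CONTAINER" bs=1M count="$size_mb" status=none
    key=$(gen_key)
    printf '%s' "$key" | gpg --encrypt --recipient "$GPG_KEYID" --output "$KEYFILE_ENC"
    printf '%s' "$key" | cryptsetup luksFormat --batch-mode --key-file=- "$CONTAINER"
    unset key
    # Header backup: losing the header or the wrapped key loses the data.
    cryptsetup luksHeaderBackup "$CONTAINER" --header-backup-file "$CONTAINER.hdr"
    unlock
    mkfs.ext4 -q "/dev/mapper/$MAPPER"
    cryptsetup luksClose "$MAPPER"
}

open_container() { unlock; mkdir -p "$MOUNTPOINT"; mount "/dev/mapper/$MAPPER" "$MOUNTPOINT"; }
close_container() { umount "$MOUNTPOINT"; cryptsetup luksClose "$MAPPER"; }

case "${1:-}" in
    setup) setup "${2:?size in MB}" ;;
    open)  open_container ;;
    close) close_container ;;
esac
```

Run `./luks-card.sh setup 512` once, then `open`/`close` for daily use; the only artifacts left on disk are the container, the header backup and the gpg-wrapped key.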