Yubikey as a storage for Veracrypt keyfile

There was a quite fresh discussion and no “how to ways” had been provided, but a way exists. Below is a Linux example.

a. You have installed and working Veracrypt software

b. You have an YubiKey and installed either YubiKey Personalization Tool or YubiKey Manager. Make sure you can run those software under average user account and YubiKey software can detect your Yubikey dongle properly

c. Also make sure you can run

# yubico-piv-tool -a status

and no error output is produced

d. Veracrypt can read Yubikey data via OpenSC. I can recommend to download OpenSC source code to build and install OpenSC library from scratch. Have a note OpenSC and therefore Veracrypt can’t write any information to Yubikey

e. Set the path to OpenSC library

d. Generate and save a keyfile

e. Convert the generated key file to the base64 formatted file

# base64 keyfile.dat > keyfile.dat.base64

g. Veracrypt detects valid following slots for Yubikey

Let’s choose Cardholder Facial Image slot and find it’s ID. Refer to yubico-piv-tool

Supported PIV Object IDs

Type of Object DataASN.1 OIDID
Card Capability Container2.16.840.1.101.3.7.1.219.00x5fc107
Card Holder Unique Identifier2.16.840.1.101.3.7.2.48.00x5fc102
X.509 Certificate for PIV Authentication2.16.840.1.101.3.7.2.1.10x5fc105
Cardholder Fingerprints2.16.840.1.101.3.7.2.96.160x5fc103
Security Object2.16.840.1.101.3.7.2.144.00x5fc106
Cardholder Facial Image2.16.840.1.101.3.7.2.96.480x5fc108
X.509 Certificate for Card Authentication2.16.840.1.101.3.7.2.5.00x5fc101
X.509 Certificate for Digital Signature2.16.840.1.101.3.7.2.1.00x5fc10a
X.509 Certificate for Key Management2.16.840.1.101.3.7.2.1.20x5fc10b
Printed Information2.16.840.1.101.3.7.2.48.10x5fc109

h. Let’s upload your keyfile to the Cardholder Facial Image slot with ID=0x5fc108

# yubico-piv-tool -a write-object -k --id 0x5fc108 -i keyfile.dat.base64 -f base64

Here you will be asked for your Yubikey’s management key and it’s a pity if you’ve lost it. No output errors mean keyfile is uploaded successfully.

Preparation part is done. Refer to the Veracrypt help how to use security token.

P.S.

Password extraction.

# pkcs11-tool -p yubikey-pin --application-id 2.16.840.1.101.3.7.2.96.48 --read-object --type data