Yubico / ykneo-openpgp

OpenPGP applet for the YubiKey NEO
https://developers.yubico.com/ykneo-openpgp/
GNU General Public License v2.0

PKCS#11 support #17

Closed Yannovitch closed 10 years ago

Yannovitch commented 10 years ago

Hello,

I really, really would like to have PKCS#11 support in Yubikey and I understand it's possible to achieve that as stated in many posts on Yubico forums and website. However I don't see it achieved anywhere so I'm looking for some ideas where to begin ?

Please help, even if just to drop quick and basic ideas.

Y

klali commented 10 years ago

Hello,

Typically PKCS11 support with the Neo is achieved with a different applet than the openpgp applet. Yubico has a PIV applet (not open source) that is loaded on recent Neos. PKCS11 with this applet might be possible if the applet is made compatible with opensc (issue #4).

I'm closing this as I believe it's off-topic for the issue tracker, please use the forums for questions and the issue tracker for more concrete things.

/klas

jas4711 commented 10 years ago

Let me add that PKCS#11 via OpenPGP is achieved using Scute: http://www.scute.org/

There shouldn't be any problem using the NEO with OpenPGP as a PKCS#11 module via Scute, as it behaves like any other OpenPGP card.

I hope the link to Scute will help! Let us know if you manage to get anything to work. We could write a small doc file about it, if there is anything in particular to keep in mind.

/Simon

jas4711 commented 10 years ago

Then using the PIV applet together with OpenSC's PKCS#11 driver is another option. Or bring up this use-case to the Scute developers, and discuss with them?

/Simon

Yannovitch commented 9 years ago

Hello,

Now that I got a Yubikey Neo last generation, I would like to use the PIV applet with OpenSC for PKCS11 authentication into VeraCrypt (fork of TrueCrypt) to force the need of a Yubikey to decrypt my Volume. My Yubikey & PIV applet is recognized by the OpenSC library that I specify in VeraCrypt. However, when I try to use the opensc-pkcs11 library with Yubico inside VeraCrypt, I have an error saying "function not supported". Reading on your forum http://forum.yubico.com/viewtopic.php?p=7166&sid=958cdb2de8b74e2320955704d3765a12#p7166, I understand the problem comes from OpenSC as it doesn't support objects like keyfiles. I read on this post that there exists a PKCS11 library with OpenPGP. Do you know something about this option?

Thanks, Y

klali commented 9 years ago

Hello,

This is a bugtracker for the openpgp applet of the Neo, for support requests you'll be better off with the forum or Yubico support. However, it's very unlikely you'll want to use pkcs11 support with truecrypt, it breaks many assumptions about smartcards.

edit: and as Simon wrote above, http://www.scute.org/ is a pkcs11 library for use with openpgpcard.

/klas

mouse07410 commented 9 years ago

Klas,

I'd like to hear your opinion why you think that TrueCrypt with PKCS11 would break any assumptions about smart cards. I know that PIV and CAC cards are used to secure files - so why not file systems? And I think that there's a way to make BitLocker and FileVault-2 to unlock the drive via CAC...

Now this seems PIV applet-related rather than OpenPGP-related (though one probably can unlock flash and file systems with PGP as well as with PIV?), so perhaps the OP chose a less-than-perfectly fitting mailing list to ask his question...

klali commented 9 years ago

So, the reason I think TrueCrypt's PKCS11 support breaks assumptions is that it uses data objects to store a key, instead of using crypto in the card. Used that way there's no difference between a usb drive and a smart card, except the smart card is a lot clunkier to use. There's nothing wrong with doing filesystem encryption with (to?) a smartcard like bitlocker or similar, the problem here lies in truecrypt.
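The distinction Klas draws above (a private key that stays on the card and is used through sign/decrypt operations, versus a keyfile stored as a PKCS#11 data object that the host reads out in full) can be checked against what a token actually exposes. The following is an added example, not code from ykneo-openpgp, Yubico, OpenSC or VeraCrypt: it parses an object listing in the general shape that OpenSC's `pkcs11-tool --list-objects` prints and reports which objects keep the key on the card and which are plain storage. The listing embedded below is constructed for the example (the labels, the `volume.keyfile` data object and the `TrueCrypt` application string are invented), and the exact output format of `pkcs11-tool` is assumed rather than taken from this page.

```python
"""Classify the objects a PKCS#11 token exposes into "crypto stays on the
card" (private key objects usable for sign/decrypt) and "card used as plain
storage" (data objects whose full content the host reads out).

Input format is modelled on `pkcs11-tool --list-objects` (assumption); the
sample listing below is constructed, not captured from a real token.
"""
from dataclasses import dataclass, field

# Constructed sample in the style of pkcs11-tool output (not real token data).
SAMPLE_LISTING = """\
Using slot 0 with a present token (0x0)
Private Key Object; RSA
  label:      PIV AUTH key
  ID:         01
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable
Public Key Object; RSA 2048 bits
  label:      PIV AUTH pubkey
  ID:         01
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      Certificate for PIV Authentication
  ID:         01
Data object 2147483649
  label:          'volume.keyfile'
  application:    'TrueCrypt'
  app_id:         <empty>
  flags:           modifiable
"""


@dataclass
class PkcsObject:
    kind: str                          # header line, e.g. "Private Key Object; RSA"
    attrs: dict = field(default_factory=dict)

    @property
    def label(self) -> str:
        # Data-object labels are printed in single quotes; strip them.
        return self.attrs.get("label", "").strip("'")


def parse_objects(listing: str) -> list:
    """Split the listing into objects: an unindented line starts a new object,
    an indented 'key: value' line is an attribute of the current object."""
    objects = []
    for line in listing.splitlines():
        if not line.strip() or line.startswith("Using slot"):
            continue
        if not line[0].isspace():
            objects.append(PkcsObject(kind=line.strip()))
            continue
        if objects and ":" in line:
            key, _, value = line.strip().partition(":")
            objects[-1].attrs[key.strip()] = value.strip()
    return objects


def usage_flags(obj: PkcsObject) -> set:
    """The comma-separated 'Usage' attribute as a set, e.g. {'sign', 'decrypt'}."""
    return {u.strip() for u in obj.attrs.get("Usage", "").split(",") if u.strip()}


def assess(objects: list) -> dict:
    """Report which objects keep the key on the card and which are mere storage."""
    oncard = [o.label for o in objects
              if o.kind.startswith("Private Key Object")
              and usage_flags(o) & {"sign", "decrypt"}]
    # A data object is read out in full by the host: the card is just storage
    # for it, which is the TrueCrypt keyfile pattern discussed above.
    storage = [o.label for o in objects if o.kind.startswith("Data object")]
    if storage and not oncard:
        verdict = "storage-only"
    elif storage:
        verdict = "mixed"
    elif oncard:
        verdict = "on-card-crypto"
    else:
        verdict = "no-usable-objects"
    return {"oncard_keys": oncard, "data_objects": storage, "verdict": verdict}


if __name__ == "__main__":
    report = assess(parse_objects(SAMPLE_LISTING))
    print("Keys used on-card (sign/decrypt):", report["oncard_keys"])
    print("Keyfiles read out as data objects:", report["data_objects"])
    print("Verdict:", report["verdict"])
```

On a real token you would feed the output of `pkcs11-tool --module <path to opensc-pkcs11> --list-objects` to `parse_objects`. Any label that turns up under `data_objects` is material the host pulls off the card verbatim, so the card adds no more protection for it than a removable drive would; only the `oncard_keys` entries give the non-extractable property a smart card is meant to provide.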