veracrypt / VeraCrypt-DCS

VeraCrypt EFI Bootloader for EFI Windows system encryption (LGPL)
GNU Lesser General Public License v3.0

Smart card keyfile implementation for VeraCrypt-DCS #29

Open thomasnet-mc opened 3 years ago

thomasnet-mc commented 3 years ago

Hello,

I've seen that DCS has support for sending APDUs over to a smart card reader, and I'd be interested in adding more support for smart cards, hopefully up to being able to fetch a keyfile registered by VeraCrypt.

It's my first project with smart cards, so please feel free to correct me if I say anything wrong. The way I'm thinking of doing it is by bypassing the need for a PKCS#11 interface and directly using ISO 7816-4 APDUs to log in with a PIN entered by the user, and then fetching the keyfile from the card.

Maybe the VeraCrypt app could set the file ID corresponding to the keyfile it registered in the DCS config?

I'll try more things when I actually get a keycard, though!
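
The APDU sequence sketched in the post above (SELECT the keyfile by file ID, VERIFY the PIN, READ BINARY), as an added example that is not part of the original thread or of DCS's own code. All function names are hypothetical; the PIN reference (P2), the raw unpadded PIN encoding and the 16-byte length limit are card-specific assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* SELECT by file ID (ISO 7816-4: INS A4, P1=00, P2=0C = return no FCI). */
size_t apdu_select_fid(uint8_t *out, uint16_t fid) {
    const uint8_t hdr[5] = {0x00, 0xA4, 0x00, 0x0C, 0x02};
    memcpy(out, hdr, 5);
    out[5] = (uint8_t)(fid >> 8);
    out[6] = (uint8_t)(fid & 0xFF);
    return 7;
}

/* VERIFY (INS 20). pin_ref (P2) and the PIN encoding depend on the card;
 * raw unpadded bytes are an assumption. Returns 0 on a bad length. */
size_t apdu_verify(uint8_t *out, uint8_t pin_ref, const uint8_t *pin, size_t len) {
    if (len == 0 || len > 16) return 0;
    out[0] = 0x00; out[1] = 0x20; out[2] = 0x00; out[3] = pin_ref;
    out[4] = (uint8_t)len;
    memcpy(out + 5, pin, len);
    return 5 + len;
}

/* READ BINARY (INS B0) with a 15-bit offset; le == 0 asks for up to 256 bytes. */
size_t apdu_read_binary(uint8_t *out, uint16_t offset, uint8_t le) {
    if (offset > 0x7FFF) return 0;
    out[0] = 0x00; out[1] = 0xB0;
    out[2] = (uint8_t)(offset >> 8); out[3] = (uint8_t)(offset & 0xFF);
    out[4] = le;
    return 5;
}

/* Check the trailing SW1 SW2. Returns 0 on 9000, -1 otherwise. After a failed
 * VERIFY, *retries is the tries left (63Cx) or 0 when blocked (6983);
 * it stays -1 when the status word carries no counter. */
int apdu_status(const uint8_t *rsp, size_t rsp_len, int *retries) {
    *retries = -1;
    if (rsp_len < 2) return -1;
    uint16_t sw = (uint16_t)(rsp[rsp_len - 2] << 8 | rsp[rsp_len - 1]);
    if (sw == 0x9000) return 0;
    if ((sw & 0xFFF0) == 0x63C0) *retries = sw & 0x0F;
    else if (sw == 0x6983) *retries = 0;
    return -1;
}

/* Overwrite a buffer that held the PIN; volatile keeps the stores from being elided. */
void wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}
```

A pre-boot caller would stop prompting once `retries` reaches a low value rather than let repeated wrong PINs block the card, and would call `wipe` on both the PIN and the built VERIFY buffer after transmission.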

MADXhh commented 2 years ago

+1

That sounds good! I would be very happy about this feature!

kavsrf commented 2 years ago

  1. There is a possibility to save the master key to flash => data and keys are separate.
  2. The master key is protected by password, PIM and key from TPM + serials of the target platform. A smart card can add a small improvement – the key from the SC is not possible to retrieve. It is not very important – IMHO.