Yubico Forum

I understand some Yubikeys can be re-programmed to store a line of charictors but now TrueCrypt can support a pcks#11 library. I don't really understand what this means, but can this now support a regular Yubikey, by downloading a .dll file?

Thank you for your question about Yubikey and TrueCrypt and the second part of the question regarding the use of PKCS#11 support in TrueCrypt.

As you mentioned in your question you can use the Yubico personalization tool to configure your Yubikey to produce a fixed (randomized at the time of creation) password which you can use with TrueCrypt. Just remember that since Yubikey has only one button, once it is set up for fixed PW, then the fixed PW functionality replaces the OTP (One Time PW) functionality for that particular Yubikey. When TrueCrypt asks for the PW you simply point the cursor to the PW field and press the button on the Yubikey and the fixed password will be sent from the Yubikey and entered right into the PW field.

PKCS#11 is a standard and protocol stack commonly used by Smart Cards and PKI (Public Key Infrastructure). However, using PKCS11 requires a different set of infrastructure (more complex) compared to Yubikey. PKCS11 also requires drivers for each Smart Card reader that shall be used to work in preboot mode with TrueCrypt i.e. before the normal operating system is started. There are only very few drivers available to work in preboot mode so this is an issue when using PKCS#11 with TrueCrypt.

Yubikey on the other hand will work fine in preboot mode without drivers or any specific protocol stack installed The reason is that Yubikey emulates and looks like a USB keyboard to the BIOS (the system that starts your computer at boot time) so if your BIOS supports USB keyboards (most modern computers do today), then when you press the button on the Yubikey a string of characters (the Password) will be sent to the computer keyboard buffer in the same way as if you were inputting the characters manually from the regular keyboard. When TrueCrypt ask for the PW you simply point the cursor to the PW field and press the button on the Yubikey and the fixed password will be sent from the Yubikey and entered right into the PW field.

If the goal was to use a conventional Yubikey to secure a file, could it work like this?
Could a .dll be written to:
capture the Yubikey string,
secure a connection to a server,
that could verify the authenticity,
and return the result.
Then this .dll be used in TrueCrypt to allow or deny data access.

I understand the PKCS#11 uses card readers and drivers and returns a different kind of result.
But we don't need card readers, so we won't need drivers.
Also we would need a server to return the result, I don't know if Yubico or Verisign could provide this.
Unless the PKCS#11 protocol dosn't have the ability to set up a secure connection.

Main features of TrueCrypt Disk encryption software are:

1) Encrypts a partition or drive where Windows is installed (pre-boot authentication)
2) Creates a virtual encrypted disk within a file and mounts it as a real disk
3) Encrypts an entire partition or storage device such as USB flash drive or hard drive

For Pre-boot authentication, conventional YubiKey (emitting OTP) can not be used because, in pre-boot environment, the network service will not be available and hence it wouldn’t be possible to send the OTP for validation to the Yubico Validation Server over network. However, a YubiKey programmed (using Yubico personalization tool) to emit a fixed (randomized at the time of creation) password can be used with TrueCrypt pre-boot authentication.

For the second TrueCrypt feature, a conventional YubiKey can be potentially used, provided that the virtual encrypted volume is mounted upon user request after completion of the boot process and network connectivity is available. In this case, a DLL could be provided to authenticate the YubiKey OTP with Yubico Validation Server over network.

Similarly, for the third TrueCrypt feature, a conventional YubiKey can be potentially used provided that the hard disk or USB flash drive is mounted upon user request after completion of boot process and not automatically during the boot process.

Yubico is welcoming development of YubiKey enabled post-boot authentication for TrueCrypt. If you or someone reading this post is contemplating development of such a module, please let Yubico know about it in order to provide some technical help!