Yubico Forum


All times are UTC + 1 hour




Posted: Mon Mar 30, 2015 8:54 pm

Joined: Mon Mar 30, 2015 8:36 pm
Posts: 12
Hello!

I'm using TrueCrypt under OS X and I'm looking for a way to enhance my profile by use of a YubiKey NEO. TC has an option to require a user not only to provide a password but also to present a keyfile, which might be stored on a PKCS #11 security token for added security. At present I use an Aladdin eToken to store the keyfiles.

Can I use my new YubiKey NEO in this scheme? What setup should I do?

Is there any other way I can make my security profile of using TrueCrypt better with a YubiKey? I understand there's the ability to use the static password generation option of the key. I also understand the reason to mix a password which I know with the static YubiKey output (which I have). But frankly I don't think it really increases security. The static password from the YubiKey can be keylogged or otherwise exfiltrated and then used.

Thanks and cheers!
Owl



Posted: Tue Mar 31, 2015 12:30 pm
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
I would recommend that you move away from TrueCrypt:

http://truecrypt.sourceforge.net/
http://security.stackexchange.com/quest ... still-safe


Posted: Tue Mar 31, 2015 3:34 pm

Joined: Thu Oct 16, 2014 11:51 pm
Posts: 82
Tom2 wrote:


The closest recommendation I have is to move to VeraCrypt, which seems to be shepherded by competent developers. There are other replacements "in the works", but not much movement. http://veracrypt.codeplex.com

That being said, the same question applies to most/all forks of TrueCrypt, so I wouldn't close out on the question altogether.

B


Posted: Wed Apr 01, 2015 11:14 am

Joined: Mon Mar 30, 2015 8:36 pm
Posts: 12
Hi!

Thanks for your replies. To me, moving away from TrueCrypt seems quite questionable. No doubt TC has a number of advantages: it's open source, cross-platform, it's been in use for a long time, and my guess is that it might have the biggest number of users (I mean among third-party products, not taking into account dm-crypt, BitLocker and FileVault, which come with their respective OSes). It's been under very close attention, has undergone an independent audit (phase 1) and is now going through phase 2.

Unfortunately it's discontinued, and that's what makes me look for alternatives. But I don't think it's broken. The biggest problem with TC found so far is the relatively small number of iterations used in the key derivation algorithm. But it can be compensated for by applying even stronger passwords/passphrases.

If I were a Win32 user I'd choose DiskCryptor (diskcryptor.net/wiki/Main_Page). But I'm on OS X and there's no DiskCryptor for this platform. Looking at those that do have a Mac version, I would go after the VeraCrypt fork of TC. The only thing that stops me: if you're on a Mac you'll have to install OSXFUSE 2.3, which is a kind of filesystem emulator. And like any emulator it might be a source of extra errors and overhead. And the original TC 7.1a for Mac does not require any of those.

Anyway, whether I end up using a TC fork or continue with TC itself, the initial question remains. Can I place keyfiles on a YubiKey NEO?

The same question is equally important for, say, KeePassX, which also allows for a keyfile as a second authentication factor.

My current newbie's understanding is that the only authentication algorithm the YubiKey NEO has which is applicable to FDE software and the like is static string output. It's better than '123456' of course, but it's still not "something you have". In particular, it can be keylogged by the same malware that intercepts what you type on your keyboard. Keyfiles are not a magic bullet, but I think they do increase the security level, especially if put on an isolated token.

