VeraCrypt
path: root/doc/html/Keyfiles in VeraCrypt.html
Diffstat (limited to 'doc/html/Keyfiles in VeraCrypt.html')
-rw-r--r--doc/html/Keyfiles in VeraCrypt.html22
1 files changed, 20 insertions, 2 deletions
diff --git a/doc/html/Keyfiles in VeraCrypt.html b/doc/html/Keyfiles in VeraCrypt.html
index c64773b4..5a07bf48 100644
--- a/doc/html/Keyfiles in VeraCrypt.html
+++ b/doc/html/Keyfiles in VeraCrypt.html
@@ -1,75 +1,74 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>VeraCrypt - Free Open source disk encryption with strong security for the Paranoid</title>
<meta name="description" content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."/>
<meta name="keywords" content="encryption, security"/>
<link href="styles.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div>
-<a href="https://www.veracrypt.fr/en/Home.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>
+<a href="Documentation.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>
</div>
<div id="menu">
<ul>
<li><a href="Home.html">Home</a></li>
<li><a href="/code/">Source Code</a></li>
<li><a href="Downloads.html">Downloads</a></li>
<li><a class="active" href="Documentation.html">Documentation</a></li>
<li><a href="Donation.html">Donate</a></li>
<li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>
</ul>
</div>
<div>
<p>
<a href="Documentation.html">Documentation</a>
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
<a href="Keyfiles%20in%20VeraCrypt.html">Keyfiles</a>
</p></div>
<div class="wikidoc">
<h1>Keyfiles</h1>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
Keyfile is a file whose content is combined with a password (for information on the method used to combine a keyfile with password, see the section
<a href="Keyfiles.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
Keyfiles</a> in the chapter <a href="Technical%20Details.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
Technical Details</a>). Until the correct keyfile is provided, no volume that uses the keyfile can be mounted.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
You do not have to use keyfiles. However, using keyfiles has some advantages:</div>
<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
May improve protection against brute force attacks (significant particularly if the volume password is not very strong).
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
Allows the use of security tokens and smart cards (see below). </li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
Allows multiple users to mount a single volume using different user passwords or PINs. Just give each user a security token or smart card containing the same VeraCrypt keyfile and let them choose their personal password or PIN that will protect their security
token or smart card. </li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
Allows managing multi-user <em style="text-align:left">shared</em> access (all keyfile holders must present their keyfiles before a volume can be mounted).
</li></ul>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
-Any kind of file (for example, .txt, .exe, mp3**, .avi) can be used as a VeraCrypt keyfile (however, we recommend that you prefer compressed files, such as .mp3, .jpg, .zip, etc).
<br style="text-align:left">
<br style="text-align:left">
Note that VeraCrypt never modifies the keyfile contents. You can select more than one keyfile; the order does not matter. You can also let VeraCrypt generate a file with random content and use it as a keyfile. To do so, select
<em style="text-align:left">Tools &gt; Keyfile Generator</em>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Note: Keyfiles are currently not supported for system encryption.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
WARNING: If you lose a keyfile or if any bit of its first 1024 kilobytes changes, it will be impossible to mount volumes that use the keyfile!</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<em style="text-align:left"><strong style="text-align:left">WARNING: If password caching is enabled, the password cache also contains the processed contents of keyfiles used to successfully mount a volume. Then it is possible to remount the volume even if the
keyfile is not available/accessible.</strong> To prevent this, click '</em>Wipe Cache<em style="text-align:left">' or disable password caching (for more information, please see the subsection
</em>'Settings -&gt; Preferences'<em style="text-align:left">, item </em>'Cache passwords in driver memory'<em style="text-align:left"> in the section
</em><a href="Program%20Menu.html" style="text-align:left; color:#0080c0; text-decoration:none.html">Program Menu</a>).</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
See also the section <a href="Choosing%20Passwords%20and%20Keyfiles.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
Choosing Passwords and Keyfiles</a> in the chapter <a href="Security%20Requirements%20and%20Precautions.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
Security Requirements and Precautions</a>.</div>
<p>&nbsp;</p>
<h3 style="text-align:left; font-family:Arial,Helvetica,Verdana,sans-serif; font-weight:bold; margin-top:0px; font-size:13px; margin-bottom:4px">
Keyfiles Dialog Window</h3>
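Review bot: Deleting the "Any kind of file (for example, .txt, .exe, mp3**, .avi) can be used as a VeraCrypt keyfile ..." line leaves the div that follows it opening with two bare `<br style="text-align:left">` elements, so the paragraph now renders with empty lines before "Note that VeraCrypt never modifies the keyfile contents." Either remove those two `<br>` lines together with the sentence or keep the sentence; if the removal is deliberate, consider preserving the recommendation to prefer compressed files (.mp3, .jpg, .zip), which is the only place this page explains what makes a good keyfile, and check that the `**` footnote marker the removed line carried does not leave an orphaned footnote elsewhere on the page. The logo link change from the external veracrypt.fr URL to the local Documentation.html is consistent with the breadcrumb below it and keeps the bundled documentation usable offline.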
@@ -97,40 +96,59 @@ In order to allow VeraCrypt to access a security token or smart card, you need t
website of the vendor or other third parties.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
If your security token or smart card does not contain any file (data object) that you could use as a VeraCrypt keyfile, you can use VeraCrypt to import any file to the token or smart card (if it is supported by the device). To do so, follow these steps:</div>
<ol style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
In the keyfile dialog window, click <em style="text-align:left">Add Token Files</em>.
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
If the token or smart card is protected by a PIN, password, or other means (such as a fingerprint reader), authenticate yourself (for example, by entering the PIN using a hardware PIN pad).
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
The 'Security Token Keyfile' dialog window should appear. In it, click <em style="text-align:left">
Import Keyfile to Token</em> and then select the file you want to import to the token or smart card.
</li></ol>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Note that you can import for example 512-bit keyfiles with random content generated by VeraCrypt (see
<em style="text-align:left">Tools &gt; Keyfile Generator</em> below).</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
To close all opened security token sessions, either select <em style="text-align:left">
Tools</em> &gt; <em style="text-align:left">Close All Security Token Sessions</em> or define and use a hotkey combination (<em style="text-align:left">Settings</em> &gt;
<em style="text-align:left">Hot Keys &gt; Close All Security Token Sessions</em>).</div>
<p>&nbsp;</p>
+<h3 id="SmartCard" style="text-align:left; font-family:Arial,Helvetica,Verdana,sans-serif; font-weight:bold; margin-top:0px; font-size:13px; margin-bottom:4px">
+EMV Smart Cards</h3>
+<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
+Windows and Linux versions of VeraCrypt can use directly as keyfiles data extracted from EMV compliant smart cards, supporting Visa, Mastecard or Maestro applications. As with PKCS-11 compliant smart cards, to use such data as VeraCrypt keyfiles,
+click <em style="text-align:left">Add Token Files</em> (in the keyfile dialog window). The last four digits of the card's Primary Account Number will be displayed, allowing the selection of the card as a keyfile source.
+<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
+The data extracted and concatenated into a single keyfile are as follow : ICC Public Key Certificate, Issuer Public Key Certificate and Card Production Life
+Cycle (CPLC) data. They are respectively identified by the tags '9F46', '90' and '9F7F' in the card's data management system. These two certificates are specific to an application deployed on the EMV card and used for the Dynamic Data Authentication of the card
+during banking transactions. CPLC data are specific to the card and not to any of its applications. They contain information on the production process of the smart card. Therefore both certificates and data are unique and static on any EMV compliant smart card.</div>
+<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
+According to the ISO/IEC 7816 standard on which the EMV standard is based, communication with an EMV smart card is done through structured commands called APDUs, allowing to extract the data from the smart card. These data are encoded in the BER-TLV format,
+defined by the ASN.1 standard, and therefore need to be parsed before being concatenated into a keyfile. No PIN is required to access and retrieve data from the card. To cope with the diversity of smart cards readers on the market, librairies compliant with the Microsoft Personal
+Computer/Smart Card communication standard are used. The Winscard library is used. Natively available on Windows in System32, it then doesn't require any installation on this operating system. However, the libpcsclite1 package has to be installed on Linux.</div>
+<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
+Since the card is read-only, it is not possible to import or delete data. However, data used as keyfiles can be exported locally in any binary file. During the entire cryptographic process of mounting or creating a volume, the certificates and CPLC data are never stored anywhere
+other than in the user's machine RAM. Once the process is complete, these RAM memory areas are rigorously erased.</div>
+<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
+It important to note that this feature is optional and disabled by default. It can be enabled in the <em style="text-align:left">Security Token Preferences</em> parameters by checking the box provided.</div>
+<p>&nbsp;</p>
<h3 style="text-align:left; font-family:Arial,Helvetica,Verdana,sans-serif; font-weight:bold; margin-top:0px; font-size:13px; margin-bottom:4px">
Keyfile Search Path</h3>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
By adding a folder in the keyfile dialog window (click <em style="text-align:left">
Add Path</em>), you specify a <em style="text-align:left">keyfile search path</em>. All files found in the keyfile search path* will be used as keyfiles except files that have the Hidden file attribute set.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<strong style="text-align:left"><em style="text-align:left">Important: Note that folders (and files they contain) and hidden files found in a keyfile search path are ignored.</em></strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Keyfile search paths are especially useful if you, for example, store keyfiles on a USB memory stick that you carry with you. You can set the drive letter of the USB memory stick as a default keyfile search path. To do so, select
<em style="text-align:left">Settings </em>-&gt; <em style="text-align:left">Default Keyfiles</em>. Then click
<br style="text-align:left">
<em style="text-align:left">Add Path</em>, browse to the drive letter assigned to the USB memory stick, and click
<em style="text-align:left">OK</em>. Now each time you mount a volume (and if the option
<em style="text-align:left">Use keyfiles</em> is checked in the password dialog window), VeraCrypt will scan the path and use all files that it finds on the USB memory stick as keyfiles.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<strong style="text-align:left"><em style="text-align:left">WARNING: When you add a folder (as opposed to a file) to the list of keyfiles, only the path is remembered, not the filenames! This means e.g. that if you create a new file in the folder or if you
copy an additional file to the folder, then all volumes that used keyfiles from the folder will be impossible to mount (until you remove the newly added file from the folder).
</em></strong></div>
<p>&nbsp;</p>
<h3 style="text-align:left; font-family:Arial,Helvetica,Verdana,sans-serif; font-weight:bold; margin-top:0px; font-size:13px; margin-bottom:4px">
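Review bot: The `<div>` opened before "The data extracted and concatenated into a single keyfile are as follow :" is never closed: the previous `<div>` (ending with "allowing the selection of the card as a keyfile source.") has no `</div>`, the next line opens another `<div>`, and only one `</div>` follows, so the EMV section leaves one extra `<div>` open and everything from "Keyfile Search Path" onward is nested inside it. Add `</div>` after "allowing the selection of the card as a keyfile source." Typos in the same block: "Mastecard" should be "Mastercard", "as follow :" should be "as follows:", "librairies" should be "libraries", "It important to note" should be "It is important to note", and "can use directly as keyfiles data extracted from EMV compliant smart cards" reads better as "can directly use data extracted from EMV-compliant smart cards as keyfiles". Since the text states that no PIN is required to retrieve the certificates and CPLC data and that these values are static, the section should spell out the consequence for users: anyone who can read the card obtains the same keyfile, so the card is a possession factor only, unlike the PIN-protected PKCS#11 tokens described above, and because the certificates are unique to the card, losing it or receiving a replacement card has the same effect as losing a keyfile (see the WARNING earlier on this page). Pointing readers to the export option mentioned here as a way to keep a backup copy of the keyfile in a safe place would address both points.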