You do not have to use keyfiles. However, using keyfiles has some advantages:
Note: Keyfiles are currently not supported for system encryption.
WARNING: If you lose a keyfile or if any bit of its first 1024 kilobytes changes, it will be impossible to mount volumes that use the keyfile!
If you want to use keyfiles (i.e. "apply" them) when creating or mounting volumes, or changing passwords, look for the 'Use keyfiles' option and the
Keyfiles button below a password input field.
These control elements appear in various dialog windows and always have the same functions. Check the
Use keyfiles option and click
Keyfiles. The keyfile dialog window should appear where you can specify keyfiles (to do so, click
Add Files or Add Token Files) or keyfile search paths (click
Add Path).
VeraCrypt can directly use keyfiles stored on a security token or smart card that complies with the PKCS #11 (2.0 or later) standard [23] and that allows the user to store a file (data object) on the token/card. To use such files as VeraCrypt keyfiles,
click Add Token Files (in the keyfile dialog window).
Access to a keyfile stored on a security token or smart card is typically protected by PIN codes, which can be entered either using a hardware PIN pad or via the VeraCrypt GUI. It can also be protected by other means, such as fingerprint readers.
In order to allow VeraCrypt to access a security token or smart card, you need to install a PKCS #11 (2.0 or later) software library for the token or smart card first. Such a library may be supplied with the device or it may be available for download from the
website of the vendor or other third parties.
If your security token or smart card does not contain any file (data object) that you could use as a VeraCrypt keyfile, you can use VeraCrypt to import any file to the token or smart card (if it is supported by the device). To do so, follow these steps:
Note that you can import for example 512-bit keyfiles with random content generated by VeraCrypt (see
Tools > Keyfile Generator below).
Windows and Linux versions of VeraCrypt can use directly as keyfiles data extracted from EMV compliant smart cards, supporting Visa, Mastecard or Maestro applications. As with PKCS-11 compliant smart cards, to use such data as VeraCrypt keyfiles,
click
Add Token Files (in the keyfile dialog window). The last four digits of the card's Primary Account Number will be displayed, allowing the selection of the card as a keyfile source.
The data extracted and concatenated into a single keyfile are as follow : ICC Public Key Certificate, Issuer Public Key Certificate and Card Production Life
Cycle (CPLC) data. They are respectively identified by the tags '9F46', '90' and '9F7F' in the card's data management system. These two certificates are specific to an application deployed on the EMV card and used for the Dynamic Data Authentication of the card
during banking transactions. CPLC data are specific to the card and not to any of its applications. They contain information on the production process of the smart card. Therefore both certificates and data are unique and static on any EMV compliant smart card.
According to the ISO/IEC 7816 standard on which the EMV standard is based, communication with an EMV smart card is done through structured commands called APDUs, allowing to extract the data from the smart card. These data are encoded in the BER-TLV format,
defined by the ASN.1 standard, and therefore need to be parsed before being concatenated into a keyfile. No PIN is required to access and retrieve data from the card. To cope with the diversity of smart cards readers on the market, librairies compliant with the Microsoft Personal
Computer/Smart Card communication standard are used. The Winscard library is used. Natively available on Windows in System32, it then doesn't require any installation on this operating system. However, the libpcsclite1 package has to be installed on Linux.
Since the card is read-only, it is not possible to import or delete data. However, data used as keyfiles can be exported locally in any binary file. During the entire cryptographic process of mounting or creating a volume, the certificates and CPLC data are never stored anywhere
other than in the user's machine RAM. Once the process is complete, these RAM memory areas are rigorously erased.
It important to note that this feature is optional and disabled by default. It can be enabled in the Security Token Preferences parameters by checking the box provided.
Keyfile Search Path
By adding a folder in the keyfile dialog window (click
Add Path), you specify a keyfile search path. All files found in the keyfile search path* will be used as keyfiles except files that have the Hidden file attribute set.
Important: Note that folders (and files they contain) and hidden files found in a keyfile search path are ignored.
Keyfile search paths are especially useful if you, for example, store keyfiles on a USB memory stick that you carry with you. You can set the drive letter of the USB memory stick as a default keyfile search path. To do so, select
Settings -> Default Keyfiles. Then click
Add Path, browse to the drive letter assigned to the USB memory stick, and click
OK. Now each time you mount a volume (and if the option
Use keyfiles is checked in the password dialog window), VeraCrypt will scan the path and use all files that it finds on the USB memory stick as keyfiles.
WARNING: When you add a folder (as opposed to a file) to the list of keyfiles, only the path is remembered, not the filenames! This means e.g. that if you create a new file in the folder or if you
copy an additional file to the folder, then all volumes that used keyfiles from the folder will be impossible to mount (until you remove the newly added file from the folder).
Empty Password & Keyfile
When a keyfile is used, the password may be empty, so the keyfile may become the only item necessary to mount the volume (which we do not recommend). If default keyfiles are set and enabled when mounting a volume, then before prompting for a password, VeraCrypt
first automatically attempts to mount using an empty password plus default keyfiles (however, this does not apply to the 'Auto-Mount Devices' function). If you need to set Mount Options (e.g., mount as read-only, protect hidden
volume etc.) for a volume being mounted this way, hold down the
Control (Ctrl) key while clicking
Mount (or select Mount with Options from the
Volumes menu). This will open the
Mount Options dialog.
Quick Selection
Keyfiles and keyfile search paths can be quickly selected in the following ways:
-
Right-click the Keyfiles button in the password entry dialog window and select one of the menu items.
-
Drag the corresponding file/folder icons to the keyfile dialog window or to the password entry dialog.
Volumes -> Add/Remove Keyfiles to/from Volume
This function allows you to re-encrypt a volume header with a header encryption key derived from any number of keyfiles (with or without a password), or no keyfiles at all. Thus, a volume which is possible to mount using only a password can be converted to
a volume that require keyfiles (in addition to the password) in order to be possible to mount. Note that the volume header contains the master encryption key with which the volume is encrypted. Therefore, the data stored on the volume will
not be lost after you use this function.
This function can also be used to change/set volume keyfiles (i.e., to remove some or all keyfiles, and to apply new ones).
Remark: This function is internally equal to the Password Change function.
When VeraCrypt re-encrypts a volume header, the original volume header is first overwritten 256 times with random data to prevent adversaries from using techniques such as magnetic force microscopy or magnetic force scanning tunneling microscopy [17] to recover
the overwritten header (however, see also the chapter
Security Requirements and Precautions).
Volumes -> Remove All Keyfiles from Volume
This function allows you to re-encrypt a volume header with a header encryption key derived from a password and no keyfiles (so that it can be mounted using only a password, without any keyfiles). Note that the volume header contains the master encryption key
with which the volume is encrypted. Therefore, the data stored on the volume will
not be lost after you use this function.
Remark: This function is internally equal to the Password Change function.
When VeraCrypt re-encrypts a volume header, the original volume header is first overwritten 256 times with random data to prevent adversaries from using techniques such as magnetic force microscopy or magnetic force scanning tunneling microscopy [17] to recover
the overwritten header (however, see also the chapter
Security Requirements and Precautions).
Tools > Keyfile Generator
You can use this function to generate a file or more with random content, which you can use as a keyfile(s) (recommended). This function uses the VeraCrypt Random Number Generator. Note that, by default, only one key file is generated and the resulting file
size is 64 bytes (i.e., 512 bits), which is also the maximum possible VeraCrypt password length. It is also possible to generate multiple files and specify their size (either a fixed value for all of them or let VeraCrypt choose file sizes randomly). In all
cases, the file size must be comprised between 64 bytes and 1048576 bytes (which is equal to 1MB, the maximum number of a key file bytes processed by VeraCrypt).
Settings -> Default Keyfiles
Use this function to set default keyfiles and/or default keyfile search paths. This function is particularly useful if you, for example, store keyfiles on a USB memory stick that you carry with you. You can add its drive letter to the default keyfile configuration.
To do so, click
Add Path, browse to the drive letter assigned to the USB memory stick, and click
OK. Now each time you mount a volume (and if
Use keyfiles is checked in the password dialog), VeraCrypt will scan the path and use all files that it finds there as keyfiles.
WARNING: When you add a folder (as opposed to a file) to your default keyfile list, only the path is remembered, not the filenames! This means e.g. that if you create a new file in the folder or if
you copy an additional file to the folder, then all volumes that used keyfiles from the folder will be impossible to mount (until you remove the newly added file from the folder).
IMPORTANT: Note that when you set default keyfiles and/or default keyfile search paths, the filenames and paths are saved unencrypted in the file
Default Keyfiles.xml
. For more information, please see the chapter
VeraCrypt System Files & Application Data.
* Found at the time when you are mounting the volume, changing its password, or performing any other operation that involves re-encryption of the volume header.
** However, if you use an MP3 file as a keyfile, you must ensure that no program modifies the ID3 tags within the MP3 file (e.g. song title, name of artist, etc.). Otherwise, it will be impossible to mount volumes that use the keyfile.