2

In the past I used a SmartCard to store a randomly generated keyfile, which was used by TrueCrypt to open its volume. TrueCrypt used PKCS#11 to read the SmartCard and access the keyfile.

Now I'd like to do something similar, with EncFS. I wanted to store its xml config in a SmartCard. EncFS xml config has 1KB, so it fits, I can even store a few different config files in one SmartCard.

But EncFS doesn't support PKCS#11, as long as I was able to search for it. So, my idea would be to use the SmartCard as a very small and secure storage pendrive. Its readonly content would be mounted as a normal Windows drive letter, and EncFS would read its files.

Any idea how to achieve that?

vlp
  • 7,811
  • 2
  • 23
  • 51
Hikari
  • 3,797
  • 12
  • 47
  • 77

1 Answers1

1

This is a very interesting task. PKCS#11 devices usually are capable of holding generic BLOBs, although the size of those blobs is severely limited (usually a few hundred bytes). BLOBs have short text labels, so you can treat them as files.

I know that this task can be accomplished fully user mode with our products (SecureBlackbox for PKCS#11 access and Callback File System to create a virtual drive) and maybe you will alternative options as well. I don't think you'd be able to access PKCS#11 from the pure kernel-mode driver because most PKCS#11 "drivers" are user-mode DLLs.

The only problem with this approach is that common PKCS#11 devices (smartcards, USB tokens) are very slow AND also they require that you login before providing any information.

Another possible problem is when exactly this file is needed to EncFS. If it's to be read after you login, that's ok. But if the file is to be read during system boot, then the task would become much more complicated (if possible at all -- that depends on what exactly stage of system booting the file is read by EncFS).

Eugene Mayevski 'Callback
  • 45,135
  • 8
  • 71
  • 121
  • I won't open EncFS automatically, there's no use have encrypted data opened all time. The process would be I attach the SmartCard, then an app access it over PKCS#11, SmartCard's driver/manager ask for PIN, and the app read its files. The tricky part is that this app would need to list the SmartCard contents, their labels, and mount a readonly virtual drive that would allow listing and reading these files as a standard file system. – Hikari Jan 20 '16 at 13:53
  • Once the drive is mounted, EncFSMP would read the config file, ask for its password, and mount the EncFS drive. Then the SmartCard drive would be unmounted and the keyfile would again be secure. – Hikari Jan 20 '16 at 13:56
  • EncFSMP doesn't allow setting the config file during mount. It must be set when the volume is discovered and the file must be available on the same place every time the volume is mounted. People recommend saving the config file on a USB drive, so I believe EncFSMP allows the file to vanish once the volume is mounted. – Hikari Jan 20 '16 at 13:58