Linux – Encrypt/Decrypt filesystem container file with smartcard on linux

debian, dm-crypt, linux, luks, smartcard

I want to encrypt and decrypt a file system container file with luks and a smartcard on debian linux.

The smartcard is a Nitrokey Start which is basically a compact smartcard in a usb reader.

I know how to create and mount a container file with dd, cryptsetup and a key file. But I can't figure out how to use a smart card instead of a key file.

I read somewhere that this is not possible because you can't read the key from the smartcard.

So did I understand this right, I have to:

  • create a container
  • generate a key file
  • use cryptsetup and the key file to encrypt the container
  • use the smartcard to encrypt the key file
  • delete the unencrypted key file

And every time I want to decrypt and mount the container I have to:

  • decrypt the key file with the smartcard
  • decrypt the container with the decrypted key file
  • delete the unencrypted key file

Is this correct?
Are there any better ways to achieve HDD (or file system container) encryption with a smartcard?

Note: I'm not bound to cryptsetup and luks, so if there are any better tools out there to achieve my goal, please tell me.

Best Answer

Looks like you can load external keys on to the Nitrokey with a GPG command called "keytocard".

  1. generate key file
  2. copy key file to Nitrokey (keytocard)
  3. secure erase key file from HDD
  4. use the key file on the Nitrokey to encrypt/decrypt as normal

There are many options for encrypted containers with VeraCrypt being the easiest to use.

Here is the official documentation for Nitrokey: https://www.nitrokey.com/documentation/applications#p:nitrokey-start&os:linux&a:hard-disk-encryption

If you already have a container that is encrypted with a key, just copy that one, test it and if it works from the Nitrokey just secure erase the copy on the HDD. Now the only copy left is on the key.

(You might want a backup)
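The workflow the question describes, as an added shell example that is not from the answer or the Nitrokey documentation: the LUKS key file is generated in tmpfs, encrypted with GnuPG to the OpenPGP encryption key held on the card, and at mount time gpg's output is piped straight into cryptsetup so the decrypted key never touches the disk. KEYID, the paths, the container size and the `vault` names are assumed placeholders.

```shell
#!/bin/sh
# Added example: LUKS container whose key file is stored only in a
# GnuPG-encrypted form that the smartcard can decrypt.
# Assumed values: KEYID (encryption subkey on the card), paths, names, sizes.
set -eu

KEYID="${KEYID:-0xPLACEHOLDER}"            # placeholder: key ID on the card
CONTAINER="${CONTAINER:-$HOME/vault.img}"
KEYFILE_GPG="${KEYFILE_GPG:-$HOME/vault.key.gpg}"
MAPPER="${MAPPER:-vault}"
SIZE_MB="${SIZE_MB:-512}"

# Write BYTES bytes of random key material to PATH with mode 0600.
make_keyfile() {
    path="$1"; bytes="$2"
    ( umask 077; head -c "$bytes" /dev/urandom > "$path" )
    [ "$(wc -c < "$path")" -eq "$bytes" ]
}

# One-time setup: plaintext key lives only in /dev/shm (RAM-backed tmpfs),
# so nothing unencrypted is ever written to the HDD.
create_container() {
    tmpkey="$(mktemp -p /dev/shm)"
    make_keyfile "$tmpkey" 4096
    dd if=/dev/zero of="$CONTAINER" bs=1M count="$SIZE_MB" status=none
    cryptsetup --batch-mode luksFormat --key-file "$tmpkey" "$CONTAINER"
    gpg --encrypt --recipient "$KEYID" --output "$KEYFILE_GPG" "$tmpkey"
    cryptsetup open --key-file "$tmpkey" "$CONTAINER" "$MAPPER"
    mkfs.ext4 -q "/dev/mapper/$MAPPER"
    cryptsetup close "$MAPPER"
    shred -u "$tmpkey"                       # belt and braces on a tmpfs file
}

# Mount: the card decrypts (PIN prompt via pinentry); the key is handed to
# cryptsetup on stdin (--key-file -) and never becomes a file.
open_container() {
    gpg --quiet --decrypt "$KEYFILE_GPG" \
        | cryptsetup open --key-file - "$CONTAINER" "$MAPPER"
    mkdir -p "/mnt/$MAPPER"
    mount "/dev/mapper/$MAPPER" "/mnt/$MAPPER"
}

close_container() {
    umount "/mnt/$MAPPER"
    cryptsetup close "$MAPPER"
}

case "${1:-}" in
    create) create_container ;;
    open)   open_container ;;
    close)  close_container ;;
esac
```

Run as root: `./vault.sh create` once, then `open` and `close` per session. On an SSD `shred` cannot guarantee erasure, which is why the plaintext key is kept in /dev/shm rather than on the disk and deleted afterwards.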
