Security Token/Smartcard Support

This section applies to the PC version of FreeOTFE only

FreeOTFE supports all security tokens/smartcards (referred to as "tokens" in this documentation) which conform to the PKCS#11 (aka Cryptoki) standard, providing two factor authentication of FreeOTFE volumes.

There are two ways in which tokens can be used:

1. As a secure keyfile store
2. To add an additional level of encryption to keyfiles/volumes

In both cases case, the token's password (typically called a "PIN" - although not limited to numbers) is required in order for the token to be used.

These two methods can be used independently, or combined together.

• Initial configuration
• Secure Keyfile Store
• Token Encryption
• PIN Entry

In order to use tokens, FreeOTFE must first be configured to use the appropriate PKCS#11 library:

1. Go to "View | Options..."
2. Select the "PKCS#11" tab
3. Check the "Enable PKCS#11 support" checkbox
4. The filename of the PKCS#11 library you wish to use (see table below). Note: In most cases you shouldn't need to enter the full path to the DLL, just its filename.
5. Click "Verify" to run a quick sanity check to ensure that the library looks viable
6. Set "Save above settings to" be (for example) "FreeOTFE executable dir"
7. Click "OK"

Options dialog; PKCS#11 tab

The menuitem under the "Tools" menu should then be enabled, as should the options (when appropriate) on the password entry dialog when mounting FreeOTFE volumes

A list of driver library names supplied by common manufacturers may be found at Appendix E: PKCS#11 Driver Libraries

Keyfiles may be stored on tokens in a similar fashion to which they can be stored on (for example) a USB flash drive. However, unlike storing a keyfile on a USB flash drive, those stored on a token require the token's PIN to be entered before they can be accessed.

Usage

To add a keyfile to your token:

1. Create a keyfile for your volume as per normal
2. Plug in/insert your token
3. Go to "Tools | PKCS#11 Token management..."
4. Enter your token's PIN and click "OK"
5. The token management dialog should be displayed; select the "Keyfiles" tab
6. Click "Import..."
7. Select the keyfile previously created and click "OK".

To use a keyfile stored on a token:

1. Follow the normal procedure for mounting your FreeOTFE volume
2. When shown the password prompt, select "PKCS#11" as the keyfile option; you will then be prompted to authenticate yourself to the token
3. Enter your token's PIN and click "OK"
4. Select the keyfile stored on your token, and proceed as normal by entering your keyfile's password, etc and clicking "OK" to mount

PKCS#11 tokens can also be used to add a further level of encryption to volumes, by using the token to encrypt the volume's CDB and/or keyfile(s).

The keys ("secret keys") used for this encryption are automatically generated by a token and can never be duplicated, extracted or in any way copied from the token, even if the token's PIN is known. All encryption/decryption operations used to secure a keyfile/volume CDB are carried out by the token itself.

This mechanism therefore provides a means of "tying" a volume/keyfile to a physical token; preventing it from being mounted unless the token is present and its PIN is known.

It should be noted however, that since it is inherent that no backups of the secret keys stored on a token can be made, the loss of the token will result in the loss of all data stored on the volume it protects, unless a separate means of accessing the volume (e.g. a keyfile which isn't secured by the same PKCS#11 token) is available.

Usage

To encrypt a volume's CDB/keyfile:

1. Plug in/insert your token
2. Go to "Tools | PKCS#11 Token management..."
3. Enter your token's PIN and click "OK"
4. The token management dialog should be displayed; select the "Secret keys" tab
5. Click "New..."
6. Enter a meaningful name of the token, and select the cypher to be used for the encryption
   It should be noted that the range of cyphers available for use is determined by the capabilities of your token, and not FreeOTFE
7. Click "OK" and the new key will be created
8. Select the secret key to be used to encrypt your volume CDB/keyfile.
9. Click "Secure..."
10. In the dialog shown, specify the volume/keyfile to be encrypted. If you are trying to secure a hidden volume, enter the host volume's filename/partition.
11. Leave the "offset" field set to zero, unless you are trying to secure a hidden volume - in which case this should be set to the offset where the hidden volume may be found.
12. Click "OK".

• More than one secret key can be stored on a single token; however they must all have different names.
• The same secret key can be used to encrypt more than one volume CDB/keyfile.

To use a volume/keyfile which has been double-encrypted by a token:

1. Follow the normal procedure for mounting your FreeOTFE volume
2. When shown the password prompt, click the "Advanced >>" button to display the "Advanced security details" options
3. Enter your token's PIN and click "OK"
4. Select the secret key used to secure your volume/keyfile, and proceed as normal by entering your volume/keyfile's password, etc and clicking "OK" to mount

FreeOTFE will only prompt you to enter your token's PIN as and when it's needed. FreeOTFE does not cache your PIN in any way

PKCS#11 PIN entry

The PIN entry prompt will display a list of all tokens found on your system, showing the slot number the token is inserted in, and the token's label. If you have not yet inserted your token, do so and click "Refresh" to refresh the list.

If only one token is found, it will be selected automatically, and the token selection control will be disabled. Otherwise, select the token you wish to use, enter your PIN, and click "OK" to continue.

Secure authentication path

If your token hardware features a secure authentication path (e.g. a smartcard reader with PIN entry keypad), you can take advantage of it by selecting the "Use secure authentication path" checkbox when FreeOTFE prompts for the token's PIN.