Hardware Token Encryption

TL;DR

This guide shows you how to use asymmetric crypto (like RSA) with a hardware token for secure encryption. We’ll cover generating keys, encrypting data, and decrypting it using the token.

1. Understand Asymmetric Crypto & Hardware Tokens

Asymmetric cryptography uses two keys: a public key for encryption and a private key for decryption. The private key must be kept secret. Hardware tokens (like YubiKeys or smartcards) are physical devices designed to securely store your private key, making it much harder for attackers to steal.

2. Choose Your Software & Token

Several options exist. Here’s a common setup:

• OpenSSL: A powerful command-line tool for crypto operations.
• GnuPG (GPG): Another popular option, often used with smartcards.
• Hardware Token: YubiKey is a widely supported choice. Ensure it supports the algorithms you need (RSA, ECC).

This guide focuses on OpenSSL as an example.

3. Generate Key Pair

You’ll generate a key pair where the private key is stored on your hardware token and the public key remains with you for sharing.

1. Connect Token: Plug in your YubiKey (or insert smartcard).
2. Use OpenSSL to Generate Key: The exact command depends on your token. For a YubiKey, you might use something like this (replace slot_number with the correct slot):

openssl genrsa -out private.pem 2048

This creates a standard RSA private key file.

4. Import Private Key to Token

Importing the key is token-specific. YubiKey Manager can be used for this, or you can use OpenSSL with PKCS#11 (the standard interface for hardware tokens).

1. Find your PKCS#11 library: This file tells OpenSSL how to talk to your token. It’s usually located in the YubiKey software directory (e.g., /usr/lib/pkcs11).
2. Import using OpenSSL:

openssl pkcs11 -module /usr/lib/pkcs11 -key private.pem -import -name my_token_key -label 'My Token Key'

Replace /usr/lib/pkcs11 with the correct path to your PKCS#11 library.

5. Encrypt Data

Now you can encrypt data using the public key.

1. Get Recipient’s Public Key: Obtain the public key of the person or system you want to send encrypted data to.
2. Encrypt with OpenSSL:

openssl rsautl -encrypt -inkey recipient_public.pem -pubin -in plaintext.txt -out ciphertext.enc

Replace recipient_public.pem with the actual public key file and plaintext.txt with your data.

6. Decrypt Data (Using Hardware Token)

The recipient decrypts using their private key stored on the hardware token.

1. Connect Token: Plug in the YubiKey containing the private key.
2. Decrypt with OpenSSL:

openssl rsautl -decrypt -inkey my_token_key -pkcs11module /usr/lib/pkcs11 -in ciphertext.enc -out decrypted.txt

Replace my_token_key with the name you gave the key when importing it, and /usr/lib/pkcs11 with your PKCS#11 library path.

7. Important Considerations

• Key Length: Use at least 2048-bit RSA keys for good security.
• Algorithm Choice: ECC (Elliptic Curve Cryptography) is often preferred over RSA due to its better performance and smaller key sizes, but ensure your token supports it.
• PKCS#11 Configuration: The PKCS#11 configuration can be complex. Refer to your token’s documentation for specific instructions.
• Backup: While the hardware token protects the private key, consider a secure backup strategy for other important data and configurations.