TL;DR
This guide shows how to securely use TrueCrypt (or VeraCrypt) with a YubiKey for stronger password protection and two-factor authentication. It covers setup, usage, recovery options, and important security considerations.
Setting up TrueCrypt/VeraCrypt with YubiKey
- Install Required Software: Ensure you have the latest version of VeraCrypt (recommended over TrueCrypt due to ongoing maintenance) installed. Also, install the YubiKey Personalization Tool and the appropriate drivers for your operating system from Yubico’s website.
- Configure VeraCrypt: Open VeraCrypt and create a new volume (or use an existing one). During the volume creation process, choose “Normal” encryption.
- Password Options: When prompted for passwords, select the option to use keyfiles *in addition* to your password. This is where the YubiKey comes in.
- Add YubiKey as Keyfile: Click “Add Keyfiles…” and browse to your YubiKey device. VeraCrypt will detect it as a removable storage device. Select the slot you want to use (Slot 1 is common). You’ll need to insert your YubiKey when prompted.
- Multiple Keyfiles: It’s highly recommended to add *multiple* keyfiles, including at least one on your YubiKey, alongside a strong password. This provides redundancy in case of loss or failure of any single factor. Consider adding another USB drive as a keyfile too.
Using Your Volume
- Mounting the Volume: When mounting your volume, VeraCrypt will first ask for your password. Then, it will prompt you to insert your YubiKey (if required by your configuration). The YubiKey must be present during the entire mount process.
- YubiKey Tap: Depending on how you configured your YubiKey, you may need to tap it when prompted to authorize access.
Recovery Options
- Backup Keyfiles: Crucially, create secure backups of all keyfiles (including any files on USB drives). Store these backups in separate, physically secure locations. Losing all keyfiles means permanent data loss.
- Password Recovery: If you forget your password but have access to your YubiKey and other keyfiles, you can still mount the volume.
- YubiKey Loss/Failure: If you lose or damage your YubiKey, you *must* use one of your other factors (your password or a keyfile on another USB drive) to mount the volume. This is why backups are so important.
Security Considerations
- PIN Protection: Set a strong PIN on your YubiKey using the YubiKey Personalization Tool. This adds an extra layer of security if your YubiKey is lost or stolen.
- Slot Management: Be mindful of which slots you use on your YubiKey. Avoid reusing slots for different purposes.
- Keyfile Security: Protect your keyfiles as carefully as you protect your password. Do not store them in easily accessible locations.
- Malware Protection: Ensure your system is free of malware, as it could potentially steal your password or keyfiles. Use a reputable antivirus program and keep it updated.
- VeraCrypt Updates: Regularly update VeraCrypt to benefit from the latest security patches and improvements.
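The Backup Keyfiles and Keyfile Security points above can be checked mechanically: a backup is only useful if it is bit-identical to the keyfile in use, and no copy should be accessible to other local accounts. The Python script below is an added example, not part of the original guide or of VeraCrypt; the function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream the file through SHA-256 so it is never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_keyfile_backups(primary, backups):
    """Return {path: [findings]}; an empty list means the copy passed."""
    primary = Path(primary)
    if not primary.is_file():
        raise FileNotFoundError(f"primary keyfile not found: {primary}")
    reference = sha256_of(primary)
    report = {}
    for copy in [primary, *map(Path, backups)]:
        findings = []
        if not copy.is_file():
            findings.append("missing")
        else:
            if sha256_of(copy) != reference:
                findings.append("content differs from primary")
            # POSIX only: any group/other permission bit exposes the keyfile
            # to other local accounts.
            if os.name == "posix" and stat.S_IMODE(copy.stat().st_mode) & 0o077:
                findings.append("accessible to other users")
        report[str(copy)] = findings
    return report


if __name__ == "__main__":
    # Constructed sample data: throwaway files standing in for real keyfiles.
    with tempfile.TemporaryDirectory() as tmp:
        primary, good, bad = (Path(tmp, n) for n in ("primary.key", "usb.key", "damaged.key"))
        primary.write_bytes(bytes(range(64)))
        good.write_bytes(bytes(range(64)))
        bad.write_bytes(bytes(range(63)) + b"\xff")  # one byte differs
        for p, mode in ((primary, 0o600), (good, 0o600), (bad, 0o644)):
            os.chmod(p, mode)
        for path, findings in audit_keyfile_backups(primary, [good, bad, Path(tmp, "lost.key")]).items():
            print(path, "OK" if not findings else "; ".join(findings))
```

Run it after creating or moving backups; any copy with a finding should be re-created from the primary or have its permissions tightened.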
Advanced Configuration (Optional)
- Hidden Volumes: Consider using hidden volumes within your VeraCrypt container for deniable encryption. This adds an extra layer of protection against coercion.
- Two-Factor Authentication with HOTP/TOTP: While more complex, you can configure VeraCrypt to use a YubiKey for Time-based One-Time Password (TOTP) authentication in addition to keyfiles. Refer to the VeraCrypt documentation for detailed instructions.

