TrueCrypt does not use the smartcard's embedded crypto engine to generate a key.
You need to generate the key on the computer and then transfer it to the smartcard / security token.
Generate TrueCrypt key on computer
In the Tools menu, select Keyfile Generator:

Generate an SHA-512 key:

Save the key to the hard disk of your computer.
You may use any file name and extension, for example key.txt.
Transfer TrueCrypt key to security token
In the Tools menu, select Manage Security Keyfiles:

Enter the PIN code of your smartcard:

Click the Import Keyfile to Token button:

Select the keyfile (key.txt in our case) and click OK.
Then choose a file name on the smartcard:

After the transfer, TrueCrypt is able to access the file on the smartcard:

Click the Validate button to finish the process.
Backup your keyfile
If the smartcard is damaged or lost, you will lose your keyfile.
Therefore, you should back up your keyfile on a CD or DVD and keep it in a safe place.
After backup, you may consider erasing your keyfile from disc, as you no longer need it.
But you should always keep a backup.
Location of keyfile on smartcard
To understand how TrueCrypt handles keyfiles, let us dump the content of the smartcard:

PKCS#15 Card [GOOZE]:
	Version        : 0
	Serial number  : 0834493916261110
	Manufacturer ID: EnterSafe
	Last update    : 20110116141618Z
	Flags          : EID compliant

PIN [User PIN]
	Object Flags   : [0x3], private, modifiable
	ID             : 01
	Flags          : [0x32], local, initialized, needs-padding
	Length         : min_len:4, max_len:16, stored_len:16
	Pad char       : 0x00
	Reference      : 1
	Type           : ascii-numeric
	Path           : 3f005015

Reading data object <0>
applicationName: key
Label:          key
applicationOID: NONE
Path:           3f0050153400
Auth ID:        01
The keyfile is saved as a data object on the smartcard (note the Auth ID of 01, which refers to the User PIN above). This means it is only protected by the PIN code and can be exported by anyone who knows the PIN. Therefore, you should always choose a long PIN and PUK code.
For security reasons, a data object cannot be erased or replaced on the smartcard. This ensures that an attacker cannot replace or remove information on your smartcard.
The only way to remove a data object is to erase the whole card.
You should also know that a data object is usually limited to 32K per file.
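As an added check that is not part of the original page, the following Python script parses a dump of this kind and reports, for each data object, whether a PIN guards it and whether the card's PIN policy would accept a PIN shorter than a chosen minimum. The sample dump is constructed and abridged from the one above (same values), and the min_pin_len threshold of 6 is an assumption.

```python
import re

# Constructed sample: an abridged dump with the same values as the page's listing.
SAMPLE_DUMP = """PKCS#15 Card [GOOZE]:
PIN [User PIN]
    ID             : 01
    Length         : min_len:4, max_len:16, stored_len:16
Reading data object <0>
Label:          key
Path:           3f0050153400
Auth ID:        01
"""

# Lines that open a new section in the dump.
HEADERS = ("PKCS#15 Card", "PIN [", "Reading data object")


def parse_dump(text):
    """Split the dump into (header, {field: value}) sections."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(HEADERS):
            sections.append((line, {}))
        elif sections and ":" in line:
            key, _, val = line.partition(":")
            sections[-1][1][key.strip()] = val.strip()
    return sections


def audit_data_objects(text, min_pin_len=6):
    """For each data object, report whether a PIN guards it and whether the
    card's PIN policy would accept a PIN shorter than min_pin_len (assumed)."""
    sections = parse_dump(text)
    pin_min = {}  # PIN object ID -> minimum PIN length the card enforces
    for header, fields in sections:
        if header.startswith("PIN ["):
            m = re.search(r"min_len:(\d+)", fields.get("Length", ""))
            pin_min[fields.get("ID")] = int(m.group(1)) if m else 0
    findings = []
    for header, fields in sections:
        if header.startswith("Reading data object"):
            auth = fields.get("Auth ID")  # links the object to a PIN, as on the page
            findings.append({
                "label": fields.get("Label"),
                "path": fields.get("Path"),
                "pin_protected": auth in pin_min,
                # The PIN is the only guard, so a short minimum length is worth flagging.
                "weak_pin_policy": auth in pin_min and pin_min[auth] < min_pin_len,
            })
    return findings
```

Running audit_data_objects(SAMPLE_DUMP) reports the keyfile object as PIN-protected but flags the policy, since the card accepts PINs as short as 4 characters.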