Starting with version 5 of the BestCrypt Volume Encryption software it is possible to use any smart card or crypto token (Integrated Circuit Card or ICC) that satisfies the following requirements:

  • Supported by the OpenSC open-source project at the level of the PKCS#15 standard
  • The following requirements must be met by the smart card reader to support bootable disk volumes (the smart card reader specification should contain this information):
    • PC/SC v2 part 10 compatible
    • USB device supporting the CCID (Chip Card Interface Device) protocol
    • card protocol T=1
    • no multi-slot or composite CCID devices, and no PIN-pad support
  • Token devices supported by earlier versions of BestCrypt Volume Encryption (SafeNet eToken Java 72k PRO, Yubico Yubikey v. 3, 4 or 5)

BestCrypt Volume Encryption can also use some ICC devices for non-bootable volumes when the device is not PKCS#15 compatible but supports the PKCS#11 standard (the standard defines a platform-independent API to cryptographic tokens).

The ICC device must be PKCS#15 compatible, however, when the user is going to encrypt a bootable disk volume, because the pre-boot UEFI environment supports only PKCS#15 compatible devices.

Smart cards and tokens that have been tested so far

  Vendor      Device                 Supported at boot time
  Aktiv Co    Rutoken S              No
  Aktiv Co    Lite                   Yes
  Aktiv Co    Rutoken ECP 2          Yes
  Aventra     MyEID 4.5 PKI          Yes
  Aventra     MyEID 4 PKI            Yes
  Feitian     ePass 2003             Yes
  Feitian     ePass PKI              Yes
  SafeNet     eToken Java 72k PRO    Yes
  SafeNet     eToken 64k             No
  SafeNet     eToken R1 and R2       No
  Yubico      Yubikey 3.0-3.5        Yes
  Yubico      Yubikey 4.0-4.4        Yes
  Yubico      Yubikey 5.x            Yes

The following smart card readers were tested

  Vendor               Reader          Supported at boot time
  ACS                  ACR39U-U1       Yes
  Gemalto              IDBridge CT30   Yes
  HID Global devices   OMNIKEY 3021    Yes
  Aladdin R.D.         JCR721          Yes


Initializing ICC devices with third-party software


When the user moves the encryption key of an encrypted disk volume to an ICC device, the password or PIN of the device must be entered to mount the volume. To initialize the device or change its password, in some cases the user must use the tools provided by the device vendor, or the OpenSC software.

The following example illustrates how to run OpenSC to initialize the Rutoken ECP 2 device.

  • Download OpenSC and install it
  • Format the token by running pkcs15-init with the following command-line parameters:
    pkcs15-init --erase-card -p rutoken_ecp
  • Set the administrator PIN:
    pkcs15-init --create-pkcs15 --so-pin "<administrator_PIN>" --so-puk "<administrator_PUK>"
  • Set the user PIN:
    pkcs15-init --store-pin --label "User PIN" --auth-id 02 --pin "<user_PIN>" --puk "<user_PUK>" --so-pin "<administrator_PIN>" --finalize

The following example demonstrates initialization of the Feitian ePass2003 ICC.

  • Erase card:
    pkcs15-init -E -T
  • Initialize card:
    pkcs15-init -C -p pkcs15+onepin --pin <user_PIN> --puk <user_PUK>

Example of initializing the Aventra MyEID 4.5 PKI card:

  • Erase card:
    pkcs15-init -E
  • Initialize card:
    pkcs15-init -C --so-pin <administrator_PIN> --so-puk <administrator_PUK> --pin 1234 --puk 1234
  • Set user PIN:
    pkcs15-init -P -a 1 -l "User PIN label" --pin <user_PIN> --puk <user_PUK>
  • Finalize:
    pkcs15-init -F

Read more about Aventra card management on the Aventra MyEID PKI card Web page.

More detailed information about managing Yubikey devices is available in the Technical Details about Managing Keys on Yubikeys article.

Software provided by the ICC device vendor


The vendor of the ICC device may provide a software library implementing the PKCS#11 standard for the device. Such a library usually comes as a Dynamic Link Library (DLL) file, for example pkcs11_library_for_xxx_card.dll.

To make BestCrypt Volume Encryption support such a device, copy the library file to the folder where BestCrypt Volume Encryption is installed (such as C:\Program Files (x86)\Jetico\BestCrypt Volume Encryption) and rename it to opensc.dll.

Alternatively, change the Pkcs11DllPath string value in the Registry key HKLM\Software\Jetico\BestCrypt Volume Encryption so that it contains the path to the pkcs11_library_for_xxx_card.dll file.
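One way to apply the registry approach with the checks an administrator would want before trusting a vendor DLL, as an added PowerShell example (not Jetico's own tooling): the library is loaded into the process that handles volume encryption keys, so the script verifies its Authenticode signature and that its folder is not writable by standard users before writing Pkcs11DllPath. The DLL path and the function names are assumptions.

```powershell
# Added example (not Jetico's code). Assumes an elevated PowerShell session;
# $Pkcs11Dll is a placeholder for the real vendor library path.
$Pkcs11Dll = 'C:\Program Files\VendorName\pkcs11_library_for_xxx_card.dll'  # placeholder
$RegKey    = 'HKLM:\Software\Jetico\BestCrypt Volume Encryption'

function Test-Pkcs11Library {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "PKCS#11 library not found: $Path"
    }
    # Refuse a library whose Authenticode signature does not verify.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for $Path ($($sig.Status))"
    }
    # The containing folder must not be writable by standard users, otherwise the
    # DLL could be replaced later (the same concern applies to the opensc.dll rename).
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
    $broad     = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    $acl = Get-Acl -LiteralPath (Split-Path -Parent $Path)
    foreach ($ace in $acl.Access) {
        $isBroad  = $ace.IdentityReference.Value -in $broad
        $canWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $canWrite) {
            throw "Folder of $Path is writable by $($ace.IdentityReference)"
        }
    }
    return $sig.SignerCertificate.Subject
}

function Set-BcvePkcs11Path {
    param([Parameter(Mandatory)][string]$Path)
    $signer = Test-Pkcs11Library -Path $Path
    if (-not (Test-Path -LiteralPath $RegKey)) {
        New-Item -Path $RegKey -Force | Out-Null
    }
    # Pkcs11DllPath is a string (REG_SZ) value, as the help text describes.
    Set-ItemProperty -LiteralPath $RegKey -Name 'Pkcs11DllPath' -Value $Path -Type String
    # Read the value back so a silent failure (e.g. access denied) is noticed.
    $stored = (Get-ItemProperty -LiteralPath $RegKey -Name 'Pkcs11DllPath').Pkcs11DllPath
    if ($stored -ne $Path) { throw 'Pkcs11DllPath was not written' }
    Write-Host "Pkcs11DllPath set to $stored (signed by: $signer)"
}

Set-BcvePkcs11Path -Path $Pkcs11Dll
```

BestCrypt Volume Encryption reads the value when it next loads the PKCS#11 library, so re-run the check whenever the vendor ships an updated DLL.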


See also:

Main window

Encryption Keys on Hardware Token

Managing Keys on Hardware Token

Technical Details about Managing Keys on Yubikeys