PKCS#11 as storage for keyfiles

Question

In the past I used a SmartCard to store a randomly generated keyfile, which was used by TrueCrypt to open its volume. TrueCrypt used PKCS#11 to read the SmartCard and access the keyfile.

Now I'd like to do something similar, with EncFS. I wanted to store its xml config in a SmartCard. EncFS xml config has 1KB, so it fits, I can even store a few different config files in one SmartCard.

But EncFS doesn't support PKCS#11, as long as I was able to search for it. So, my idea would be to use the SmartCard as a very small and secure storage pendrive. Its readonly content would be mounted as a normal Windows drive letter, and EncFS would read its files.

Any idea how to achieve that?

Answer 1

This is a very interesting task. PKCS#11 devices usually are capable of holding generic BLOBs, although the size of those blobs is severely limited (usually a few hundred bytes). BLOBs have short text labels, so you can treat them as files.

I know that this task can be accomplished fully user mode with our products (SecureBlackbox for PKCS#11 access and Callback File System to create a virtual drive) and maybe you will alternative options as well. I don't think you'd be able to access PKCS#11 from the pure kernel-mode driver because most PKCS#11 "drivers" are user-mode DLLs.

The only problem with this approach is that common PKCS#11 devices (smartcards, USB tokens) are very slow AND also they require that you login before providing any information.

Another possible problem is when exactly this file is needed to EncFS. If it's to be read after you login, that's ok. But if the file is to be read during system boot, then the task would become much more complicated (if possible at all -- that depends on what exactly stage of system booting the file is read by EncFS).