Help need to use truecryt + openpgp applet.

Matthias-Christian Ott ott at
Thu Feb 19 21:16:43 CET 2015

On 2015-02-19 19:50, Thomas Harning Jr. wrote:
> On Thu Feb 19 2015 at 12:23:34 PM Matthias-Christian Ott <ott at>
> wrote:
>> On 2015-02-19 09:23, Ranjini H.K wrote:
>>> Yes my java card supports PKCS#11. Am not so sure about OpenPGP applet.
>>> What should i do othercase To make my OpenPGP applet support PKCS#11.
>> Your Java Card does probably not support PKCS #11. An applet on the card
>> might implement it. To make it work, you need a PKCS #11 middleware and
>> tell TrueCrypt about it (Settings > Security Tokens... > PKCS #11
>> Library Path). If you are using an applet that is supported by OpenSC,
>> you can use OpenSC. Otherwise you have to resort to the proprietary
>> middleware supplied by the vendor. OpenPGP cards should be supported by
>> OpenSC and should be usable with TrueCrypt [1]. There is also a
>> proprietary PKCS #11 library that should provide a PKCS #11 interface
>> for OpenPGP cards [2]. Otherwise you can try Scute [3].
>> That said, it is probably better to ask on the OpenSC mailing list [4]
>> about PKCS #11.
>> The Java Card OpenPGP applet seems to be maintained by Yubico at the
>> moment [5].
>> Regards,
>> Matthias-Christian
>> [1]
>> [2]
>> [3]
>> [4]
>> [5]
> The main issue is that TrueCrypt does not generate a key on-card, but
> instead it stores pin-protected data which it reads out when it needs to
> unlock the disk.
> OpenPGP cards, if I recall right, have no capability to store arbitrary
> data.

You could store it in the private use data objects (0103, 0104). I look
at both TrueCrypt's and OpenSC's source code. TrueCrypt uses PKCS #11 to
find all private object with a matching label. OpenSC's PKCS #11
implementation in turn uses its PKCS #15 implementation to store
objects. OpenSC's PKCS #15 driver for OpenPGP cards in turn does not
handle data objects even if the card could store them. It doesn't look
too difficult to implement this feature. Perhaps somebody will do it for
you if ask on the OpenSC mailing list.

Scute supports certificates only as well.

> Perhaps you can file a feature-request against VeraCrypt (the "current"
> TrueCrypt project) to implement a mechanism where the master key (or subkey
> of sorts) is encrypted with a key stored on-card.

I think this is impossible TrueCrypt derives keys from the password and
then decrypts the header of the volume. There is no space to store
encrypted key material.


More information about the Gnupg-users mailing list