This procedure and script are for managing an encrypted VeraCrypt filesystem with a YubiKey 5 NFC device. The filesystem can be mounted and dismounted only while the YubiKey, onto which you previously moved a GPG key, is connected. After the setup, just plug in the key and launch the script, and your filesystem is mounted immediately.
An encrypted filesystem matters for many purposes: holding a bitcoin wallet file, storing other highly sensitive data, and so on. For example, if you have a bitcoin wallet it is very important that the wallet file lives on an encrypted filesystem for privacy: it contains, among other things, your addresses and your labels. This holds even if the wallet is read-only (watch-only). Always use an encrypted filesystem for storing key information. Never leave sensitive information on an unencrypted filesystem, because your security and privacy are otherwise at risk.
With the strategy described here you achieve the highest level of security, because the system is based on an external device rather than on a password you have to keep in mind or write down somewhere, which is an insecure practice.
What is needed:
- Ubuntu, any flavor; tested on Lubuntu 19.04
- VeraCrypt filesystem encryption software
- YubiKey 5 NFC device
- pass (the standard Unix password manager)
- GPG2
- the simple mount and dismount script provided here
Install all the software you need by running the micro-script
./dependencies
VeraCrypt itself must obviously also be installed. Please refer to: https://www.veracrypt.fr/en/Downloads.html
Generate a new 4096-bit RSA GPG key to use for credential encryption
gpg --full-generate-key
gpg --expert --edit-key <your_email@key_identifier>
addkey
#choose (4) RSA (sign only)
#choose 4096
#answer questions
save
Back up your private key somewhere safe by running the provided micro-script
./keysbackup
Prepare your YubiKey to accept the 4096-bit RSA private key you just generated with GPG
gpg --card-edit
admin
key-attr
#change the key length to 4096 and exit
Move the key to the YubiKey device
gpg --edit-key AF6FCExxxxxx
gpg> key 1
gpg> keytocard
gpg> <pick the right slot>
gpg> <repeat for the other keys>
gpg> save
Configure pass to use the GPG key (now held inside the YubiKey) for password encryption. This is a key step
pass init "GPG-ID-HERE"
Now you are ready to store the keyfile content in pass
- store your keyfile content and your password in pass, at the locations you prefer
- set the constants in the script to match the pass locations where you stored the keyfile and the password, for both mount and dismount
- launch the script and test
NB: it is suggested to choose the password and the keyfile content in such a way that you have a recovery procedure. For example you can use a word list like the bitcoin BIP39 one, or a similar mechanism. The backup should always be kept offline, on paper.
We talk about these topics on this YouTube channel: http://www.youtube.com/c/MassimoSMusumeci and also in the Telegram group: https://t.me/BitcoinSecPriv . Please refer also to the resources published on the website https://www.massmux.com for more information, or contact me at massimo (at) denali.swiss or go (at) massmux.com
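As an added example (not the repository's own script), here is what a mount/dismount script built on these steps can look like: the password and keyfile content are read from pass, which only decrypts them while the YubiKey holding the GPG key is present. The pass entry names, volume path and mount point are assumed placeholders; override them through the environment.

```bash
#!/usr/bin/env bash
# Added example, not the repository's own script: mount and dismount a VeraCrypt
# volume using a password and keyfile content stored in pass (so the GPG key on
# the YubiKey must be present to decrypt them). Entry names, volume path and
# mount point are assumed placeholders; override them via the environment.
set -eu

PASS_PASSWORD_ENTRY="${PASS_PASSWORD_ENTRY:-veracrypt/vault/password}"
PASS_KEYFILE_ENTRY="${PASS_KEYFILE_ENTRY:-veracrypt/vault/keyfile}"
VOLUME="${VOLUME:-$HOME/vault.hc}"
MOUNTPOINT="${MOUNTPOINT:-$HOME/vault}"

# Decrypt the keyfile entry into a private temp file (mktemp creates it 0600)
# and print its path; the caller deletes it as soon as VeraCrypt has read it.
keyfile_from_pass() {
    local tmp
    tmp="$(mktemp)"
    pass show "$PASS_KEYFILE_ENTRY" > "$tmp"
    printf '%s\n' "$tmp"
}

# Mount: the password is fed to VeraCrypt on stdin (--stdin) instead of
# --password=... so it never shows up in the process list; the temp keyfile
# is removed whether or not the mount succeeded.
mount_vault() {
    local kf pw status=0
    pw="$(pass show "$PASS_PASSWORD_ENTRY" | head -n 1)"   # first line only
    [ -n "$pw" ] || { echo "no password from pass (YubiKey missing?)" >&2; return 1; }
    kf="$(keyfile_from_pass)"
    mkdir -p "$MOUNTPOINT"
    printf '%s\n' "$pw" | veracrypt --text --non-interactive --stdin \
        --keyfiles="$kf" "$VOLUME" "$MOUNTPOINT" || status=$?
    shred -u "$kf" 2>/dev/null || rm -f "$kf"
    return "$status"
}

dismount_vault() {
    veracrypt --text --dismount "$MOUNTPOINT"
}

case "${1:-}" in
    mount)    mount_vault ;;
    dismount) dismount_vault ;;
    "")       ;;   # no command: only define the functions (e.g. when sourced)
    *)        echo "usage: $0 mount|dismount" >&2; exit 2 ;;
esac
```

Run it as `./vault mount` or `./vault dismount`; with the YubiKey unplugged, `pass show` cannot decrypt the entries and the mount step fails before anything is written to disk.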