1

I am trying to create a new VeraCrypt container on the command line in a completely interactive fashion. To make things more complicated, I need to store a keyfile on a PKCS#11 token.

From what I understood, I first need to import the keyfile to the token before creating the volume. I have tried the commands

veracrypt --text --import-token-keyfiles --token-lib=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so  --new-keyfiles=/tmp/keyfile.dat

and

veracrypt --text --import-token-keyfiles --token-lib=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so  --keyfiles=/tmp/keyfile.dat

But both commands interactively ask for the keyfile:

Enter keyfile [none]:
mat
  • 1,046

1 Answer

0

After looking at the source code of VeraCrypt, it appears that what I'm trying to achieve is unfortunately not possible.

void TextUserInterface::ImportSecurityTokenKeyfiles () const
    {
[...]
        shared_ptr <KeyfileList> keyfiles = AskKeyfiles();
[...]

The relevant function just asks for the keyfile interactively without heeding command-line switches.

As an ugly workaround, I found that this command works:

printf '/tmp/keyfile.dat\n\n' | veracrypt --text --import-token-keyfiles --token-lib=/usr/lib/mypkcs11lib.so --token-pin=123456
mat
  • 1,046