gpg keys on USB drive

Steve Clement steve at localhost.lu
Sun Jun 19 13:00:31 UTC 2011



On Jun 18, 2011, at 3:23 AM, Robert Simmons wrote:

> I have been reading up on keeping encryption secret keys on a USB thumb drive 
> so that there is an "air gap" so to speak except when the drive is inserted in 
> the machine and mounted.

Good idea, just make sure you have a "Backup" of your Thumb Drive.
I usually have 2 thumb-drives that sync between each other but I also do an encrypted on-disk Backup.
USB Sticks tend to break rather fast and that jeopardizes your valuable keys.

> 
> Is it possible to replace all the files in my home directory with symbolic 
> links to the corresponding files in the USB drive?  This seems easy, but how 
> can I be sure in FreeBSD that the symlinks will always work when the drive is 
> plugged in?  I have noticed that the device is sometimes different depending on 
> what other USB devices are plugged in and where they are plugged in.
> 

The symlinks defo work for gpg/mutt/firefox/thunderbird etc...

I have a rather old mock-up to achieve what you want to achieve:

http://localhost.lu:8081/GeneralProtection

> Also, other than the obvious drawback of needing to remember where the drive 
> is, and plug it in, are there any drawbacks to keeping keysets such as for 
> OpenSSH, geli providers, GnuPG, KWallet, and BitCoin on a USB drive?
> 

I think losing the key is the biggest drawback. So better be sure to not be messy :)

Also bear in mind that your Rootkit does scan for removable media so it's no real protection against that kind of attack.

> Lastly, using geli to create a passphrase based encrypted provider ON the USB 
> drive before storing everything on there would increase its security, no?

Maybe, see drawbacks.

cheers,

- -- 
Steve Clement
https://www.twitter.com/SteveClement
mailto:steve at localhost.lu
.lu: +352 20 333 55 65

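A small sh script, added here as an example and not part of the thread or its author's mock-up, showing the approach the reply points at: mount the key stick by GEOM label (so the da0/da1 device number the original question worries about does not matter) and then verify that each dotfile symlink in $HOME actually resolves to something on the stick. The label /dev/label/keystore and the mount point /mnt/keystore are assumed names.

```shell
#!/bin/sh
# Added example (not from the thread): mount the key stick by GEOM label,
# so the device node (da0, da1, ...) does not matter, then verify that the
# dotfile symlinks in $HOME resolve onto the mounted stick.
# Assumed names: the label /dev/label/keystore and mount point /mnt/keystore.

KEYSTORE_DEV=${KEYSTORE_DEV:-/dev/label/keystore}
KEYSTORE_MNT=${KEYSTORE_MNT:-/mnt/keystore}

# mount_keystore: mount the labelled device unless it is already mounted.
# With a geli layer on the stick, attach it first and mount the .eli node.
mount_keystore() {
    if ! mount | grep -q " on $KEYSTORE_MNT "; then
        mount -t ufs "$KEYSTORE_DEV" "$KEYSTORE_MNT" || return 1
    fi
}

# check_links HOME MNT name... : for each name, require that HOME/name is a
# symlink whose target lies under MNT, exists, and is not readable by
# "other". Problems go to stderr; the number of bad links is printed.
check_links() {
    home=$1; mnt=$2; shift 2
    bad=0
    for name in "$@"; do
        link="$home/$name"
        if [ ! -L "$link" ]; then
            echo "missing link: $link" >&2; bad=$((bad + 1)); continue
        fi
        target=$(readlink "$link")
        case "$target" in
            "$mnt"/*) ;;
            *) echo "wrong target: $link -> $target" >&2
               bad=$((bad + 1)); continue ;;
        esac
        if [ ! -e "$target" ]; then
            echo "dangling: $link -> $target" >&2; bad=$((bad + 1)); continue
        fi
        # column 8 of "ls -l" output is the "other" read bit (BSD and GNU ls)
        if [ "$(ls -ld "$target" | cut -c8)" = "r" ]; then
            echo "world-readable: $target" >&2; bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# Typical use: mount_keystore && check_links "$HOME" "$KEYSTORE_MNT" .gnupg .ssh
```

Run it from a login script after plugging in the stick; a non-zero count means some key directory would silently fall back to a missing or wrong location.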

