From owner-freebsd-security@FreeBSD.ORG Sun Jun 19 02:48:59 2011
Date: Sat, 18 Jun 2011 22:48:53 -0400
From: jhell
To: Robert Simmons
Cc: freebsd-security@freebsd.org
Subject: Re: gpg keys on USB drive
Message-ID: <20110619024853.GA2419@DataIX.net>
In-Reply-To: <201106172123.44466.rsimmons0@gmail.com>

On Fri, Jun 17, 2011 at 09:23:43PM -0400, Robert Simmons wrote:
> I have been reading up on keeping encryption secret keys on a USB thumb drive
> so that there is an "air gap" so to speak except when the drive is inserted in
> the machine and mounted.
>
> Is it possible to replace all the files in my home directory with symbolic
> links to the corresponding files in the USB drive? This seems easy, but how
> can I be sure in FreeBSD that the symlinks will always work when the drive is
> plugged in? I have noticed that the device is sometimes different depending on
> what other USB devices are plugged in and where they are plugged in.
>
> Also, other than the obvious drawback of needing to remember where the drive
> is, and plug it in, are there any drawbacks to keeping keysets such as for
> OpenSSH, geli providers, GnuPG, KWallet, and BitCoin on a USB drive?
>
> Lastly, using geli to create a passphrase based encrypted provider ON the USB
> drive before storing everything on there would increase its security, no?

Check out /etc/devd.conf, where you can match that USB device specifically
with some entries and fire a script to perform whatever ``action'' necessary
to achieve the conditions that you have to meet. There should be sufficient
examples in that file already that would give you a head start & clue of what
to add.

This might not be your best choice if you're not comfortable with scripting
though.

From owner-freebsd-security@FreeBSD.ORG Sun Jun 19 13:00:31 2011
Date: Sun, 19 Jun 2011 14:43:10 +0200
From: Steve Clement
To: rsimmons0@gmail.com
Cc: freebsd-security@freebsd.org
Subject: Re: gpg keys on USB drive
Message-Id: <3ECF8BF7-6F3F-4AA3-AE0B-7328C284F6FD@localhost.lu>
In-Reply-To: <201106172123.44466.rsimmons0@gmail.com>

On Jun 18, 2011, at 3:23 AM, Robert Simmons wrote:
> I have been reading up on keeping encryption secret keys on a USB thumb drive
> so that there is an "air gap" so to speak except when the drive is inserted in
> the machine and mounted.

Good idea, just make sure you have a "Backup" of your Thumb Drive. I usually
have 2 thumb-drives that sync between each other but I also do an encrypted
on-disk Backup.

USB Sticks tend to break rather fast and that jeopardizes your valuable keys.

> Is it possible to replace all the files in my home directory with symbolic
> links to the corresponding files in the USB drive? This seems easy, but how
> can I be sure in FreeBSD that the symlinks will always work when the drive is
> plugged in? I have noticed that the device is sometimes different depending on
> what other USB devices are plugged in and where they are plugged in.

The symlinks defo work for gpg/mutt/firefox/thunderbird etc...

I have a rather old mock-up to achieve what you want to achieve:

http://localhost.lu:8081/GeneralProtection

> Also, other than the obvious drawback of needing to remember where the drive
> is, and plug it in, are there any drawbacks to keeping keysets such as for
> OpenSSH, geli providers, GnuPG, KWallet, and BitCoin on a USB drive?

I think losing the key is the biggest drawback. So better be sure to not be
messy :)

Also bear in mind that your Rootkit does scan for removable media so it's no
real protection against that kind of attack.

> Lastly, using geli to create a passphrase based encrypted provider ON the USB
> drive before storing everything on there would increase its security, no?

Maybe, see drawbacks.

cheers,
-- 
Steve Clement
https://www.twitter.com/SteveClement
mailto:steve@localhost.lu
.lu: +352 20 333 55 65
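Following up on jhell's /etc/devd.conf suggestion, here is an added example (not code from either poster) of a devd-driven handler that sidesteps the changing da<N> number: it assumes the stick was labelled with glabel(8) as `keys`, that the user runs `geli attach /dev/label/keys` themselves after inserting it (devd runs actions without a terminal, so it cannot answer the passphrase prompt), and that the script path `/usr/local/sbin/keydrive-attach`, the `KEYDRIVE_*` variables and the mount point are placeholders.

```shell
#!/bin/sh
# Handler devd(8) runs once the decrypted geli provider appears, so the mount
# point (and the symlinks in $HOME pointing into it) never depends on which
# da<N> the stick received.  Assumed /etc/devd.conf stanza (placeholders):
#
#   notify 100 {
#       match "system"    "DEVFS";
#       match "subsystem" "CDEV";
#       match "type"      "CREATE";
#       match "cdev"      "label/keys.eli";
#       action "/usr/local/sbin/keydrive-attach $cdev";
#   };

LABEL="${KEYDRIVE_LABEL:-keys}"            # glabel name (assumption)
MNT="${KEYDRIVE_MNT:-/home/user/.keys}"    # placeholder mount point

# is_keydrive DEV: 0 only when DEV is exactly our decrypted provider.
# Matching the full label, not a da<N> pattern, means a stray stick that
# happens to get the same unit number is never mounted as the key drive.
is_keydrive() {
    [ "$1" = "label/$LABEL.eli" ]
}

# world_readable_keys DIR: print every regular file under DIR readable by
# group (040) or others (004); returns 0 if any exist.  Private keys on the
# stick should be mode 0600, so a hit is worth logging.
world_readable_keys() {
    found=$(find "$1" -type f \( -perm -040 -o -perm -004 \) -print)
    [ -n "$found" ] && printf '%s\n' "$found"
}

# mount_keydrive DEV: mount the provider; key material never needs exec/suid.
mount_keydrive() {
    is_keydrive "$1" || return 1
    mkdir -p "$MNT" && chmod 700 "$MNT"
    mount -o noexec,nosuid,noatime "/dev/$1" "$MNT" || return 1
    if world_readable_keys "$MNT" >/dev/null; then
        logger -t keydrive "loose permissions on key files under $MNT"
    fi
}

# devd passes the cdev name as $1; with no argument (e.g. sourced) do nothing.
case "${1-}" in "") ;; *) mount_keydrive "$1" ;; esac
```

Label the stick once with `glabel label keys /dev/daN` before running `geli init` on `/dev/label/keys`; afterwards the path `/dev/label/keys` stays the same no matter how the USB ports are populated.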