Date: Sun, 19 Jun 2011 14:43:10 +0200
From: Steve Clement <steve@localhost.lu>
To: rsimmons0@gmail.com
Cc: freebsd-security@freebsd.org
Subject: Re: gpg keys on USB drive
Message-ID: <3ECF8BF7-6F3F-4AA3-AE0B-7328C284F6FD@localhost.lu>
In-Reply-To: <201106172123.44466.rsimmons0@gmail.com>
References: <201106172123.44466.rsimmons0@gmail.com>

On Jun 18, 2011, at 3:23 AM, Robert Simmons wrote:

> I have been reading up on keeping encryption secret keys on a USB thumb drive
> so that there is an "air gap" so to speak except when the drive is inserted in
> the machine and mounted.

Good idea, just make sure you have a "Backup" of your Thumb Drive.
I usually have 2 thumb-drives that sync between each other but I also do an encrypted on-disk Backup.
USB Sticks tend to break rather fast and that jeopardizes your valuable keys.

>
> Is it possible to replace all the files in my home directory with symbolic
> links to the corresponding files in the USB drive? This seems easy, but how
> can I be sure in FreeBSD that the symlinks will always work when the drive is
> plugged in? I have noticed that the device is sometimes different depending on
> what other USB devices are plugged in and where they are plugged in.
>

The symlinks defo work for gpg/mutt/firefox/thunderbird etc...

I have a rather old mock-up to achieve what you want to achieve:

http://localhost.lu:8081/GeneralProtection

> Also, other than the obvious drawback of needing to remember where the drive
> is, and plug it in, are there any drawbacks to keeping keysets such as for
> OpenSSH, geli providers, GnuPG, KWallet, and BitCoin on a USB drive?
>

I think losing the key is the biggest drawback. So better be sure to not be messy :)
Also bear in mind that your Rootkit does scan for removable media so it's no real protection against that kind of attack.

> Lastly, using geli to create a passphrase based encrypted provider ON the USB
> drive before storing everything on there would increase its security, no?

Maybe, see drawbacks.

cheers,
-- 
Steve Clement
https://www.twitter.com/SteveClement
mailto:steve@localhost.lu
.lu: +352 20 333 55 65
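
The thread's question is whether home-directory symlinks into the USB drive "will always work" once the drive is plugged in. The following is an added example, not part of the original message or of the mock-up it links to: a shell check that classifies each key location before a program uses it. The function names, the mount point and the file names are hypothetical, and it assumes a `readlink` that supports `-f`.

```sh
#!/bin/sh
# Added example, not from the original message. Paths and names are hypothetical.

# link_status LINK MOUNT -> prints one of:
#   ok        LINK is a symlink whose target exists under MOUNT
#   dangling  LINK is a symlink but its target is missing (drive not mounted)
#   outside   target exists but is not on the drive
#   notlink   LINK is a real file or directory: the secret is on the local disk
#   missing   nothing exists at LINK
link_status() {
    if [ ! -L "$1" ]; then
        [ -e "$1" ] && echo notlink || echo missing
        return
    fi
    [ -e "$1" ] || { echo dangling; return; }
    [ -d "$2" ] || { echo outside; return; }
    target=$(readlink -f "$1")   # canonical path of what the link points at
    root=$(readlink -f "$2")     # canonical path of the mount point
    case "$target" in
        "$root"|"$root"/*) echo ok ;;
        *) echo outside ;;
    esac
}

# check_key_links HOME MOUNT NAME...
# Prints "NAME: status" for each entry; returns non-zero unless all are ok.
check_key_links() {
    home=$1 mnt=$2
    shift 2
    rc=0
    for name in "$@"; do
        st=$(link_status "$home/$name" "$mnt")
        printf '%s: %s\n' "$name" "$st"
        [ "$st" = ok ] || rc=1
    done
    return "$rc"
}

# Example: sh check_links.sh "$HOME" /mnt/keys .gnupg .ssh
if [ "$#" -ge 3 ]; then
    check_key_links "$@"
fi
```

A `notlink` result is the one to act on first: it means a key file was written to the local disk instead of the drive, for example by a program that recreated its directory while the drive was absent.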