From owner-freebsd-security@FreeBSD.ORG Sat Jun 18 01:54:20 2011
From: Robert Simmons <rsimmons0@gmail.com>
To: freebsd-security@freebsd.org
Date: Fri, 17 Jun 2011 21:23:43 -0400
Subject: gpg keys on USB drive
Message-Id: <201106172123.44466.rsimmons0@gmail.com>

I have been reading up on keeping encryption secret keys on a USB thumb drive so that there is an "air gap", so to speak, except when the drive is inserted in the machine and mounted.

Is it possible to replace all the files in my home directory with symbolic links to the corresponding files on the USB drive? This seems easy, but how can I be sure in FreeBSD that the symlinks will always work when the drive is plugged in? I have noticed that the device is sometimes different depending on what other USB devices are plugged in and where they are plugged in.

Also, other than the obvious drawback of needing to remember where the drive is and plug it in, are there any drawbacks to keeping keysets such as those for OpenSSH, geli providers, GnuPG, KWallet, and BitCoin on a USB drive?

Lastly, using geli to create a passphrase-based encrypted provider ON the USB drive before storing everything on there would increase its security, no?
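One way to handle the device-naming and geli questions raised in the message above, as an added example that is not part of the original mail or of any reply on the list. It assumes the stick shows up as da0 (a hypothetical choice; check dmesg), a GPT partition label "keyvault" and the mount point /mnt/keyvault; all three names are assumptions. The FreeBSD-only preparation and attach steps are wrapped in functions that are defined but not run automatically, since they need root and destroy the stick; the link_keyfiles helper is plain POSIX sh and can be exercised on any system.

```shell
#!/bin/sh
# Added example, not code from the original mail. Assumed names: disk da0,
# GPT label "keyvault", mount point /mnt/keyvault (all hypothetical).
#
# The device node (/dev/da0, /dev/da1, ...) depends on enumeration order, so
# never refer to it after setup. A GPT label gives a stable path under
# /dev/gpt/ no matter which port the stick is in or what else is plugged in,
# and the geli provider attached on top of it appears as /dev/gpt/<label>.eli.

# One-time preparation (root, FreeBSD, destroys everything on da0). Not run here.
prepare_keyvault() {
    gpart destroy -F da0 2>/dev/null || true
    gpart create -s gpt da0
    gpart add -t freebsd-ufs -l keyvault da0          # -> /dev/gpt/keyvault
    geli init -e AES-XTS -l 256 -s 4096 /dev/gpt/keyvault   # passphrase-only provider
    geli attach /dev/gpt/keyvault                     # -> /dev/gpt/keyvault.eli
    newfs -U /dev/gpt/keyvault.eli
    mkdir -p /mnt/keyvault
    mount /dev/gpt/keyvault.eli /mnt/keyvault
    touch /mnt/keyvault/.keyvault                     # marker: "this is the real vault"
}

# Per session: attach by label, mount, and later tear down again.
open_keyvault() {
    geli attach /dev/gpt/keyvault
    mkdir -p /mnt/keyvault
    mount -o noatime /dev/gpt/keyvault.eli /mnt/keyvault
}

close_keyvault() {
    umount /mnt/keyvault
    geli detach /dev/gpt/keyvault.eli
}

# link_keyfiles HOME VAULT relpath...
# Replaces each HOME/relpath with a symlink to VAULT/relpath. The marker file
# written by prepare_keyvault is checked first, so links are never created
# against the bare mount-point directory when the stick is absent (otherwise a
# program that recreates a missing key file would silently write it to the
# unencrypted root filesystem). An existing plaintext file is renamed, not
# deleted: wipe it yourself once you have verified the vault copy works.
# Returns 1 if the vault is not mounted, 2 if a vault file is missing.
link_keyfiles() {
    home=$1; vault=$2; shift 2
    [ -f "$vault/.keyvault" ] || { echo "vault not mounted at $vault" >&2; return 1; }
    for rel in "$@"; do
        src="$vault/$rel"
        dst="$home/$rel"
        [ -e "$src" ] || { echo "missing $src" >&2; return 2; }
        if [ -e "$dst" ] && [ ! -L "$dst" ]; then
            mv "$dst" "$dst.pre-vault"
        fi
        mkdir -p "$(dirname "$dst")"
        ln -sfn "$src" "$dst"
    done
}

# Typical use on FreeBSD after copying the key material onto the vault:
#   open_keyvault && link_keyfiles "$HOME" /mnt/keyvault \
#       .ssh/id_rsa .gnupg/secring.gpg .gnupg/pubring.gpg
#   ... work ...
#   close_keyvault
```

Two caveats the helper does not remove: the mount point and the symlink targets are world-readable paths, so the vault filesystem should carry the same 0600/0700 permissions the originals had, and anything that follows the symlink while the stick is inserted (including a compromised process) sees the plaintext key, so the "air gap" only holds while the provider is detached.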