USB 'disk' for crypto key storage

Contributed by jose on 2003-08-15 from the private-disk-devices dept.

Pete writes: "Hi! As a security consultant, I spend a lot of time travelling & unfortunately often have customer confidential data (with permission) on my Laptop HDD. I use a PowerBook G4 with dualboot OBSD & OSX. Currently I store my confidential data in OSX encrypted disk images. I'm keen to push it over to an OBSD vnode type hideaway. At the same time I'd like to utilise one of these cheap USB keychain dongles to store my de/en - cryption 'keys' on. So my question is does anyone have any experience of this ? e.g which makes are cheap/robust/secure & how do they appear to OBSD (IDE disk or ?)

thanks... "

Actually, I have one of these also with an encrypted filesystem on it, and it's damn handy. I used vnconfig -k, however. Any recipes that don't use that method?

(Comments are closed)

Comments

By Christopher Biggs () unixbigot@pobox.com on 2003-08-15 20:54 mailto:unixbigot@pobox.com

I keep my keys and portable data on Compact Flash (CF) cards.
I have a tiny USB-CF reader, a CF-to-PCMCIA sled, an ATA-to-CF adaptor, and a stack of CF cards of various sizes. This gives me better speed, scalability, cost-effectiveness and future-proofing than USB "flash keys".
CF cards are cheaper (locally) per meg than USB-flash, and I can still interop with systems that don't have USB, such as my elderly laptop.
(BTW, usb-cf and usb-flash appear as SCSI drives, since the usb mass-storage profile uses the scsi command set)
By jenny () ireland@mmathias.com on 2003-08-15 22:28 openbsd.mmathias.com

I use one of those small diameter CD-R's for storing my keyfiles. They are very cheap, you can easily destroy them and there might even be CD-RW's out there. I think one of those discs can store up to 250 megs and they can be used in any computer that has a CD-ROM drive - no need for a CF slot!
Comments
1. By Nathan Ryan Milford () nmilford@hotmail on 2003-08-15 22:55 mailto:nmilford@hotmail
  
  I don't know how handy those would be with the slot loading drive the powerbook uses. But for tray loading cd drive it's be swell.
2. By Anonymous Coward () on 2003-08-15 23:28
  
  Yup, the CD-RW's are out there. They actually hold more than the CD-R's from the types i've run across so far.
3. By jenny () ireland@mmathias.com on 2003-08-16 07:46 openbsd.mmathias.com
  
  yes, i can really recommend using them. you can even burn some of your favorite music and listen to it on your car cd player (if it supports the small diameter cds). :-)
4. By Anonymous Coward () on 2003-08-18 12:49
  
  Those will *not* work with slot loading cd drives. :(
By Anonymous Coward () on 2003-08-15 23:49

Wasn't there some part of FreeBSD (GEOS or something) that was imported that would let it do encrypted FS in a way that doesn't suck (ie, vnode)?
By Anonymous Coward () on 2003-08-16 04:07

Install PAM and pam_usb module.
It runs fine on my Linux laptop and only when I insert my usb key and type in my password I can mount the encrypted filesystem
By jose () on 2003-08-16 09:36 http://monkey.org/~jose/

i use a 64 MB USB key for private files, and i used dd to create a large file, vnconfig -k to use the file as a filesystem with an encryption key, and then i just mount the vnd0 device as a disk afer that. easy as pie ...
Comments
1. By Chris Hilton () ecks@vindaloo.com on 2003-08-20 01:30 mailto:ecks@vindaloo.com
  
  I use a Memorex 256Mb USB flash drive to hold all of my ssh keys. The mount of the pendrive is handled by amd. The keys are stored on a cfs encrypted directory. A simple script pulls up ssh-askpass to get the cfs volume's passphrase, handles the attach, adds the keys to my ssh-agent and then disassembles the whole thing. The primary security is in the fact that the cattach times out after like 10 seconds and the keys are on the USB thumbdrive with me.
  
  -- Chris
  Comments
  1. By Chris Hilton () ecks@vindaloo.com on 2003-08-20 12:54 http://www.vindaloo.com/~chris
    
    I got a question in email about how I did this. I posted the steps at my website: pendrive-ssh-keys It's really rough. Send me questions --Chris
By Anonymous Coward () on 2003-08-17 01:13

When I need to encrypt some files fast&easy, I just put them in a tarball, and encrypt that:
$ tar cvzf - ./* | openssl enc -bf -out encrypted.tgz
(don't forget to wipe out the original files)

and to decrypt it again:
$ openssl enc -bf -d -in encrypted.tgz | tar xvzf -

It's not perfect, but it's nice for safely transporting sensitive data, eg. on a floppy/cdrom.
By Anonymous Coward () on 2003-08-16 16:42

Dug Song has a script you may want to look at:
http://www.monkey.org/~dugsong/tmp/aestar
By ann onimous () on 2003-08-17 05:08

GPG anyone?
Comments
1. By Anonymous Coward () on 2003-08-17 10:02
  
  We're all lazy bums, and gpg has to be installed, while openssh comes with default install :) lol
  
  No, seriously, of course GPG is an option too!

Latest Articles

Wed, Apr 24
- 04:35 Game of Trees 0.98 released (0)
Tue, Apr 23
- 05:25 pfctl(8) and systat(8) to display fragment reassembly statistics (0)
Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (12)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]