OpenBSD Journal

USB 'disk' for crypto key storage

Contributed by jose on from the private-disk-devices dept.

Pete writes: "Hi! As a security consultant, I spend a lot of time travelling & unfortunately often have customer confidential data (with permission) on my Laptop HDD. I use a PowerBook G4 with dualboot OBSD & OSX. Currently I store my confidential data in OSX encrypted disk images. I'm keen to push it over to an OBSD vnode type hideaway. At the same time I'd like to utilise one of these cheap USB keychain dongles to store my de/en - cryption 'keys' on. So my question is does anyone have any experience of this ? e.g which makes are cheap/robust/secure & how do they appear to OBSD (IDE disk or ?)

thanks... "

Actually, I have one of these also with an encrypted filesystem on it, and it's damn handy. I used vnconfig -k, however. Any recipes that don't use that method?

(Comments are closed)

  1. By Christopher Biggs () on

    I keep my keys and portable data on Compact Flash (CF) cards.

    I have a tiny USB-CF reader, a CF-to-PCMCIA sled, an ATA-to-CF adaptor, and a stack of CF cards of various sizes. This gives me better speed, scalability, cost-effectiveness and future-proofing than USB "flash keys".

    CF cards are cheaper (locally) per meg than USB-flash, and I can still interop with systems that don't have USB, such as my elderly laptop.

    (BTW, usb-cf and usb-flash appear as SCSI drives, since the usb mass-storage profile uses the scsi command set)

  2. By jenny () on

    I use one of those small diameter CD-R's for storing my keyfiles. They are very cheap, you can easily destroy them and there might even be CD-RW's out there. I think one of those discs can store up to 250 megs and they can be used in any computer that has a CD-ROM drive - no need for a CF slot!

    1. By Nathan Ryan Milford () nmilford@hotmail on mailto:nmilford@hotmail

      I don't know how handy those would be with the slot loading drive the powerbook uses. But for tray loading cd drive it's be swell.

    2. By Anonymous Coward () on

      Yup, the CD-RW's are out there. They actually hold more than the CD-R's from the types i've run across so far.

    3. By jenny () on

      yes, i can really recommend using them. you can even burn some of your favorite music and listen to it on your car cd player (if it supports the small diameter cds). :-)

    4. By Anonymous Coward () on

      Those will *not* work with slot loading cd drives. :(

  3. By Anonymous Coward () on

    Wasn't there some part of FreeBSD (GEOS or something) that was imported that would let it do encrypted FS in a way that doesn't suck (ie, vnode)?

  4. By Anonymous Coward () on

    Install PAM and pam_usb module.
    It runs fine on my Linux laptop and only when I insert my usb key and type in my password I can mount the encrypted filesystem

  5. By jose () on

    i use a 64 MB USB key for private files, and i used dd to create a large file, vnconfig -k to use the file as a filesystem with an encryption key, and then i just mount the vnd0 device as a disk afer that. easy as pie ...

    1. By Chris Hilton () on

      I use a Memorex 256Mb USB flash drive to hold all of my ssh keys. The mount of the pendrive is handled by amd. The keys are stored on a cfs encrypted directory. A simple script pulls up ssh-askpass to get the cfs volume's passphrase, handles the attach, adds the keys to my ssh-agent and then disassembles the whole thing. The primary security is in the fact that the cattach times out after like 10 seconds and the keys are on the USB thumbdrive with me.

      -- Chris

  6. By Anonymous Coward () on

    When I need to encrypt some files fast&easy, I just put them in a tarball, and encrypt that:
    $ tar cvzf - ./* | openssl enc -bf -out encrypted.tgz
    (don't forget to wipe out the original files)

    and to decrypt it again:
    $ openssl enc -bf -d -in encrypted.tgz | tar xvzf -

    It's not perfect, but it's nice for safely transporting sensitive data, eg. on a floppy/cdrom.

  7. By Anonymous Coward () on

    Dug Song has a script you may want to look at:

  8. By ann onimous () on

    GPG anyone?

    1. By Anonymous Coward () on

      We're all lazy bums, and gpg has to be installed, while openssh comes with default install :) lol

      No, seriously, of course GPG is an option too!

Latest Articles


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]