On Jun 18, 2011, at 3:23 AM, Robert Simmons wrote:
> I have been reading up on keeping encryption secret keys on a USB thumb drive
> so that there is an "air gap" so to speak except when the drive is inserted in
> the machine and mounted.
Good idea, just make sure you have a "Backup" of your Thumb Drive.
I usually have 2 thumb-drives that sync between each other but I also do an
encrypted on-disk Backup.
USB Sticks tend to break rather fast and that jeopardizes your valuable keys.
>
> Is it possible to replace all the files in my home directory with symbolic
> links to the corresponding files in the USB drive? This seems easy, but how
> can I be sure in FreeBSD that the symlinks will always work when the drive is
> plugged in? I have noticed that the device is sometimes different depending on
> what other USB devices are plugged in and where they are plugged in.
>
The symlinks defo work for gpg/mutt/firefox/thunderbird etc...
I have a rather old mock-up to achieve what you want to achieve:
http://localhost.lu:8081/GeneralProtection
> Also, other than the obvious drawback of needing to remember where the drive
> is, and plug it in, are there any drawbacks to keeping keysets such as for
> OpenSSH, geli providers, GnuPG, KWallet, and BitCoin on a USB drive?
>
I think losing the key is the biggest drawback. So better be sure to not be
messy :)
Also bear in mind that your Rootkit does scan for removable media so it's no
real protection against that kind of attack.
> Lastly, using geli to create a passphrase based encrypted provider ON the USB
> drive before storing everything on there would increase its security, no?
Maybe, see drawbacks.
cheers,
--
Steve Clement
https://www.twitter.com/SteveClement
mailto:steve@localhost.lu
.lu: +352 20 333 55 65
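An added example of the symlink setup discussed in this exchange (my code, not from the thread or from Steve's mock-up page). It assumes the stick is mounted at a fixed path such as /mnt/keys (for instance via a glabel/geli fstab entry, so the path no longer depends on whether the stick shows up as da0 or da1) and carries a "keys" directory mirroring $HOME; all paths and file names below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Point $HOME key files at a USB stick
# mounted at a FIXED path; never link to a device node, since /dev/da0 may
# become /dev/da1 when another USB device is present (the problem raised above).
# Assumed layout: the stick carries a "keys" directory that mirrors $HOME,
# e.g. keys/.gnupg/secring.gpg, keys/.ssh/id_rsa.
# Assumption: the stick is mounted under a stable name, e.g. an fstab entry like
#   /dev/label/keys.eli  /mnt/keys  ufs  rw,noauto  0 0
# (glabel label + geli, so the path does not depend on enumeration order).

# Create, for every file under MOUNT/keys, a symlink at the same relative path
# in HOME. A real file already in HOME is never clobbered: move it onto the
# stick yourself first (and keep a backup of the stick, as the reply advises).
link_keys() {
    home=$1; mount=$2
    if [ ! -d "$mount/keys" ]; then
        echo "no keys directory under $mount; stick not mounted?" >&2
        return 1
    fi
    find "$mount/keys" -type f | while IFS= read -r src; do
        dst="$home/${src#"$mount/keys/"}"
        if [ -e "$dst" ] && [ ! -L "$dst" ]; then
            echo "skip: $dst is a regular file, not replacing it" >&2
            continue
        fi
        mkdir -p "$(dirname "$dst")"
        ln -sfn "$src" "$dst"
    done
}

# Number of symlinks in HOME whose target lies under MOUNT.
count_links() {
    home=$1; mount=$2
    find "$home" -type l -exec readlink {} \; | grep -c "^$mount/"
}

# Number of dangling symlinks in HOME. With the stick unplugged every key link
# breaks: that is the wanted fail-closed behaviour (no plaintext copy is left
# on disk), and also exactly what a program reports as "key not found".
count_dangling() {
    find "$1" -type l ! -exec test -e {} \; -print | wc -l | tr -d ' '
}
```

Run `link_keys "$HOME" /mnt/keys` once the stick is mounted; `count_dangling "$HOME"` after unplugging it shows how many key paths now resolve to nothing, which is what gpg or ssh will see.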