Re: gpg keys on USB drive





On Fri, Jun 17, 2011 at 09:23:43PM -0400, Robert Simmons wrote:
I have been reading up on keeping encryption secret keys on a USB thumb drive
so that there is an "air gap" so to speak except when the drive is inserted in
the machine and mounted.

Is it possible to replace all the files in my home directory with symbolic
links to the corresponding files in the USB drive? This seems easy, but how
can I be sure in FreeBSD that the symlinks will always work when the drive is
plugged in? I have noticed that the device is sometimes different depending on
what other USB devices are plugged in and where they are plugged in.

Also, other than the obvious drawback of needing to remember where the drive
is, and plug it in, are there any drawbacks to keeping keysets such as for
OpenSSH, geli providers, GnuPG, KWallet, and BitCoin on a USB drive?

Lastly, using geli to create a passphrase based encrypted provider ON the USB
drive before storing everything on there would increase its security, no?

Checkout /etc/devd.conf where you can match that USB device specifically
with some entries and fire a script to perform whatever ``action''
neccesary to achieve the conditions that you have to meet. There should
be sufficient examples in that file already that would give you a head
start & clue of what to add.

This might not be your best choice if your not comfortable with
scripting though.

Attachment: pgpuEYtBZeb1T.pgp
Description: PGP signature



Relevant Pages