Re: Need advice: Storing EFS, S/MIME, VPN certs on USB token

From: Paul Lange (pel@spaceship.com)
Date: 12/08/02 

From: pel@spaceship.com (Paul Lange)
Date: 7 Dec 2002 15:45:16 -0800

Mr. Abell,

I ask this question primarily with EFS in mind. I work off of a
laptop most of the time, and I'd like to begin storing encrypted files
on it with EFS.

However, it does not make sense philosophically to keep the key to
your encrypted files on the same device as the encrypted files.
Granted, it is protected by the master key encrypting the cert store,
but if my laptop is stolen, all bets are off.

I have to trust that the encryption protecting the cert store can't be
hacked, and I'm not sure that Microsoft has earned that trust yet.
They made a mess of that situation with Win2k. And, again, it just
doesn't make sense to me to keep the decryption cert on the same
device as the encrypted files.

>From a security standpoint, yes, a USB token with a cert in the clear
can be easily stolen and manipulated. However, chances are, I will
still have the encrypted files somewhere else. I can revoke the
stolen cert and rekey everything. If my laptop is stolen, I can
revoke the cert, but I can't do that for the EFS files on the laptop.

So I turn to USB devices. I have looked at smart cards, and I have
looked at the proprietary equivalent of smart cards in USB tokens. I
like those options, but I want to minimize the bulge in my pocket.
I'm already carrying a RSA SecurID token. I'll soon be carrying a USB
HDD for holding Palm device files and mp3s. Add to that a proprietary
smart card / USB token solution, and I'm up to three devices plus my
car keys and the other obligatory pocket Stuff.

At this point, to help consolidate some of these, I'm willing to take
the risk of keeping my cert in the clear on my USB HDD. As far as
backup goes, I can always put a copy of the cert on a floppy and keep
it somewhere safe in case I lose the USB HDD to misplacement,
accident, or theft.

However, I don't like having to do the manual export/import game every
time I need to encrypt or decrypt. That's a pain I'd like to avoid,
if possible.

 - Paul Lange

"Roger Abell [MVP]" <mvpNOSPAM@asu.edu> wrote in message news:<OcTBH1AnCHA.2344@TK2MSFTNGP10>...
> "Paul Lange" <pel@spaceship.com> wrote in message
> news:6ea0366c.0212041533.7260f57f@posting.google.com...
> > I have become interested in the use of certs for EFS, S/MIME, and VPN
> > tunnels under Windows XP Professional. However, I am concerned about
> > security, and I would like to have the private key of the cert(s) for
> > those services saved on a removable device.
> >
> > Ideally, I would like to be able to save a cert to a USB keychain HDD
> > and have XP query that device when it comes time to use the private
> > key of the cert. However, I would also like to use the USB keychain
> > HDD for something other than a cert store, say perhaps a file store
> > for use with additional devices.
> >
> > What options exist out there to address this need?
> >
> > Thanks in advance,
> >
> > - Paul Lange
>
> The Certificates mmc snap-in is used to export
> certificates, with and without the private key.
> You can then copy (and should, followed by
> a delete) the exported off to other storage.
> Some usb ramdrives come with software that
> partitions the storage into an encrypted and a
> non-encrypted part.
> However, in order for XP to use a cert or the
> private key one must first import these. So,
> if you export them and have them removed
> from the certificate store (using the Certificates
> interface) you would have to get them back
> into the Certificates store before they could be
> used.
> Finally, one must question why you want to do
> this since the certificates store is most likely a
> safer place to keep these compared to a usb
> keychain device. I do appreciate the ease and
> portability. It is just that the certificates store
> is protected with some rather deep strategy and
> strong algorithmic technology, which you may
> be underestimating.

Relevant Pages

  • Re: Need advice: Storing EFS, S/MIME, VPN certs on USB token
    ... into the OS's secure store. ... > your encrypted files on the same device as the encrypted files. ... > Granted, it is protected by the master key encrypting the cert store, ... > So I turn to USB devices. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: opening an encrypted files
    ... >that drive I create encrypted files (using XP Pro's built-in EFS). ... I want to be able to access those files when I plug that USB ... link in the world - a solid password that hardly any home user bothers ...
    (microsoft.public.windowsxp.general)
  • Re: opening an encrypted files
    ... I have a USB external drive that I plug into my desktop computer. ... However, I want to be able to access those files when I plug that USB drive into another computer, and I have not been able to figure out how to do it. ... I need step-by-step instructions for reading the EFS encrypted files on the portable usb hard drive when that drive is plugged into a computer other than the one on which the files were originally encrypted. ...
    (microsoft.public.windowsxp.general)
  • encrypted files (NTFS EFS) on external USB drive
    ... I need to put NTFS EFS files on a USB external drive and then be able to ... I've created the drive and EFS encrypted files, and they work -- on the ... that this would give me access to the files on the target. ...
    (microsoft.public.windowsxp.security_admin)
  • RE: ntfs with encrypted files
    ... If the User does not have their Cert available (would be on the PC they were using when copying the data), you need to use that PC's Administrator Certificate. ... Subject: ntfs with encrypted files ... Is there any possibility to restore the data? ...
    (Debian-User)