[Dshield] Requiring a key-pair to mount a volume

Frank Knobbe frank at knobbe.us
Sat Dec 17 23:05:28 GMT 2005


On Fri, 2005-12-16 at 09:46 -0800, Anthony Rodgers wrote:
> Like many folks, I use a USB thumb drive and was wondering if there  
> was a way of allowing it to mount only on machines that had the  
> appropriate half of a PKI pair, or requiring a passphrase to unlock a  
> keypair in order to mount the drive.

You have several options. I think someone mentioned EFS and PGP Virtual
Disks. You also can use programs like PCGuardian to transparently
encrypt the whole drive.

Since you said "mount" I assume you are using Linux or BSD. I'm using a
USB drive myself running FreeBSD 6. My laptop is configured to boot from
USB first, then hard drive. So when the USB thumb drive is not inserted,
it boots straight into my XP game partition.

However, when the USB thumb drive is inserted, the system will boot from
it. On it is my FBSD root file system. It will then
mount /var, /usr, /tmp, and the swap partition which reside on the hard
disk and are encrypted with GBDE (GEOM Based Disk Encryption). The
encryption keys reside on the USB thumb drive. During boot, it will
"unlock" the partitions, mount them, and then run BSD as normal.

The advantage is that /var, /usr, /tmp, and even the swap partition are
transparently encrypted. If you were to snag the laptop, you won't be
able to get to the data, unless you have a couple hundred or thousand
years for a brute force attack. Since the root file system can't be
encrypted and it contains /etc with passwords and such, leaving that (or
a working copy) on the drive wasn't an option for me, so I'm just
keeping it on the thumb drive. Since that is in my pocket on my key
chain, it's not available when you steal my laptop. Conversely, the USB
drive alone won't allow you to get to my data anywhere (/root does not
contain SSH keys, only my user account on /usr).

The danger of course is a lost/destroyed thumb drive. I strongly
recommend you make a couple copies (dd will suffice) in case the primary
gets lost or stolen. Feel free to prep a second thumb drive and keep it
in your safe.

Hope that helps.
Cheers,
Frank




-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
Url : http://www.dshield.org/pipermail/list/attachments/20051217/62dba366/attachment.bin


More information about the list mailing list