[Dshield] Requiring a key-pair to mount a volume

Stephane Grobety security at admin.fulgan.com
Mon Dec 19 15:31:26 GMT 2005

Hello Anthony,

Excuse me if this message is a bit large: I included a couple of
sample scripts that should help you solve your problem.

First, I would suggest you avoid using EFS. It's a pretty sure way of
losing all your data in a short time. This feature is really a gadget
more than anything else as it has numerous problems (no support for
multiple accounts, extremely poor portability between systems, etc).
It's really only useful if you want to encrypt a folder on a personal
computer (not on removable media).

Now, there are numerous tools that will allow you to create a virtual
drive (as a file) and mount it as a new partition. Most use password
protection but some will also allow for PKI. I would advise against
PGPDisk, though: it has a tendency to corrupt files (mostly those that
use record-locking and concurrent access) and it's extremely

I would suggest you have a look at TrueCrypt which is pretty good but
requires you to enter a password (and, optionally, provide a keyfile)
to mount a volume. It has a traveller mode designed for USB drives and
other removable devices. It's also free and open source.

You could also have a look at DriveCrypt. It is not freeware but
includes support for PKI protection. It's made by the company that
wrote E4M on which TrueCrypt is also based so their feature sets are
pretty close. It can, however, make use of keys stored on USB tokens,
smart cards, fingerprint readers or any PKCS#11 compatible containers.
It will not, however, work with key pairs from the certificate store.
Price is around 50$ IIRC.

Finally, you could use some scripting to achieve your exact goal. Here
is how:

1/ Get an encryption product that can create encrypted volumes
protected by a passphrase.
2/ Get an X509 certificate and matching key pair. You do not need to
sign it with a CA if you don't want to (you're not going to use this
for digital signing, just for encryption). Make
3/ Generate an encrypted volume protected by a long and complex
passphrase (just don't use space: it'll be easier).
4/ Download and register CAPICOM.dll from Microsoft. This dll allows
easy access to the CryptoAPI functions and the system's secure store.
5/ Create a script file that will decrypt the passphrase (see example

The advantage of this method is that you can keep a copy of the
passphrase on a secure system or simply printed out on a piece of
paper stored in a safe. You can also make that passphrase as long as
you want since you won't have to type it in. The example I give is
more or less transparent: you can put the call to decryptfile.vbs into
an autorun batch file and it'll be executed whenever you plug the
device in (e.g. "cscript decrypt.vbs keyfile.txt"). Please note that
the certificate is protected by your Windows logon account. You can
make variations that use the current system account to allow anyone
using the same machine as you to mount the encrypted volume. If you
lose your USB key, no one will be able to decrypt the keyfile to
retrieve the passphrase. Total cost: 0$ if you use TrueCrypt.

If you want the sample script in a more convenient format (i.e. zipped
and attached), please contact me off list.

First file called "Encrypt.vbs". You'll use it to create a key file
that contains your passphrase:
---- Encrypt.vbs ----
' Some useful constants for CAPICOM
' (the constant definitions and the store.Open call below were missing from
' the archived copy of this script; restored here with the standard CAPICOM values)
Const CAPICOM_CURRENT_USER_STORE = 2
Const CAPICOM_STORE_OPEN_READ_ONLY = 0
Const CAPICOM_ENCODE_BASE64 = 0

' Retrieve the argument list
Set objArgs = WScript.Arguments
If objArgs.Count <> 2 Then
  WScript.Echo "This script takes 2 parameters: first one is the name of the target file, second is the data to encrypt"
Else
  KeyFileName = objArgs(0)
  ClearText = objArgs(1)
  ' This part deals with the encryption
  ' Create the CAPICOM store object
  Set store = CreateObject("CAPICOM.Store")
  ' Open the store containing the certificate you want to use.
  ' The current parameters only display the certificates that have been loaded in the current user's personal store
  ' Optionally, you could use the machine store (make sure it has the proper certificate loaded)
  ' The certificate does not need to be valid to be used and you do not need to have access to the
  ' private key here. It will, however, be necessary to have access to that private key to decrypt the message
  store.Open CAPICOM_CURRENT_USER_STORE, "My", CAPICOM_STORE_OPEN_READ_ONLY
  ' Trigger the certificate selection dialog
  Set certificates = store.Certificates.Select
  If certificates.Count >= 1 Then
    ' Pick the first certificate of the list
    Set certificate = certificates.Item(1)
    ' Create an enveloped data object. It's the easiest way to encrypt the file
    Set EnvelopedData = CreateObject("CAPICOM.EnvelopedData")
    ' Assign the input data to the enveloped data object
    EnvelopedData.Content = ClearText
    ' Indicates what key pair we should use for encryption.
    EnvelopedData.Recipients.Add certificate
    ' Do the actual encryption
    CipherText = EnvelopedData.Encrypt(CAPICOM_ENCODE_BASE64)
    ' Create the key file
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objTextFile = objFSO.CreateTextFile(KeyFileName, True)
    objTextFile.Write CipherText
    objTextFile.Close
  End If
End If
---- end Encrypt.vbs ----

The second file is simpler. It will decrypt the key file and pass the
argument to your application. You'll need to change the line marked
"CHANGE THIS LINE" at the end with a call to your application.

---- Decrypt.vbs ----
Const ForReading = 1

Set objArgs = WScript.Arguments
If objArgs.Count <> 1 Then
  WScript.Echo "This script takes 1 parameter: the name of the key file"
Else
  KeyFileName = objArgs(0)
  ' Read the key file
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  Set objTextFile = objFSO.OpenTextFile(KeyFileName, ForReading)
  cipherText = objTextFile.ReadAll
  objTextFile.Close

  Set EnvelopedData = CreateObject("CAPICOM.EnvelopedData")

  ' Decryption is really easy: just call decrypt with the ciphertext as parameter
  ' The library will automatically locate the proper private key if you have access to it
  ' and, optionally, ask for the related password
  EnvelopedData.Decrypt cipherText
  ClearText = EnvelopedData.Content
  ' This part calls TrueCrypt with some sample parameters to mount an encrypted file as a volume
  ' Change it to fit your needs
  Set WshShell = CreateObject("WScript.Shell")
  WshShell.Exec "trueCrypt.exe /P """ & ClearText & """ /v myvolume.dat /l U /m rm" ' <-------- CHANGE THIS LINE
End If
---- end Decrypt.vbs ----

Note that some lines might get wrapped by your mailer so you might
need reformatting.

Good luck,

Friday, December 16, 2005, 6:46:41 PM, you wrote:

AR> Greetings,

AR> Like many folks, I use a USB thumb drive and was wondering if there  
AR> was a way of allowing it to mount only on machines that had the  
AR> appropriate half of a PKI pair, or requiring a passphrase to unlock a  
AR> keypair in order to mount the drive.

AR> The object would be to prevent someone mounting the drive on their  
AR> machine if I lost it.
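
The wrap/unwrap step from the scripts in this message, as an added example that is not part of the original post: it uses OpenSSL's `cms` command in place of CAPICOM (both produce PKCS#7/CMS enveloped data) and checks that a key file taken from a lost drive cannot be opened with a different key pair. The function names, file names, certificate subjects and sample passphrase are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original message. File names, subjects and the
# sample passphrase are constructed for the demo.

# make_identity DIR NAME: self-signed certificate and private key (no CA).
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# wrap_passphrase CERT KEYFILE: passphrase on stdin -> base64 (PEM) enveloped
# blob, the file that lives on the removable drive next to the volume.
wrap_passphrase() {
    openssl cms -encrypt -binary -aes-256-cbc -outform PEM -out "$2" "$1"
}

# unwrap_passphrase CERT KEY KEYFILE: print the passphrase; non-zero exit when
# CERT/KEY is not the recipient the blob was enveloped for.
unwrap_passphrase() {
    openssl cms -decrypt -binary -inform PEM -in "$3" -recip "$1" -inkey "$2" \
        2>/dev/null
}

# demo: round trip with the owner's key pair, then an attempt by someone who
# found the drive and only has their own key pair.
demo() {
    d=$(mktemp -d) || return 1
    make_identity "$d" owner && make_identity "$d" finder || return 1
    printf '%s' 'constructed-sample-passphrase' |
        wrap_passphrase "$d/owner.crt" "$d/keyfile.txt" || return 1
    owner=$(unwrap_passphrase "$d/owner.crt" "$d/owner.key" "$d/keyfile.txt")
    if unwrap_passphrase "$d/finder.crt" "$d/finder.key" "$d/keyfile.txt" \
        >/dev/null
    then finder=decrypted; else finder=refused; fi
    rm -rf "$d"
    echo "owner=$owner finder=$finder"
}

demo
```

The passphrase is piped on stdin rather than passed as an argument, so it does not show up in a process listing while it is being wrapped.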
