[Dshield] Requiring a key-pair to mount a volume

Stasiniewicz, Adam stasinia at msoe.edu
Mon Dec 19 16:49:50 GMT 2005


Not to start a flame war, I just want clear up some Windows FUD.  

1. EFS is as portable as any other PKI product listed here.  You can
export/import your EFS key (and those of others) from the certificate
manager (Start | Run | certmgr.msc).
2. Just like with every other PKI implementation, if you don't backup
your key you will loss your data.  But EFS has the ability to specify a
Recovery Agent.  Basically a Recovery Agent allows you to specify a
certificate that when any file is EFS encrypted to an end user
certification it is also encrypted to the recovery agent's certificate.
This way if the user losses his key, the recovery agent can use his key
to decrypt the file.  The setting for this can be found in a GPO under
Computer Configuration | Windows Settings | Security Settings | Public
Key Policies | Encrypting File System.  To my knowledge, the only other
products that support such a mandatory secondary key are fairly
expensive (products made by RSA, Verisign, PGP come to mind).
3. EFS does support multiple users.  Just like every other PKI product,
you need to get the target person's certificate on your computer
(certmgr.msc).  Then from the target file's properties menu, select
Advanced | Details | Add | Select other user's certificate.
4. EFS does work on USB keys, as long as you format it with NTFS.

Adam Stasiniewicz 
Computer and Communication Services Department 
Milwaukee School of Engineering 
MSCE: Messaging & Security 2003 

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Stephane Grobety
Sent: Monday, December 19, 2005 9:31 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Requiring a key-pair to mount a volume

Hello Anthony,

Excuse me is this message is a bit large: I included a couple of
sample scripts that should help you solve your problem.

First, I would suggest you avoid using EFS. It's a pretty sure way of
losing all your data is a short time. This feature is really a gadget
more than anything else as it has numerous problems (no support for
multiple accounts, extremely poor portability between systems, etc).
It's really only useful if you want to encrypt a folder on a personal
computer (not on removable media).

Now, there are numerous tools that will allow you to create a virtual
drive (as a file) and mount it as a new partition. Most use password
protection but some will also allow for PKI. I would advise against
PGPDisk, though: it has a tendency to corrupt files (mostly these that
use record-locking and concurrent access) and it's extremely

I would suggest you have a look at TrueCrypt which is pretty good but
requires you to enter a password (and, optionally, provide a keyfile)
to mount a volume. It has a traveller mode designed for USB drives and
other removable devices. It's also free and open source.

You could also have a look at DriveCrypt. It is not freeware but
includes support for PKI protection. It's made by the company that
wrote E4M on which TrueCrypt is also based so their feature set are
pretty close. It can, however, make use of keys stored on USB tokens,
smart card, fingerprint readers or any PKCS#11 compatible containers.
It will not, however, work with key pairs from the certificate store.
price is around 50$ IIRC.

Finally, you could use some scripting to achieve your exact goal. Here
is how:

1/ Get an encryption product that can create encrypted volumes
protected by a passphrase.
2/ Get a X509 certificate and matching key pair. You do not need to
sign it with a CA if you don't want to (you're not going to use this
for digital signing, just for encryption). Make
3/ Generate an encrypted volme protected by a long and complex
passphrase (just don't use space: it'll be easier).
4/ Download and register CAPICOM.dll from Microsoft. This dll allows
easy access to the CryptoAPI functions and the system's secure store.
5/ Create a script file that will decrypt the passphrase (see exemple

The advantage of this method is that you can keep a copy of the
passphrase on a secure system or simply printed out on a piece of
paper stored in a safe. You can also make that passphrase as long as
you want since you won't have to type it in. The exemple I give is
more or less transparent: you can put the call to decryptfile.vbs into
an autorun batch file and it'll be executed whenever you plug de
device in (e.g "cscript decrypt.vbs keyfile.txt"). Please note that
the certificate is protected by your windows logon account. You can
make variations that use the current system account to allow anyone
using the same machine as you to mount the encrypted volume. If you
lose your USB key, no one will be able to decrypt the keyfile to
retreive the passphrase. Total cost: 0$ if you use TrueCrypt.

If you want the sample script in a more convenient format (i.e. zipped
and attached), please contact me off list.

First file called "Encrypt.vbs". You'll use it to create a key file
that contains your passphrase:
---- Encrpyt.vbs ----
' Retreive the argument list
Set objArgs = WScript.Arguments
if objArgs.Count <> 2 then
  Wscript.Echo "This script takes 2 parameters: first one is the name of
the target file, second is the data to encrypt"
  KeyFileName = objArgs(0)
  ClearText = objArgs(1)
  ' This part deals with the encryption
  ' Some useful constants for CAPICOM
  ' Create the CAPICOM store object
  Set store = CreateObject("CAPICOM.Store")
  ' Open the store containing the certificate you want to use.
  ' The current parameters only displays the certificates that have been
loaded in the current user's personal store
  ' Optionally, you could use the machine store (Make sure it has the
proper certificate loaded)
  ' The certificate does not need to be valid to be used and you do not
need to have access to the
  ' private key here. It will, however, be necessary to have access to
that private key to decrypt the message
  ' Trigger the certificate selection dialog
  Set certificates = store.certificates.Select
  If certificates.Count >= 1 Then
    ' Pick the first certificate of the list
    Set certificate = certificates.Item(1)
    ' Create an envelopped data object. It's the easier way to encrypt
the file
    Set EnvelopedData = CreateObject("CAPICOM.EnvelopedData")
    ' Assigne the input data to the certificate store
    EnvelopedData.Content = ClearText
    ' Indicates what key pair we should use for encryption.
    EnvelopedData.Recipients.Add certificate
    ' Do the actual encryption
    CipherText = EnvelopedData.Encrypt(CAPICOM_ENCODE_BASE64)
        ' Create the key file
        Set objFSO = CreateObject("Scripting.FileSystemObject")
        Set objTextFile = objFSO.CreateTextFile(KeyFileName, true)
    objTextFile.Write CipherText
  End If
end if
---- end Encrpyt.vbs ----

The second file is simpler. It will decrypt the key file and pass the
argument to your application. You'll need to change the list maked
"CHANGE THIS LINE" at the end with a call to your application.

---- Decrpyt.vbs ----
Set objArgs = WScript.Arguments
if  objArgs.Count <> 1 then
  Wscript.Echo "This script takes 1 parameter: the name of the key file"
  KeyFileName = objArgs(0)
  ' Read the key file
  set objFSO = CreateObject("Scripting.FileSystemObject")
  Const ForReading = 1
  Set objTextFile = objFSO.OpenTextFile(KeyFileName, forReading)
  cipherText = objTextFile.ReadAll

  Set EnvelopedData = CreateObject("CAPICOM.EnvelopedData")

  ' Decryption is really easy: just call decrypt with the ciphertext as
  ' The library will automatically locate the proper private key is you
have accees to it
  ' and, optionally, ask for the related password
  EnvelopedData.Decrypt cipherText
  ClearText = EnvelopedData.Content
  ' This part calls TrueCrypt with some sample parameters to mount an
encrypted file as a volume
  ' Change it to fit your needs
  Set WshShell = CreateObject("WScript.Shell")
  WshShell.Exec "trueCrypt.exe /P """ + ClearText + """ /v myvolume.dat
/l U /m rm" ' <-------- CHANGE THIS LINE
 end if
---- end Decrpyt.vbs ----

Note that some lines might get wrapped by your mailer so you might
need reformatting.

Good luck,

Friday, December 16, 2005, 6:46:41 PM, you wrote:

AR> Greetings,

AR> Like many folks, I use a USB thumb drive and was wondering if there

AR> was a way of allowing it to mount only on machines that had the  
AR> appropriate half of a PKI pair, or requiring a passphrase to unlock
AR> keypair in order to mount the drive.

AR> The object would be to prevent someone mounting the drive on their  
AR> machine if I lost it.

Learn about Intrusion Detection in Depth from the comfort of your own

send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see:

More information about the list mailing list