Re: Key management using a USB key
On Tue, Mar 08, 2005 at 12:46:46AM +0100, David Härdeman wrote:
I've been meaning for some time to get a USB key to manage private keys
(such as gpg, ssh, etc), but it's not until recently that I tried to sit
down and sketch on how to implement it (filesystem layout,
functionality, which parts are encrypted and accessed at which points in
time etc). It turns out that it was not as obious as I thought.
[...]
It would be very interesting to hear how others manage this...
Ok, based on the script from Sean Finney and the feedback from the
others (thanks all!). I've written a rough draft of how *I* would like
things to work.
It's divided into three parts, and also requires the keychain tool[1].
The first file, is a simple udev rule which creates a /dev/cryptdisk
node when the appropriate usb key is inserted (proper as decided by the
various conditions which one can list in a udev rule). It can be placed
in /etc/udev/rules.d/cryptkey.rules.
Then, a script which is run after the appropriate device node is created
or removed. This script is plopped into /etc/dev.d/block/cryptdisk.dev.
This script mounts the drive, checks who it belongs to (by reading the
"keyowner" file in the root dir of the USB key), mounts it again with
the proper permissions for that user and then calls the third piece.
The third script, which is run as the user who "owns" the key,
loads the ssh keys from the usb key and into ssh-agent. The advantage is
that this script can also be called from eg. .xsession to load keys from
usb devices which were already present during boot. It also allows one
to load keys even if X isn't running.
The scripts are a bit rough at the moment, I wrote them in a hurry, but
I'll clean them up a bit more later, I wanted to get something through
the door. They "work-for-me" right now (loading keys, with ssh-askpass
dialogue, and removing them when the usb key is removed).
I'll work more on the scripts during the weekend (adding some of the
TODO's, documentation).
Regards,
David
[1] http://www.gentoo.org/proj/en/keychain/index.xml
[2] http://www.hardeman.nu/~david/keyload/
PS
Right now, the scripts are licensed under a "david-owes-sean-a-pizza"
license =)
Reply to: