Re: Key management using a USB key

To: debian-devel@lists.debian.org
Subject: Re: Key management using a USB key
From: David Härdeman <david@2gen.com>
Date: Thu, 10 Mar 2005 02:15:09 +0100
Message-id: <[🔎] 20050310011508.GA3540@hardeman.nu>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20050307234645.GA8450@hardeman.nu>
References: <[🔎] 20050307234645.GA8450@hardeman.nu>

On Tue, Mar 08, 2005 at 12:46:46AM +0100, David Härdeman wrote:

I've been meaning for some time to get a USB key to manage private keys(such as gpg, ssh, etc), but it's not until recently that I tried to sitdown and sketch on how to implement it (filesystem layout,functionality, which parts are encrypted and accessed at which points intime etc). It turns out that it was not as obious as I thought.


[...]

It would be very interesting to hear how others manage this...

Ok, based on the script from Sean Finney and the feedback from theothers (thanks all!). I've written a rough draft of how *I* would likethings to work.

It's divided into three parts, and also requires the keychain tool[1].The first file, is a simple udev rule which creates a /dev/cryptdisknode when the appropriate usb key is inserted (proper as decided by thevarious conditions which one can list in a udev rule). It can be placedin /etc/udev/rules.d/cryptkey.rules.

Then, a script which is run after the appropriate device node is createdor removed. This script is plopped into /etc/dev.d/block/cryptdisk.dev.This script mounts the drive, checks who it belongs to (by reading the"keyowner" file in the root dir of the USB key), mounts it again withthe proper permissions for that user and then calls the third piece.

The third script, which is run as the user who "owns" the key,loads the ssh keys from the usb key and into ssh-agent. The advantage isthat this script can also be called from eg. .xsession to load keys fromusb devices which were already present during boot. It also allows oneto load keys even if X isn't running.

The scripts are a bit rough at the moment, I wrote them in a hurry, butI'll clean them up a bit more later, I wanted to get something throughthe door. They "work-for-me" right now (loading keys, with ssh-askpassdialogue, and removing them when the usb key is removed).

I'll work more on the scripts during the weekend (adding some of theTODO's, documentation).


Regards,
David

[1] http://www.gentoo.org/proj/en/keychain/index.xml
[2] http://www.hardeman.nu/~david/keyload/

PS

Right now, the scripts are licensed under a "david-owes-sean-a-pizza"license =)

Reply to:

References:
- Key management using a USB key
  - From: David Härdeman <david@2gen.com>

Prev by Date: Re: Shouldn't kernel-image-2.6.x-y-z depend on alsa-base ?
Next by Date: Re: Shouldn't kernel-image-2.6.x-y-z depend on alsa-base ?
Previous by thread: Re: Key management using a USB key
Next by thread: Key management using a USB key
Index(es):
- Date
- Thread