Re: Key management using a USB key
Hi,
On Thu, 17 Mar 2005 at 14:13 you wrote:
> > o Especially on laptops, it might be interesting to also encrypt all of
> > /home and/or other parts of the harddrive to make the data unusable
> > without the USB key. But how to integrate this with the other
> > requirements?
>
> I know of someone who set up a solution so the crypto partitions will
> not be mounted if the smartcard is not plugged in.
I made such a solution using cfs for my own laptop. I do that by
mounting an encrypted dir and then setting $HOME to the new home.
Unfortunately not all applications take care of $HOME, most importantly
gimp or pan and some others.
I only do "crypthome newhome" to use it. The directory can be generated
by:
    gpg --gen-random 2 16 | gpg --symmetric > key.gpg
    gpg < key.gpg | cmkdir -b -- newhome
    mv key.gpg newhome/..p
Here is how I did this (part of .bashrc):
# Helper used below. Its definition is not part of this message; this is an
# assumed reconstruction: succeed if $1 is a directory and, when a second
# argument is given, $2 is a readable key file.
_testcrypt()
{
    [ -d "$1" ] || return 1
    [ $# -lt 2 ] || [ -r "$2" ]
}

# Helper used by crypthome(); also not in the message. Assumed: make the
# current directory the new $HOME.
herehome()
{
    HOME="$PWD"
    export HOME
}

cryptmount()
{
    if [ "X$1" == "X" ]; then
        echo "Please specify a directory!"
        return 1
    fi
    # CFS exposes attached directories under /crypt/<name>.
    if [ -d "/crypt/$1" ]; then
        echo "Directory already mounted!"
        return 0
    fi
    # Locate the encrypted directory and its gpg-encrypted key file: first
    # relative to the current directory (plain or dot-prefixed), then under
    # $HOME, with the key either beside the directory (<name>.gpg) or inside
    # it (<name>/..p). If no key file is found, cattach asks for a passphrase.
    if _testcrypt "$1" "$1.gpg"; then
        CDIR="$1"
        CPWFILE="$1.gpg"
    elif _testcrypt ".$1" ".$1.gpg"; then
        CDIR=".$1"
        CPWFILE=".$1.gpg"
    elif _testcrypt "$1" "$1/..p"; then
        CDIR="$1"
        CPWFILE="$1/..p"
    elif _testcrypt ".$1" ".$1/..p"; then
        CDIR=".$1"
        CPWFILE=".$1/..p"
    elif _testcrypt "$HOME/$1" "$HOME/$1.gpg"; then
        CDIR="$HOME/$1"
        CPWFILE="$HOME/$1.gpg"
    elif _testcrypt "$HOME/.$1" "$HOME/.$1.gpg"; then
        CDIR="$HOME/.$1"
        CPWFILE="$HOME/.$1.gpg"
    elif _testcrypt "$1"; then
        CDIR="$1"
        CPWFILE=""
    elif _testcrypt ".$1"; then
        CDIR=".$1"
        CPWFILE=""
    elif _testcrypt "$HOME/$1"; then
        CDIR="$HOME/$1"
        CPWFILE=""
    elif _testcrypt "$HOME/.$1"; then
        CDIR="$HOME/.$1"
        CPWFILE=""
    else
        echo "File $1 not found!"
        return 1
    fi
    if [ "X$CPWFILE" == "X" ]; then
        # No key file: cattach prompts for the passphrase itself.
        cattach "$CDIR" "$1"
    else
        # Decrypt the random key with gpg and hand it to cattach on stdin.
        gpg < "$CPWFILE" | cattach -- "$CDIR" "$1"
    fi
    return $?
}

crypthome()
{
    cryptmount "$1" || return 1
    sleep 1
    # Wait until CFS has made the attached directory visible under /crypt.
    until [ -d "/crypt/$1" ]; do
        sleep 1
    done
    cd "/crypt/$1" && herehome
    echo "Home directory changed to /crypt/$1."
}
Regards
Klaus Ethgen
-- 
Klaus Ethgen http://www.ethgen.de/
pub 2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE EA 40 30 57 3C 88 26 2B
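The crypthome() function in the message above waits in an unbounded "until [ -d /crypt/$1 ]" loop, so a cattach that fails quietly leaves the shell hanging and HOME unchanged. The following is an added example, not code from Klaus Ethgen's message: the same check with a bounded wait and an explicit result before HOME is re-pointed. MOUNT_ROOT is an assumed variable standing in for the CFS mount point /crypt, so the functions can be exercised against any directory.

```shell
#!/bin/sh
# Added example; MOUNT_ROOT is an assumption standing in for CFS's /crypt.
MOUNT_ROOT="${MOUNT_ROOT:-/crypt}"

# wait_for_dir NAME [TIMEOUT_SECONDS]
# Poll once per second until $MOUNT_ROOT/NAME exists. Returns 0 when the
# directory appears and 1 when the timeout (default 10 s) expires, instead
# of looping forever as the original until-loop does.
wait_for_dir() {
    name="$1"
    timeout="${2:-10}"
    waited=0
    while [ ! -d "$MOUNT_ROOT/$name" ]; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "Timed out after ${timeout}s waiting for $MOUNT_ROOT/$name" >&2
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# switch_home NAME [TIMEOUT_SECONDS]
# Re-point HOME only once the attached directory is really there and
# writable; on any failure HOME is left untouched and 1 is returned, so a
# failed attach never silently leaves the session on the unencrypted home.
switch_home() {
    wait_for_dir "$1" "${2:-10}" || return 1
    if [ ! -w "$MOUNT_ROOT/$1" ]; then
        echo "$MOUNT_ROOT/$1 exists but is not writable; keeping HOME=$HOME" >&2
        return 1
    fi
    cd "$MOUNT_ROOT/$1" || return 1
    HOME="$MOUNT_ROOT/$1"
    export HOME
    echo "Home directory changed to $HOME."
    return 0
}
```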