
Re: Key management using a USB key



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On Thu, 17 Mar 2005 at 14:13 you wrote:
> > o Especially on laptops, it might be interesting to also encrypt all of
> > /home and/or other parts of the harddrive to make the data unusuable
> > without the USB key. But how to integrate this with the other
> > requirements?
> 
> I know of someone who set up a solution so the crypto partitions will
> not be mounted if the smartcard is not plugged in.

I made such a solution using cfs for my own laptop. I do that by
mounting an encrypted dir and then setting $HOME to the new home.
Unfortunately not all applications take care of $HOME, most importantly
gimp or pan and some others.

I only do "crypthome newhome" to use it. The directory can be generated
by:
gpg --gen-random 2 16 | gpg --symmetric > key.gpg
gpg < key.gpg | cmkdir -b -- newhome
mv key.gpg newhome/..p

Here is how I did this (part of .bashrc):

# cryptmount NAME: locate the cfs-encrypted directory NAME (plain or dotted,
# in the current directory or under $HOME) and its gpg-encrypted key file,
# then attach it under /crypt/NAME. _testcrypt and herehome are helpers
# from the same .bashrc that are not shown in this post.
cryptmount()
{
   if [ "X$1" == "X" ]; then
      echo "Please specify a directory!"
      return 1
   fi
   if [ -d "/crypt/$1" ]; then
      echo "Directory still mounted!"
      return 0
   fi
   # Candidate order: key file beside the directory (NAME.gpg), key file
   # inside it (NAME/..p), the same under $HOME, and finally a directory
   # with no key file at all (cattach then prompts for the key itself).
   if _testcrypt "$1" "$1.gpg"; then
      CDIR="$1"
      CPWFILE="$1.gpg"
   elif _testcrypt ".$1" ".$1.gpg"; then
      CDIR=".$1"
      CPWFILE=".$1.gpg"
   elif _testcrypt "$1" "$1/..p"; then
      CDIR="$1"
      CPWFILE="$1/..p"
   elif _testcrypt ".$1" ".$1/..p"; then
      CDIR=".$1"
      CPWFILE=".$1/..p"
   elif _testcrypt "$HOME/$1" "$HOME/$1.gpg"; then
      CDIR="$HOME/$1"
      CPWFILE="$HOME/$1.gpg"
   elif _testcrypt "$HOME/.$1" "$HOME/.$1.gpg"; then
      CDIR="$HOME/.$1"
      CPWFILE="$HOME/.$1.gpg"
   elif _testcrypt "$1"; then
      CDIR="$1"
      CPWFILE=""
   elif _testcrypt ".$1"; then
      CDIR=".$1"
      CPWFILE=""
   elif _testcrypt "$HOME/$1"; then
      CDIR="$HOME/$1"
      CPWFILE=""
   elif _testcrypt "$HOME/.$1"; then
      CDIR="$HOME/.$1"
      CPWFILE=""
   else
      echo "File $1 not found!"
      return 1
   fi
   if [ "X$CPWFILE" == "X" ]; then
      cattach "$CDIR" "$1"
   else
      # Decrypt the random key with gpg and hand it to cattach on stdin.
      gpg < "$CPWFILE" | cattach -- "$CDIR" "$1"
   fi
   return $?
}
# crypthome NAME: mount NAME, wait until cfs exposes it under /crypt,
# then move $HOME there.
crypthome()
{
   cryptmount "$1" || return 1
   sleep 1
   until [ -d "/crypt/$1" ]; do
      sleep 1
   done
   cd "/crypt/$1" && herehome
   echo "Home directory changed to /crypt/$1."
}

Regards
   Klaus Ethgen
- -- 
Klaus Ethgen                            http://www.ethgen.de/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE  EA 40 30 57 3C 88 26 2B
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iQEVAwUBQjmSvZ+OKpjRpO3lAQKZgAgAg4u6ybSUfCCPMHm00fYSzsn+rLwi+/wp
h4m+W+vwdpPczYlkTxIKkmzLHXMdv0qnsUa37kijU4KdaVOvxQbsCcWdI3Z5yw9Q
lheUU06Zm6YNCJlm30Vavb+hhCxK1jGLrIAwb5AxeE4dtdBAGifjzauF9ilwOooN
Tq7Wqh27kn+v8VTsWzsqoLCBSLnn4YSnGHtTVqhkCiFWt6kMgiqzVcBLBfXdktIl
xKjNTE9Zn534G3yKcrxXY4SuUmANt+fliSt7WPPfXDgt8u6YG5cCpJQTjjXivTaC
4pm7IvpMpcY6bSqgDr5gZzeJ8tHEA7FKJOQjLFVBMelJ4Yz1EEE4PQ==
=zhfn
-----END PGP SIGNATURE-----
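The lookup that cryptmount() in the post performs with a chain of elif branches, written as an added example (my code, not Klaus's) as a loop over the same candidates, plus two checks a practitioner would want before a key file is fed to gpg: the name must be a single path component, and the key file must not be readable by group or others. find_crypt_target, valid_crypt_name and key_file_is_private are hypothetical names; the cfs commands (cattach, cmkdir) are not invoked, the function only prints "<dir>|<keyfile>" for the caller to use in the same `gpg < keyfile | cattach -- dir name` pipeline the post shows.

```shell
#!/bin/sh
# Added example, not code from the original post. Resolves a cfs directory
# name to "<dir>|<keyfile>" the way the post's cryptmount() does, with a
# generalized candidate loop and two defensive checks.

# Return 0 if NAME is a safe single path component (no "/", not "." or "..").
valid_crypt_name() {
    case "$1" in
        ''|*/*|.|..) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 if FILE exists and carries no group/other permission bits.
# Uses ls -l columns 5-10 (group and other rwx) so it works on any POSIX ls.
key_file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print "<dir>|<keyfile>" for the first match, searching the current
# directory and then $HOME, plain name and dotted name, with the key file
# beside the directory (NAME.gpg) or inside it (NAME/..p). A directory that
# exists without any key file is reported as "<dir>|" (cfs will prompt).
# Exit status: 0 found, 1 not found or bad name, 2 key file too permissive.
find_crypt_target() {
    name=$1
    valid_crypt_name "$name" || { echo "invalid name: $name" >&2; return 1; }
    for base in "$PWD" "$HOME"; do
        for prefix in "" "."; do
            dir="$base/$prefix$name"
            [ -d "$dir" ] || continue
            for key in "$dir.gpg" "$dir/..p"; do
                [ -f "$key" ] || continue
                if ! key_file_is_private "$key"; then
                    echo "refusing $key: readable by group or others" >&2
                    return 2
                fi
                printf '%s|%s\n' "$dir" "$key"
                return 0
            done
        done
    done
    # Second pass: a directory with no key file at all.
    for base in "$PWD" "$HOME"; do
        for prefix in "" "."; do
            dir="$base/$prefix$name"
            if [ -d "$dir" ]; then
                printf '%s|\n' "$dir"
                return 0
            fi
        done
    done
    echo "File $name not found!" >&2
    return 1
}
```

Usage would be `target=$(find_crypt_target newhome) || exit`, then split on `|` and run `gpg < "$keyfile" | cattach -- "$dir" newhome` when a key file was found. The permission check matters because the key file is the only thing standing between a lost laptop and the plaintext once the USB key is absent; a mode of 644 on newhome/..p silently undoes that.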