[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Key management using a USB key

On Tue, Mar 08, 2005 at 12:46:46AM +0100, David Härdeman wrote:
I've been meaning for some time to get a USB key to manage private keys (such as gpg, ssh, etc), but it's not until recently that I tried to sit down and sketch on how to implement it (filesystem layout, functionality, which parts are encrypted and accessed at which points in time etc). It turns out that it was not as obious as I thought.


It would be very interesting to hear how others manage this...

Ok, based on the script from Sean Finney and the feedback from the others (thanks all!). I've written a rough draft of how *I* would like things to work.

It's divided into three parts, and also requires the keychain tool[1]. The first file, is a simple udev rule which creates a /dev/cryptdisk node when the appropriate usb key is inserted (proper as decided by the various conditions which one can list in a udev rule). It can be placed in /etc/udev/rules.d/cryptkey.rules.

Then, a script which is run after the appropriate device node is created or removed. This script is plopped into /etc/dev.d/block/cryptdisk.dev. This script mounts the drive, checks who it belongs to (by reading the "keyowner" file in the root dir of the USB key), mounts it again with the proper permissions for that user and then calls the third piece.

The third script, which is run as the user who "owns" the key, loads the ssh keys from the usb key and into ssh-agent. The advantage is that this script can also be called from eg. .xsession to load keys from usb devices which were already present during boot. It also allows one to load keys even if X isn't running.

The scripts are a bit rough at the moment, I wrote them in a hurry, but I'll clean them up a bit more later, I wanted to get something through the door. They "work-for-me" right now (loading keys, with ssh-askpass dialogue, and removing them when the usb key is removed).

I'll work more on the scripts during the weekend (adding some of the TODO's, documentation).


[1] http://www.gentoo.org/proj/en/keychain/index.xml
[2] http://www.hardeman.nu/~david/keyload/

Right now, the scripts are licensed under a "david-owes-sean-a-pizza" license =)

Reply to: