From owner-freebsd-security@FreeBSD.ORG Sun Jun 19 02:48:59 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1FA8C1065674 for ; Sun, 19 Jun 2011 02:48:59 +0000 (UTC) (envelope-from cmdlnkid@gmail.com) Received: from mail-iw0-f182.google.com (mail-iw0-f182.google.com [209.85.214.182]) by mx1.freebsd.org (Postfix) with ESMTP id CF0C68FC0A for ; Sun, 19 Jun 2011 02:48:58 +0000 (UTC) Received: by iwr19 with SMTP id 19so2991079iwr.13 for ; Sat, 18 Jun 2011 19:48:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:sender:date:from:to:cc:subject:message-id :references:mime-version:content-type:content-disposition :in-reply-to; bh=KsFTwIeQpPJkMZXoCTHrGJoeUYJa5vMgfw/y4t5HDeQ=; b=S0A8MBB9mdyyK9s0E47CB89K2iReNZlc2HTUxXw6JSmMm5g5FgvKZkQnm2gHtwFeIP 4Jxn+LI+5xSW4uj2QZCjnunMqJfd9QaRsMfb/ghIHsTHxaKXA/7hr6QZ8WLLWuhx4FtK 2zzBeMmaPF/ev86xX9GJj99Vb+pyEVHb/rT5w= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to; b=C+PgTUSL16wH2TP4zGm8DBtvOZbaqIi+VvQPIcJA7TZRA3EgOv612VhtXMSRjlIE+h E7o8qw1O9sblO7BneeVLi5GrSLmycih/M/Pi3v1z1fi/p9e4gOOPCD86Y324B25Gh1Ba JkckVcDEM8AVUtSRzgUHsUNsDAxumvGZjsZL0= Received: by 10.42.142.138 with SMTP id s10mr4361130icu.422.1308451738162; Sat, 18 Jun 2011 19:48:58 -0700 (PDT) Received: from DataIX.net ([108.73.113.243]) by mx.google.com with ESMTPS id v15sm2350255ibh.28.2011.06.18.19.48.57 (version=TLSv1/SSLv3 cipher=OTHER); Sat, 18 Jun 2011 19:48:57 -0700 (PDT) Sender: The Command Line Kid Received: from DataIX.net (localhost [127.0.0.1]) by DataIX.net (8.14.4/8.14.4) with ESMTP id p5J2mtsc011297 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 18 Jun 2011 22:48:55 -0400 (EDT) (envelope-from jhell@DataIX.net) Received: (from jhell@localhost) by DataIX.net (8.14.4/8.14.4/Submit) id p5J2msSd011288; Sat, 18 Jun 2011 22:48:54 -0400 (EDT) (envelope-from jhell@DataIX.net) Date: Sat, 18 Jun 2011 22:48:53 -0400 From: jhell To: Robert Simmons Message-ID: <20110619024853.GA2419@DataIX.net> References: <201106172123.44466.rsimmons0@gmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="vkogqOf2sHV7VnPd" Content-Disposition: inline In-Reply-To: <201106172123.44466.rsimmons0@gmail.com> Cc: freebsd-security@freebsd.org Subject: Re: gpg keys on USB drive X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 19 Jun 2011 02:48:59 -0000 --vkogqOf2sHV7VnPd Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Jun 17, 2011 at 09:23:43PM -0400, Robert Simmons wrote: > I have been reading up on keeping encryption secret keys on a USB thumb d= rive=20 > so that there is an "air gap" so to speak except when the drive is insert= ed in=20 > the machine and mounted. >=20 > Is it possible to replace all the files in my home directory with symboli= c=20 > links to the corresponding files in the USB drive? This seems easy, but = how=20 > can I be sure in FreeBSD that the symlinks will always work when the driv= e is=20 > plugged in? I have noticed that the device is sometimes different depend= ing on=20 > what other USB devices are plugged in and where they are plugged in. >=20 > Also, other than the obvious drawback of needing to remember where the dr= ive=20 > is, and plug it in, are there any drawbacks to keeping keysets such as fo= r=20 > OpenSSH, geli providers, GnuPG, KWallet, and BitCoin on a USB drive? >=20 > Lastly, using geli to create a passphrase based encrypted provider ON the= USB=20 > drive before storing everything on there would increase its security, no? Checkout /etc/devd.conf where you can match that USB device specifically with some entries and fire a script to perform whatever ``action'' neccesary to achieve the conditions that you have to meet. There should be sufficient examples in that file already that would give you a head start & clue of what to add. This might not be your best choice if your not comfortable with scripting though. --vkogqOf2sHV7VnPd Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (FreeBSD) Comment: http://bit.ly/0x89D8547E iQEcBAEBAgAGBQJN/WOVAAoJEJBXh4mJ2FR+WAsH/A4WL9XDjzHgSeLuPOP1H2Tv EJd+xVX3YYYmxcxc5lPKImdtdqcg6u/kdKagWWH8jP/tcukfabOU3ii+ie0JQmiy 3RKK65svOfVABxsYpJ5HfS9AbQFbIQw/LPSLEhCwvVQZmLFgQtgi0ikhs0J/IZSc g9rGXn4HNVEadwECk1c46hZWtvzTUU64tCkHmx943+/EHugMv6BS6EAqJd33Dxe+ StIuy70ff1v9QVR0ML2atLkQC1ns4BndhFhujobISsqHe6CmLJBBTdOD2Nw3SOnY GXrx66NIWMEXbWW7zv0BLouoiGBRln+QseHBDxlgBrR6LKe1lDP5tEiDPegC6Pk= =DLrI -----END PGP SIGNATURE----- --vkogqOf2sHV7VnPd--