Storing passwords on USB key

For a while, I’ve been using my USB key to store sensitive information such as my private keys or passwords.

I’m using a loop-aes encrypted partition image stored in a file on my USB key, which is automatically mounted whenever necessary.

I store my GPG and SSH private key files on this partition, and wrappers around the tools mount the partition before launching the original tool.

The USB key’s regular files (a FAT16 partition) are mounted through udev scripts. I used the script keyloader available at http://www.hardeman.nu/~david/keyload/ and described in http://lists.debian.org/debian-devel/2005/03/msg00408.html. I made a few changes to address the use of a VFAT primary partition in /dev/sda1 instead of a filesystem directly on /dev/sda. The udev setup is put in /etc/udev/rules.d/010-local.rules.

After an iso image of the partition has been created with gpg on the USB key, my scripts load it to /mnt/crypto-partition.

Here is the corresponding declaration in /etc/fstab:

/mnt/cryptkey/loop-aes/partition.bin /mnt/crypto-partition ext2 defaults,user,noauto,sync,dirsync,rw,loop=/dev/loop3,encryption=AES128,gpgkey=/mnt/cryptkey/loop-aes/keyfile.gpg 0 0

My wrapper scripts use quintuple-agent to store in memory the passphrase used for the mount command of the iso crypto partition.
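
The mount-on-demand wrapper described above, as an added example (not the author's own scripts): it uses the mount point and image path from the fstab entry, while the function names and the MOUNTS_FILE override are assumptions. Passphrase caching through quintuple-agent is left out, so mount asks for the passphrase itself.

```shell
#!/bin/sh
# Added example: mount the encrypted partition on demand, then run the real tool.
# Paths come from the fstab entry above; function names and the MOUNTS_FILE
# override are assumptions of this sketch.
CRYPTO_MNT="${CRYPTO_MNT:-/mnt/crypto-partition}"
CRYPTO_IMG="${CRYPTO_IMG:-/mnt/cryptkey/loop-aes/partition.bin}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"   # overridable so the check can be tested

# Succeed only if the mount point is exactly field 2 of a line in the mounts
# table (an exact match, so /mnt/crypto does not match /mnt/crypto-partition).
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# Make sure the encrypted partition is available; fail closed otherwise so the
# tool never runs against an empty mount point.
ensure_crypto_mounted() {
    is_mounted "$CRYPTO_MNT" && return 0
    if [ ! -r "$CRYPTO_IMG" ]; then
        echo "USB key not present: $CRYPTO_IMG is missing" >&2
        return 1
    fi
    # The "user" option in the fstab entry lets an unprivileged user do this.
    mount "$CRYPTO_MNT" || return 1
    # Re-check instead of trusting the exit status of mount alone.
    is_mounted "$CRYPTO_MNT"
}

# Usage: run_with_crypto TOOL [ARGS...]
run_with_crypto() {
    ensure_crypto_mounted || return 1
    # exec replaces the wrapper, so no extra shell process stays around.
    exec "$@"
}

# With no arguments the script only defines the functions.
[ "$#" -eq 0 ] || run_with_crypto "$@"
```

Saved under a hypothetical name such as with-crypto, it would be called as "with-crypto gpg --decrypt file.gpg".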

Add loop to /etc/modules

Set up udev so that my device is always associated with a specific device name instead of the standard (and potentially confusing, if other USB key devices are plugged in already) device nodes.
This article describes setting up udev: http://www.debian-administration.org/articles/126

Various links related to this (unsorted… maybe some day I’ll take time to clean this article 😉):

  • http://www.debian-administration.org/articles/127
  • http://www.chiark.greenend.org.uk/pipermail/debian-uk/2004-February/009720.html
  • http://lists.debian.org/debian-devel/2005/03/msg00281.html
  • http://www.seanius.net/linux/keyloader/
  • http://www.gentoo.org/proj/en/keychain/index.xml

Update 2006/02/24: Looks like I had never published this post… now it’s done.
