On Thu, 2005-03-03 at 17:54 +0100, Jose Gonzalez Gomez wrote:
> > > I would like to put some sensitive information in my USB
> > > stick, so I can take it with me (ssh private keys,
I had the same issue. I travel a *lot*, and so sooner or later a hard
drive will die, or a laptop will get stolen, or...
So I carry (wear around my neck) a USB key. Whenever I've done more than
a few lines of work on something, I just simply copy it onto the usbkey
- a draft document, some source code - no big deal.
But corporate documents, my archive of presentations, my web site code
and source code-in-progress, taken together, that certainly needs to be
encrypted.
> > Use GPG and encrypt the files.
So a few months ago, I wrote something to make tarballs of important
hierarchies in my home directory and then sign/encrypt them, and then
push them to { usbkey | remote server }. I just use standard GPG
encryption with myself as the recipient.
That, of course, implies I have my private key to decrypt those
tarballs...
> I've been reading a bit about GPG (I haven't used it before) and it
> seems ... only difference between
> them seem to be that GPG trust is based on a decentralized web of
> trust
[ remember that trust is irrelevant if you are using asymmetric
encryption when "sending" something to yourself - you by definition have
the private half of your own key pair. (In GPG terms, that's
"ultimate trust") ]
> I guess in this case I should include the private key as a unencrypted
> file in my USB stick and protect it with a good password, as it will
> be used whenever I need to decrypt any file. Am I right?
Even more important than all the documents and what-not are my ssh keys
and pgp keys + trustdb. Naturally, if I'm storing those against the
possibility of losing my machine (natural causes or otherwise), using
asymmetric encryption is no good because I wouldn't have the private key
available to recover the data!
So, as suggested elsewhere in this thread, I store the private crypto
information in a separate tarball which I encrypt using gpg's symmetric
facility.
++
Naturally, a script to do all this is a natural idea. Well, I wrote one,
and it got out of hand. :) You're welcome to use it. It's called
"geode".
http://www.operationaldynamics.com/reference/software/scripts/#geode
[You'll need to customize it a bit, as it's obviously specific to my
paths and usage cases]
If nothing else it's a good example of how to use some of the more
obscure gpg options.
It's also a good example of how to use zenity (a little command line
front-end for creating GTK dialog boxes). I used it to ask for the pass
phrases and to pop up a progress bar of how far it has worked through
the .tar.bz2 creation.
AfC
Sydney
--
Andrew Frederick Cowie
Managing Director
OPERATIONAL DYNAMICS
A management consultancy in the IT Operations space. We are
available worldwide and specialize in technology strategy,
changes & upgrades, enterprise architecture, and performance
improvement for mission critical systems & the people who
run them.
Sydney: +61 2 9977 6866
New York: +1 646 472 5054
Toronto: +1 416 848 6072
London: +44 207 1019201
http://www.operationaldynamics.com/
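The two modes Andrew describes above (asymmetric, signed and encrypted to yourself, for documents; symmetric for the archive that holds the private keys themselves) as an added example. This is not the geode script and not code from the thread; function names, the AES256 / SHA512 / s2k-count choices, the use of a passphrase file in place of a zenity prompt, and the sample directory in the self-check are all this example's own assumptions. tar is piped straight into gpg so no plaintext archive is ever written to the USB key.

```shell
#!/bin/sh
# Added example, not the author's geode script. Assumes gpg (1.4 or 2.x) and tar
# are on PATH. Passphrases come from a file so the functions run unattended;
# a zenity --entry --hide-text dialog can feed that file interactively.
set -eu

# gpg 2.1+ needs loopback pinentry to take a batch passphrase from a file;
# gpg 1.4 does not know the option, so detect the major version once.
gpg_batch_opts() {
    if gpg --version 2>/dev/null | head -n 1 | grep -q ' 1\.'; then
        printf '%s' '--batch --yes --no-tty'
    else
        printf '%s' '--batch --yes --no-tty --pinentry-mode loopback'
    fi
}

# Mode 1: ordinary documents. Encrypted to your own key ("sent" to yourself,
# so web-of-trust is irrelevant) and signed, so a tampered tarball fails on
# restore. $3 is your key id, $4 the passphrase file for the signing key.
encrypt_docs_asym() {
    dir=$1; out=$2; keyid=$3; passfile=$4
    tar -cz -C "$(dirname "$dir")" "$(basename "$dir")" \
      | gpg $(gpg_batch_opts) --passphrase-file "$passfile" \
            --sign --encrypt --recipient "$keyid" --local-user "$keyid" \
            --output "$out"
}

# Mode 2: the private key material itself (~/.ssh, ~/.gnupg). Symmetric,
# because the key that mode 1 would need is inside this very archive.
# Strong S2K settings slow down passphrase guessing against the stolen key.
encrypt_keys_sym() {
    dir=$1; out=$2; passfile=$3
    tar -cz -C "$(dirname "$dir")" "$(basename "$dir")" \
      | gpg $(gpg_batch_opts) --passphrase-file "$passfile" \
            --symmetric --cipher-algo AES256 \
            --s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65011712 \
            --output "$out"
}

# Restore either kind of archive into $2. For mode 1 archives gpg also
# verifies the signature and reports a bad one on stderr.
restore() {
    in=$1; dest=$2; passfile=$3
    mkdir -p "$dest"
    gpg $(gpg_batch_opts) --passphrase-file "$passfile" --decrypt "$in" \
      | tar -xz -C "$dest"
}

# Self-check on a constructed sample directory (not real key material):
# symmetric round trip, ciphertext must not leak the plaintext, restored
# bytes must match. Returns 0 on success, 2 if gpg is not installed.
roundtrip_selfcheck() {
    command -v gpg >/dev/null 2>&1 || return 2
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupghome"      # keep the real keyring out of it
    mkdir -m 700 "$GNUPGHOME"
    mkdir -p "$work/keys"
    printf 'constructed sample: not a real ssh key\n' > "$work/keys/id_ed25519"
    printf 'correct horse battery staple\n' > "$work/pass"
    encrypt_keys_sym "$work/keys" "$work/keys.tar.gz.gpg" "$work/pass"
    if grep -q 'not a real ssh key' "$work/keys.tar.gz.gpg"; then return 1; fi
    restore "$work/keys.tar.gz.gpg" "$work/restored" "$work/pass"
    cmp -s "$work/keys/id_ed25519" "$work/restored/keys/id_ed25519"
    rc=$?
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return $rc
}

case "${1:-}" in
    selfcheck) roundtrip_selfcheck ;;
    keys)      encrypt_keys_sym "$2" "$3" "$4" ;;
    docs)      encrypt_docs_asym "$2" "$3" "$4" "$5" ;;
    restore)   restore "$2" "$3" "$4" ;;
esac
```

Run `sh geode-example.sh keys ~/.ssh /media/usbkey/ssh.tar.gz.gpg /tmp/pass` for the symmetric case and `sh geode-example.sh docs ~/work /media/usbkey/work.tar.gz.gpg KEYID /tmp/pass` for the signed-and-encrypted case. Two caveats a practitioner will want: POSIX sh has no `pipefail`, so a tar error does not stop gpg from producing a (truncated) archive, and the passphrase file must live on a tmpfs or be shredded afterwards, since it protects exactly the material the symmetric archive was created to hide.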