Latest revision as of 22:32, 19 May 2010
Source: https://help.ubuntu.com/community/GPGKeyOnUSBDrive
Storing GPG Keys on an Encrypted USB Flash Drive
It is often desirable to be able to use a GPG key on more than one computer, for instance at home and at work, or on a desktop and a laptop. Unfortunately, storing encryption keys where you don't have physical control is generally a bad idea. Even storing keys on a laptop can be troublesome: if the laptop gets stolen, so does your GPG key. Because GPG secret keys are protected by a passphrase by default, you can probably revoke the key before anybody manages to decrypt it, but that is a hassle, and it depends entirely on the strength of the passphrase. What if you could securely store the key on a device that you always have on your person?
(Note from another reader: Although using your key on a computer that you don't have physical control of is still dangerous, and although your key is already encrypted with a well respected and highly secure encryption algorithm, you may prefer the extreme security of double encryption. There may be a huge number of other things to spend your time on that would increase your security more, but here's how you can encrypt your already encrypted key again, if you so desire. This Howto is very useful just for learning how to set up an encrypted storage area on a USB drive for general usage though.)
IMPORTANT: Make sure you make a backup copy of your ~/.gnupg directory before you do this. The last thing you want is to lose your keyring because something went wrong.
dm-crypt
From the dm-crypt website: "Device-mapper is a new infrastructure in the Linux 2.6 kernel that provides a generic way to create virtual layers of block devices that can do different things on top of real block devices like striping, concatenation, mirroring, snapshotting, etc... The device-mapper is used by the LVM2 and EVMS 2.x tools. dm-crypt is such a device-mapper target that provides transparent encryption of block devices using the new Linux 2.6 cryptoapi. The user can basically specify one of the symmetric ciphers, a key (of any allowed size), an iv generation mode and then he can create a new block device in /dev. Writes to this device will be encrypted and reads decrypted. You can mount your filesystem on it as usual. But without the key you can't access your data."
This is perfect for our needs. We will create an encrypted filesystem inside of a regular file on the USB flash drive, where we will store sensitive data like GnuPG keys.
Installing the Software
First, you will need to install cryptsetup:
sudo apt-get install cryptsetup
This will also pull in some other necessary dependencies.
Setting Up the Encrypted Filesystem
I store my GPG keys on a cheap, tiny USB flash drive that fits comfortably on my keyring. When I plug it in, it is automatically mounted as /media/usbdisk. The following sections will assume a similar setup.
I decided to make my encrypted filesystem live in a regular file rather than its own partition. This requires less tweaking of the disk, and makes mounting and unmounting the encrypted filesystem easier, as you will see later. However, many of the steps in this tutorial can be adapted to use a real partition instead of a regular file.
Creating the File
Before we can make a filesystem, we need a file that is large enough to hold it. This can be accomplished with dd:
dd if=/dev/zero of=/media/usbdisk/disk.img bs=1M count=16
The above command will make a 16 MB file containing only zeros. Modify the count option to get your desired encrypted filesystem size.
Setting up the Encrypted Loop Device
Before we can actually create the filesystem on our new file, we need to attach it to a loop device and set up a device-mapper target with encryption. losetup -f will find the first free loop device, so we will set its output to a variable called loopdev and use it for several commands (dm-crypt needs only its own module and the cipher module; the legacy cryptoloop module is not required):
sudo modprobe dm-crypt
sudo modprobe aes_generic
export loopdev=$(sudo losetup -f)
sudo losetup $loopdev /media/usbdisk/disk.img
sudo cryptsetup -c aes -s 256 -h sha256 -y create usbkey $loopdev
This will set up the file with 256-bit AES encryption, hashing the passphrase you issue through SHA-256. Be clear about what this plain mode of cryptsetup does not do: there is no header on the device, no salt and no key stretching, so the key is exactly the SHA-256 of the passphrase and its strength is the strength of your passphrase alone; and a mistyped passphrase is not detected, it simply yields a different key and an unreadable filesystem. A bare cipher name such as aes is also expanded by dm-crypt to aes-cbc-plain, whose predictable IVs are weaker than aes-cbc-essiv:sha256 or aes-xts-plain64. Current cryptsetup releases default to LUKS (cryptsetup luksFormat and cryptsetup open), which stores a salted, iterated key derivation in a header and rejects a wrong passphrase; prefer it when creating a new container.
After it's set up, it's a good idea to remove the usbkey device-mapper device and re-run cryptsetup to make sure that you didn't mistype the initial password (I say this from experience...):
sudo cryptsetup remove usbkey
sudo cryptsetup -c aes -s 256 -h sha256 create usbkey $loopdev
If all goes well, we're ready for the next step!
Creating the Actual Filesystem
This is the easiest step of all. I chose the ext3 filesystem for its journaling capability, just in case the USB drive gets removed before the filesystem is unmounted. The cryptsetup command above created the device /dev/mapper/usbkey, which is a map through dm-crypt to the encrypted filesystem. So, this device appears to the system as a regular old block device, like a hard disk or partition. The following command will create an ext3 filesystem on the encrypted file (it must be run on /dev/mapper/usbkey, not on the loop device itself; writing the filesystem to $loopdev would put it on the USB drive unencrypted):
sudo mkfs.ext3 /dev/mapper/usbkey
Now, try mounting the filesystem:
sudo mkdir -p /media/encrypted
sudo mount -t ext3 /dev/mapper/usbkey /media/encrypted
Setting up GnuPG on the Encrypted Filesystem
Now, make a .gnupg directory in /media/encrypted, make it owned by your user, and link it to your own ~/.gnupg (if you already have a .gnupg directory, move it out of the way first):
sudo mkdir /media/encrypted/.gnupg
sudo chown $UID:$UID /media/encrypted/.gnupg
chmod 0700 /media/encrypted/.gnupg
ln -s /media/encrypted/.gnupg ~/.gnupg
Now, create a GnuPG key as described in GPGKey or, if you already have a key, move the files in your old .gnupg directory into the new one, possibly using shred or wipe to securely remove the old files. Bear in mind that shred only overwrites the blocks it can see: on ext3 in data=journal mode, on an SSD with wear levelling, or on flash media, copies of the old secring.gpg may survive, so full-disk encryption of the home directory is the more reliable protection. With GnuPG 2.1 and later the layout differs slightly (secret keys live in private-keys-v1.d/ and the public keyring is pubring.kbx), but the whole directory moves in the same way.
Making Things Easier
Simplifying the Mount Process
It's not really fun to type three or four commands each time you want to mount your encrypted filesystem. So, I wrote two really simple scripts for mounting and unmounting. Before using these, you should unmount your filesystem and detach the loop device:
sudo umount /media/encrypted
sudo cryptsetup remove usbkey
sudo losetup -d $loopdev
Now, save the following as mount.sh in the root of your USB drive (not in the encrypted filesystem!). It uses id -u rather than bash's $UID because the script is run through sh (dash on Ubuntu), which does not set UID:
#!/bin/bash
# Mount the encrypted container stored next to this script
dir=$(dirname "$0")
loopdev=$(sudo losetup -f)
# dm-crypt needs only its own module and the cipher; cryptoloop is not required
sudo -p "Password (sudo): " modprobe dm-crypt && \
sudo modprobe aes_generic && \
sudo mkdir -p /media/encrypted && \
sudo losetup "$loopdev" "$dir/disk.img" && \
sudo cryptsetup -c aes -s 256 -h sha256 create usbkey "$loopdev" && \
sudo mount -t ext3 /dev/mapper/usbkey /media/encrypted && \
sudo chown -R "$(id -u):$(id -g)" /media/encrypted/
Then, save the following as umount.sh in the same place:
#!/bin/bash
# Unmount the encrypted container and tear down the dm-crypt mapping and loop device
loopdev=$(sudo cryptsetup status usbkey | grep device | sed -e "s/ *device:[ \t]*//")
# With GnuPG 2.1+, gpg-agent caches unlocked keys and may hold files or its
# socket under ~/.gnupg; stop it first or umount reports "target is busy"
gpgconf --kill gpg-agent 2>/dev/null
sync
sudo umount /media/encrypted
sudo cryptsetup remove usbkey
sudo losetup -d "$loopdev"
You may not be able to execute these scripts directly, since the default auto-mounting options prohibit running executables. But, since they are shell scripts, you can simply pass them on to sh. So, once the USB drive has been mounted, you can simply type:
sh /media/usbdisk/mount.sh
and all the work will be done for you! (Of course, you will need the encryption password, and you may be asked for a password for sudo.)
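As an added example, not part of the original page or of Ubuntu's documentation, here is the create/mount/unmount procedure from the sections above rebuilt on LUKS instead of plain-mode cryptsetup create, together with two checks a practitioner wants: a parser for cryptsetup status output (the grep/sed line in umount.sh breaks on tab-separated output) and a test that the image does not expose an ext superblock in the clear, which catches running mkfs on the loop device rather than the mapper device. The image path disk.img beside the script, the mapping name usbkey and the mount point /media/encrypted are assumptions carried over from the page and can be overridden through environment variables; the privileged steps need sudo, cryptsetup 2.x and a kernel with dm-crypt.

```shell
#!/bin/sh
# Added example (not from the original page): the container workflow with
# LUKS instead of `cryptsetup create`. LUKS stores a salted, iterated key
# derivation in a header, so the passphrase is stretched and a wrong one is
# rejected rather than silently producing garbage. cryptsetup attaches the
# loop device itself, so no losetup bookkeeping is needed.
# Assumptions: image next to this script as disk.img, mapping name usbkey,
# mount point /media/encrypted (all overridable through the environment).
set -eu

IMG="${IMG:-$(dirname "$0")/disk.img}"
MAPNAME="${MAPNAME:-usbkey}"
MNT="${MNT:-/media/encrypted}"

# Pull the backing device out of `cryptsetup status <name>` output read from
# stdin. Tolerates tabs or spaces, unlike the grep|sed pipeline in umount.sh.
status_device() {
    awk '$1 == "device:" { print $2; exit }'
}

# Return 0 if an ext2/3/4 superblock magic (bytes 0x53 0xEF at offset 1080)
# is visible in the clear in the image. Ciphertext never shows it; seeing it
# means mkfs was run on the raw loop device instead of /dev/mapper/$MAPNAME.
ext_magic_visible() {
    [ "$(od -An -tx1 -j1080 -N2 "$1" | tr -d ' \n')" = "53ef" ]
}

create_container() {   # create_container <size in MiB>; run once
    if [ -e "$IMG" ]; then
        echo "$IMG already exists, refusing to overwrite" >&2
        return 1
    fi
    dd if=/dev/zero of="$IMG" bs=1M count="$1" status=none
    chmod 600 "$IMG"
    # luksFormat asks for the passphrase twice, so a typo is caught here; the
    # remove-and-reopen check needed for plain mode is unnecessary.
    sudo cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 "$IMG"
    sudo cryptsetup open "$IMG" "$MAPNAME"
    sudo mkfs.ext4 -q "/dev/mapper/$MAPNAME"
    sudo cryptsetup close "$MAPNAME"
    if ext_magic_visible "$IMG"; then
        echo "plaintext superblock found in $IMG: filesystem is NOT encrypted" >&2
        return 1
    fi
}

open_container() {
    # A wrong passphrase makes `open` exit non-zero and nothing gets mounted.
    sudo cryptsetup open "$IMG" "$MAPNAME"
    sudo mkdir -p "$MNT"
    sudo mount -o nodev,nosuid "/dev/mapper/$MAPNAME" "$MNT"
}

close_container() {
    # GnuPG 2.1+ keeps unlocked keys cached in gpg-agent and may hold files or
    # its socket under ~/.gnupg; stop it so umount does not report "target is busy".
    gpgconf --kill gpg-agent 2>/dev/null || true
    sync
    sudo umount "$MNT"
    sudo cryptsetup close "$MAPNAME"   # also detaches the loop device it set up
}

case "${1:-}" in
    create) create_container "${2:-16}" ;;
    open)   open_container ;;
    close)  close_container ;;
    check)  if ext_magic_visible "$IMG"; then
                echo "NOT encrypted: ext superblock visible in $IMG"; exit 1
            else
                echo "ok: no plaintext superblock in $IMG"
            fi ;;
    *)      echo "usage: $0 {create [MiB]|open|close|check}" >&2 ;;
esac
```

Run it as sh /media/usbdisk/luks.sh create 16 once, then open and close in place of mount.sh and umount.sh; check can be run at any time against the closed image. The superblock test is deliberately cheap: it reads two bytes and cannot prove the container is well encrypted, but it reliably flags the one mistake that silently defeats the whole setup.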
Verifying PGP Signatures Without the Encrypted Filesystem
You might want to be able to verify a signed message without needing to mount the encrypted filesystem. To facilitate this, copy the public keyring and the trust database file to the "real" .gnupg directory, that is, /media/encrypted/.gnupg on the underlying filesystem, which the encrypted filesystem hides while it is mounted. ~/.gnupg is a symlink to that path, so the target directory has to exist there before the files are moved in (moving onto a dangling symlink fails, or worse, replaces the link):
cp /media/encrypted/.gnupg/{pubring,trustdb}.gpg /tmp
sh /media/usbdisk/umount.sh
sudo mkdir -p /media/encrypted/.gnupg
sudo chown $UID:$UID /media/encrypted/.gnupg
chmod 0700 /media/encrypted/.gnupg
mv /tmp/{pubring,trustdb}.gpg ~/.gnupg
Now, when the encrypted filesystem is not mounted, you will see those files in your .gnupg directory, so that gpg --verify will work. But when it is mounted, you will see the files that are actually in the encrypted filesystem. With GnuPG 2.1 and later the public keyring is pubring.kbx, so copy that file instead. Only public material belongs in the unencrypted copy: never copy secring.gpg or private-keys-v1.d/ there.