I think what you are looking for is a USB Smartcard. I had a problem like this when using encryption on ATM (banking) devices. The keys were vulnerable to someone coming after them on the filesystem.
I found the solution in USB-format smartcards. The private key is loaded into the secure memory space, or generated there. Messages are then passed into the device to decrypt the symmetric key. The private key is never exposed, and it is very difficult to use voltage differential to get the key off the smartcard. The downside is that the operations are slow, something on the order of 1 second per transaction. If you are doing a lot of processes, that can quickly become a bottleneck. My application only needed a single decrypt per hour, so overhead wasn't an issue.

GL,
Steven

These might be useful:
http://www.opensc.org/news.php
http://www.musclecard.com/sourcedrivers.html


Radu Spineanu wrote:
> Hello
>
> I'm working on a small project, and I have a problem related to keeping
> gpg private keys stored on usb drives secure when working with them.
>
> My problem is that in case the machine is compromised, if the usb with
> the key is mounted the attacker has access to it.
>
> Has anyone heard of an implementation, or at least a whitepaper
> related to creating some kind of secure zone where I can keep these
> keys?

It's a logical problem: if someone has compromised your machine there would be >no< possibility to make a difference between a legitimate user and an intruder. So he would possibly be able to read your private key!

The only absolute solution would be a kind of intelligent usb drive which is accepting a file to decrypt or sign and offer the result. So somebody could use the key as long as you leave your usb drive in your machine, but not any longer! Unfortunately science fiction at the moment. ;)

Christian
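The split Steven describes (the card only unwraps the symmetric key, the host does the bulk decryption, so the ~1 s on-card cost is paid once per message regardless of size) as an added illustration, not code from either poster. The `SmartCard` class, the Mersenne-prime toy RSA key and the SHA-256 counter keystream are all constructed here for demonstration and are not secure parameters; a real card would run RSA-2048 with OAEP and an AEAD bulk cipher.

```python
# Models the boundary from the thread: the private exponent lives only inside
# the SmartCard object and the host never receives it, only unwrap() results.
import hashlib
import os

class SmartCard:
    """Hypothetical card: holds the private key, exposes unwrap() only."""
    def __init__(self, p, q, e=65537):
        n = p * q
        phi = (p - 1) * (q - 1)
        self.public_key = (n, e)        # safe to hand to the host
        self._d = pow(e, -1, phi)       # never leaves the device
        self._n = n
        self.ops = 0                    # counts slow on-card private operations

    def unwrap(self, wrapped_key):
        # RSA private operation performed on-card; returns the 128-bit session key.
        self.ops += 1
        k = pow(wrapped_key, self._d, self._n)
        return k.to_bytes(16, "big")

def wrap_session_key(public_key, session_key):
    # Host-side public operation: encrypt the session key to the card's key.
    n, e = public_key
    return pow(int.from_bytes(session_key, "big"), e, n)

def keystream_xor(key, data):
    # Toy symmetric bulk cipher run on the host (SHA-256 counter keystream).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(public_key, plaintext):
    # Sender side: fresh session key, wrapped to the card, body bulk-encrypted.
    session_key = os.urandom(16)
    return wrap_session_key(public_key, session_key), keystream_xor(session_key, plaintext)

def open_envelope(card, envelope):
    # Host side: exactly one on-card unwrap, then bulk decryption at host speed.
    wrapped, body = envelope
    session_key = card.unwrap(wrapped)
    return keystream_xor(session_key, body)

if __name__ == "__main__":
    # Constructed toy key: p = 2^89-1, q = 2^107-1 (both Mersenne primes, n > 2^128).
    card = SmartCard(2**89 - 1, 2**107 - 1)
    env = seal(card.public_key, b"hourly batch " * 1000)
    print(len(open_envelope(card, env)), "bytes recovered with", card.ops, "card op")
```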