On Tue, 2005-06-28 at 17:38 +0200, Christian Storch wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Radu Spineanu wrote:
>
> > Hello
> >
> > I'm working on a small project, and I have a problem related to
> > keeping GPG private keys stored on USB drives secure when working
> > with them.
> >
> > My problem is that in case the machine is compromised, if the USB
> > drive with the key is mounted the attacker has access to it.
> >
> > Has anyone heard of an implementation, or at least a whitepaper,
> > related to creating some kind of secure zone where I can keep these
> > keys?
>
> It's a logical problem: if someone has compromised your machine
> there would be >no< possibility to tell the difference between a
> legitimate user and an intruder.
> So he would possibly be able to read your private key!
>
> The only absolute solution would be a kind of intelligent USB drive
> which accepts a file to decrypt or sign and offers the result.
> So somebody could use the key as long as you leave your USB drive in
> your machine, but not any longer!
> Unfortunately science fiction at the moment. ;)
Not really: you just need to use a GPG-compatible smart card and buy a smart card reader. In this case your secret keys are always on the smart card, and any signing or whatever can only be done with the card.

I just bought a Gemplus GemPC PCMCIA smart card reader and am still waiting for OpenPGP cards for basic use. In addition, the Finnish HST identity cards just got new models with 64k storage; I will get that as well... (http://www.sahkoinenhenkilokortti.fi/default.asp?todo=setlang&lang=uk)

The reader will sit in one of my laptop's PCMCIA slots permanently; that's why I got such a model and not a USB reader: just insert the card when you need it... BTW, the reader was easy to install with sarge and ubuntu.

In addition to PGP key storage, smart cards can support, for example, login with the card (libpam-opensc and libpam-musclecard, depending on what you really want).

So, for each user, you will spend about 10-40 dollars/euros for the smart cards, and in addition all systems must have a smart card reader.

*hile*
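A check that follows from this reply (added here, not code from the thread): once the keys are moved to a card, the local keyring should only contain stubs. In `gpg --with-colons --list-secret-keys` output, field 15 of a `sec`/`ssb` record holds the card serial number for a card-resident key, `#` for a stub with no secret material, and is empty (or `+` in newer GnuPG) when the private key is still in the keyring. The sample output, key IDs and card serial below are constructed.

```python
"""Classify GnuPG secret-key records by where the private material lives.

Reads `gpg --with-colons --list-secret-keys` output (from stdin, or the
constructed SAMPLE) and flags keys whose private material is on disk, i.e.
readable by anyone who has compromised the host, unlike card-resident keys.
"""
import sys

ON_CARD, STUB, ON_DISK = "on-card", "stub", "on-disk"

# Constructed sample: primary key and signing subkey live on a card, the
# encryption subkey was kept in the keyring. Key IDs and serial are made up.
SAMPLE = """\
sec:u:4096:1:0123456789ABCDEF:1119946680:::u:::cSC:::D2760001240102010006000000010000:::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:
ssb:u:4096:1:FEDCBA9876543210:1119946680::::::e:::+:::23:
ssb:u:4096:1:1111222233334444:1119946680::::::s:::D2760001240102010006000000010000:::23:
"""


def classify_record(fields):
    """Return where a sec/ssb record's secret material lives, or None."""
    if fields[0] not in ("sec", "ssb") or len(fields) < 15:
        return None
    serial = fields[14]  # field 15 in GnuPG's 1-based field numbering
    if serial == "#":
        return STUB
    if serial in ("", "+"):  # '+' is printed by newer gpg for local keys
        return ON_DISK
    return ON_CARD  # a token serial number: key usable only with the card


def parse_secret_keys(colon_output):
    """Map each secret key ID (field 5) to its storage location."""
    result = {}
    for line in colon_output.splitlines():
        fields = line.split(":")
        loc = classify_record(fields)
        if loc is not None:
            result[fields[4]] = loc
    return result


def keys_readable_on_host(colon_output):
    """Key IDs whose private material a compromised host could copy."""
    return sorted(k for k, loc in parse_secret_keys(colon_output).items()
                  if loc == ON_DISK)


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for keyid, loc in parse_secret_keys(data).items():
        print(f"{keyid}: {loc}")
    sys.exit(1 if keys_readable_on_host(data) else 0)
```

Pipe real output in with `gpg --with-colons --list-secret-keys | python3 check_cardkeys.py`; a non-zero exit means at least one private key is still in the keyring.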