Michael Orlitzky <mich...@orlitzky.com> wrote:
> On 03/19/2013 11:28 PM, Michael Mol wrote:
>>
>> Not so much. The idea would be that you could power cycle the
>> device to get access to it again. The device would be read for the
>> keys at system bootup, but then would shut itself off after a few
>> minutes to prevent the keys from being read from disk. (There's
>> still the risk of them being read from the memory of the process
>> using them, but that's slightly more difficult, and security is all
>> about raising the bar.)
>>
>
> Eject the USB drive after five minutes? This raises the bar
> significantly, to "has tried to send the 'close CD tray' command to a
> USB stick before."
I don't think it is possible to un-eject a USB drive without power-cycling it. And why wait 5 minutes to eject it? Simply do that as soon as the keys are read.

Extra option: stick the usbdisk driver as a module in a ramdisk and then rmmod it. Remove the module from disk and use module signing. From what I understand, the keys for that are generated at compile time? And you can delete them from the kernel sources after compiling.

-- 
Joost

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
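As an added illustration of the sequence discussed in this thread (read the keys at boot, then make the stick unreadable until it is physically power-cycled), here is a boot-time script; it is example code written for this page, not something posted by any of the participants. The mount point /mnt/keys, the filesystem label KEYS, the tmpfs destination /run/keys and the environment variable KEY_STICK_DEV (the device's sysfs bus id, e.g. 1-2, as shown by `readlink /sys/block/sdX/device`) are all assumptions. Instead of an eject command, it writes to the device's sysfs `remove` attribute, which the kernel treats as an unplug: the port is not re-enumerated until the stick is physically unplugged and replugged, which is the "power cycle" property Michael Mol was after. SYSFS_ROOT can be overridden so the logic can be exercised against a fake sysfs tree.

```shell
#!/bin/sh
# Example (not from the thread): pull key material off a USB stick at boot,
# keep it in RAM only, then disconnect the device and unload the driver.

# Copy *.key files from the mounted stick into a RAM-only directory.
# $2 is assumed to live on a tmpfs (e.g. /run) so nothing touches disk.
stash_keys() {
    src=$1
    dst=$2
    mkdir -p "$dst"
    chmod 0700 "$dst"
    cp -p "$src"/*.key "$dst"/
    chmod 0400 "$dst"/*.key
}

# Logically disconnect the USB device named by its sysfs bus id (e.g. 1-2).
# Writing 1 to .../remove makes the kernel treat the device as unplugged and
# marks the port so it is not re-enumerated until a real disconnect/reconnect.
# SYSFS_ROOT defaults to /sys; it is a parameter only so tests can point it
# at a fake tree.
detach_usb_device() {
    dev=$1
    printf 1 > "${SYSFS_ROOT:-/sys}/bus/usb/devices/$dev/remove"
}

# Drop the mass-storage driver as well (Joost's "rmmod" step); while it is
# gone no USB storage device can be attached even if the port re-enumerates.
unload_storage_driver() {
    modprobe -r usb_storage
}

main() {
    dev=${KEY_STICK_DEV:?set to the sysfs bus id of the key stick, e.g. 1-2}
    mnt=/mnt/keys                      # assumed mount point
    mkdir -p "$mnt"
    mount -o ro LABEL=KEYS "$mnt"      # assumed filesystem label
    stash_keys "$mnt" /run/keys        # /run is a tmpfs on most systems
    umount "$mnt"
    detach_usb_device "$dev"
    unload_storage_driver
}

# Run the real sequence only when invoked as: sh keystick.sh run
case "${1:-}" in
    run) main ;;
esac
```

After `detach_usb_device` the directory /sys/bus/usb/devices/<id> disappears on a real system, so `[ -e "/sys/bus/usb/devices/$KEY_STICK_DEV" ]` is a cheap post-condition check. Note that this does nothing about the copy of the keys held by whatever process uses them, the residual risk Michael Mol already pointed out.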