On Wed, Apr 25, 2007 at 09:18:05AM -0600, Henry Hertz Hobbit wrote:

> Your last paragraph is true but only partially complete. It is easy
> to slip that USB pen drive into your pockets or put it some place
> else like that to keep it safe. But a lap-top isn't easily stuffed
> into pockets. In addition to losing (and it is easier to lose the
> USB pen drive than it is to lose a lap-top) which ever, the other
> half of the original statement is what you had was stolen. Thieves
> usually don't steal USB pen drives; there is almost no market for
> stolen USB pen drives. Lap-tops are one of the most stolen items
> out there; there is a BIG market for stolen lap-tops. If your
> lap-top gets stolen but you have the USB pen drive, you still have
> your keys, safe and sound.

This is mixing the threat to a laptop with the threat to a USB drive. The main threat to a laptop in this view is being stolen. The main threat to a USB drive is being lost or forgotten, not stolen. Given that a 1GB USB drive goes for around $10 US around here, I'd be fairly surprised to see someone bothering to steal a USB drive. The risk is higher than the reward unless they're really stealing the data on the drive which could be worth more than $10 US.

I'd wager for every stolen laptop there are tens of USB drives left behind. I base this on the startling number of USB drives attached to keychains that I see left behind in stores and restaurants.

> Keeping your keys on a USB pen drive has the additional benefit that
> you can use them on multiple machines without having multiple copies
> of the keys and the problems inherent with keeping the multiple copies
> of your keys in sync. So as long as you make backups of your keys
> (and put the backup in a safety deposit box) and keep the working
> copy on the USB pen drive, the likelihood of you losing control of
> your keys is probably lower.

This is a commonly cited reason for storing keys on a USB drive. Some people even keep a GPG binary on the USB drive along with their keys so they can use GPG in Internet cafes and the like. This is a very foolish thing to do.

A USB drive is not a smartcard. Using your key from a USB drive on a machine not under your control means the person who does control that machine can make a copy of your key and passphrase. After all, from the perspective of the computer, there is nothing magic about a USB drive: it's just a disk that fits in a pocket.

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
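
The distinction drawn in the message between a key stored as a file on a disk and a key held on a smartcard is visible in GnuPG's machine-readable key listing. The following is an added example, not part of the original message: it classifies each secret key in `gpg --list-secret-keys --with-colons` output by where the secret material lives. It assumes the field 15 semantics described in GnuPG's doc/DETAILS; the sample listing, key IDs and card serial are constructed.

```python
# Classify secret keys from `gpg --list-secret-keys --with-colons` output.
# Assumption (per GnuPG doc/DETAILS), field 15 of sec/ssb records is:
#   '#'          -> stub only: the secret material is not in this keyring
#   '+' or empty -> secret material is stored as data in the keyring
#                   (copyable by whoever controls the machine or the disk)
#   other value  -> serial number of the token (smartcard) holding the key

# Constructed sample listing; key IDs and card serial are made up.
SAMPLE = """\
sec:u:2048:1:1111111111111111:1177500000:::u:::scESC:::+:
uid:u::::1177500000::::Alice (constructed) <alice@example.org>:
ssb:u:2048:1:2222222222222222:1177500000::::::e:::+:
sec:u:2048:1:3333333333333333:1177500000:::u:::scESC:::#:
ssb:u:2048:1:4444444444444444:1177500000::::::e:::D2760001240102000005000012340000:
"""


def classify(field15):
    """Map the token/serial field to a storage location label."""
    if field15 == "#":
        return "stub"
    if field15 in ("", "+"):
        return "on-disk"
    return "token"


def audit(listing):
    """Return (record type, key ID, location) for every sec/ssb record."""
    results = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb") or len(fields) < 5:
            continue
        serial = fields[14] if len(fields) > 14 else ""
        results.append((fields[0], fields[4], classify(serial)))
    return results


def copyable(listing):
    """Key IDs whose secret material is a file on whatever disk holds the keyring."""
    return [keyid for _, keyid, where in audit(listing) if where == "on-disk"]


if __name__ == "__main__":
    for rec, keyid, where in audit(SAMPLE):
        print(rec, keyid, where)
```

Keys reported as on-disk are the ones a keyring on a USB drive exposes to any machine it is plugged into; token-held keys never leave the card as file data.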