On Mon, Oct 9, 2017, at 06:53 PM, Stefan Claas wrote:
> I read once here on the Mailing List that one should only use
> trusted USB devices, whatever that means, when using a USB
> device.

If you must use USB devices for some reason, take a look at the <https://www.kanguru.com/storage-accessories/kanguru-flashtrust-secure-firmware.shtml> flash drive. It's designed specifically to protect against "badUSB", where the controller and firmware can be compromised.

The controller has the developer's public key baked in during manufacture. The firmware is signed and can only be loaded once (no provision is made for in-the-field firmware updates). The controller verifies the firmware and its signature at every power-on. If a malicious actor had physical access and re-flashed the firmware, the controller would notice and fail to load. It also has a physical write-protect switch that can prevent unwanted writes.

It's a plain flash drive and doesn't have built-in encryption (though the company sells those too) but it should have a higher assurance of not being compromised or compromisable at the hardware level than a typical off-the-shelf USB device.

I use it with my offline Raspberry Pi 2 that I use for private key operations for my primary keys (as opposed to subkeys, which are on smartcards). The Pi 2 uses LUKS for encrypting the microSD card it uses for storage and is never connected to the network. It's more than adequate in terms of performance and is cheap enough that I have a bunch lying around the house anyway. ;)

Cheers!
-Pete

--
Pete Stephenson