From jw72253 at verizon.net Mon Oct 17 20:57:05 2011
From: jw72253 at verizon.net (John A. Wallace)
Date: Mon, 17 Oct 2011 13:57:05 -0500
Subject: gnupg on USB drive
Message-ID: <000601cc8cfe$903f6f80$b0be4e80$@net>

I have looked at the instructions here
http://lists.gnupg.org/pipermail/gnupg-users/2008-March/032787.html
for installing GnuPG on a USB drive, and I have followed the instructions pretty closely, like so:

"if you ... need to work from a public computer, and a usb, here are some guidelines:

[1] generate a new gnupg key, with a comment, 'usb key', and keep this in a separate keyring (not the keyring with your 'real' secret keys). if you have any concern that this becomes compromised, you can revoke it, without compromising your 'real' keys

[2] keep the keyrings and the entire gnupg program in a truecrypt container on the usb. This has two advantages: (a) it protects your keyrings (b) it allows you to pick a drive letter that will stay the same regardless of the hardware differences of the various public computers (i.e., you can mount the truecrypt container as drive Z, and have all the entries in your gpg.conf refer to z:\gnupg, and never have to change it). truecrypt can be run in traveller mode from a usb, without having it installed on the host computer

[3] copy the entire gnupg directory from your home computer, into the truecrypt container

[4] put these lines into your gpg.conf file:

    no-default-keyring
    keyring z:\gnupg\pubring.gpg
    secret-keyring z:\gnupg\secring.gpg

(use your 'new' keyrings with the special 'usb key')

[5] open notepad and type these lines:

    command.com
    z:
    cd gnupg

save this as gusb.bat in your truecrypt container.

whenever you want to run gnupg from the usb (and have already mounted the truecrypt container as drive z:), double-clicking on gusb.bat opens a dos command-line window. check it by typing gpg -h; if the gnupg version and guide appears, then you're ready"
----------------------------------

First I tried following these instructions exactly, but it would not work, though not for reasons related to gpg itself. I am running WinXP Pro and normally I use gpg 2.0.x. However, for this project, I downloaded and used gpg 1.4.11 on the USB drive, and I also used the latest version of truecrypt 7.1. I installed gpg on the usb here U:\gnupg, and into it I also copied the contents of my pre-existing "%AppData%\gnupg" folder, which contained my keyrings and gpg.conf, etc. I cleaned it up a bit and changed the references in gpg.conf from c:\path to u:\gnupg, like so:

    ###+++--- GPGConf ---+++###
    utf8-strings
    auto-key-locate local
    verbose
    ###+++--- GPGConf ---+++### date and time data
    # GPGConf edited this configuration file.
    # It will disable options before this marked block, but it will
    # never change anything below these lines.
    no-default-keyring
    homedir U:\gnupg
    keyring U:\gnupg\pubring.gpg
    secret-keyring U:\gnupg\secring.gpg
    #list-options show-keyring
    verify-options show-uid-validity
    logger-file U:\gnupg\gnupg.log
    keyserver hkp://keys.gnupg.net
    load-extension U:\gnupg\idea.dll
    ask-cert-level
------------------------------------

As for the aforementioned batch file gusb.bat, it was necessary to change it because it would not complete as it stands (I had installed it in U:\). What I mean is that when I clicked on the batch file, it would open a command shell window and begin issuing the batch of commands. Since the first command was "command.com", it just opened another new command shell window and stayed there at the new command prompt in the current root directory: U:\

I simply eliminated this command from the batch file and reran it; then it worked as expected, opening a command shell and cd-ing to U:\gnupg. At this point I entered "gpg -h" at the prompt. It displayed the correct version, gpg 1.4.11, but it failed to recognize homedir as U:\gnupg as I had put in the file u:\gpg.conf. Then I noticed in the manual that this command would be recognized only from the command line; so I entered this at the command prompt (from u:\gnupg):

    gpg --homedir u:\gnupg

But after hitting [Enter], the program just hangs and fails to return to the command prompt. Consequently, I cannot seem to make it change the homedir from the normal location on "%Appdata%\gnupg" to the location U:\gnupg, and I cannot, therefore, "force" it to use the keyrings on my USB.

Any ideas would be welcome.

John A. Wallace

From wk at gnupg.org Tue Oct 18 15:39:33 2011
From: wk at gnupg.org (Werner Koch)
Date: Tue, 18 Oct 2011 15:39:33 +0200
Subject: gnupg on USB drive
In-Reply-To: <000601cc8cfe$903f6f80$b0be4e80$@net> (John A. Wallace's message of "Mon, 17 Oct 2011 13:57:05 -0500")
References: <000601cc8cfe$903f6f80$b0be4e80$@net>
Message-ID: <87ty761kru.fsf@vigenere.g10code.de>

On Mon, 17 Oct 2011 20:57, jw72253 at verizon.net said:

> gpg --homedir u:\gnupg
>
> But after hitting [Enter], the program just hangs and fails to return
> to the command prompt. Consequently, I cannot seem to make it change

It is waiting for input. You better add a file name and a command option; e.g.

    gpg --homedir u:\gnupg -er 0x12345678 file.txt

which encrypts file.txt to file.txt.gpg using the key with id 0x12345678.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
From jw72253 at verizon.net Wed Oct 19 08:19:22 2011
From: jw72253 at verizon.net (John A. Wallace)
Date: Wed, 19 Oct 2011 01:19:22 -0500
Subject: gnupg on USB drive
In-Reply-To: <87ty761kru.fsf@vigenere.g10code.de>
References: <000601cc8cfe$903f6f80$b0be4e80$@net> <87ty761kru.fsf@vigenere.g10code.de>
Message-ID: <000001cc8e27$0b05f3f0$2111dbd0$@net>

Yes, your suggestion works nicely. Initially, while setting it up or testing, if a user has the USB plugged in to his own computer, there is a possibility of utilizing the wrong set of keys and configuration settings as a result of the environment variables or registry settings. In this case, I would suggest users add this to the batch file or use it right afterwards to confirm that the right homedir is used:

    gpg --homedir u:\gnupg --version
    gpg --homedir u:\gnupg --list-keys

This way they can visually see that the right set of keys will be used with the options they have configured in u:\gnupg\gpg.conf, and not in their regular homedir. I also use "--interactive" mode initially. Thanks, again.

John Wallace

From wk at gnupg.org Wed Oct 19 10:00:08 2011
From: wk at gnupg.org (Werner Koch)
Date: Wed, 19 Oct 2011 10:00:08 +0200
Subject: gnupg on USB drive
In-Reply-To: <000001cc8e27$0b05f3f0$2111dbd0$@net> (John A. Wallace's message of "Wed, 19 Oct 2011 01:19:22 -0500")
References: <000601cc8cfe$903f6f80$b0be4e80$@net> <87ty761kru.fsf@vigenere.g10code.de> <000001cc8e27$0b05f3f0$2111dbd0$@net>
Message-ID: <87y5whxvg7.fsf@vigenere.g10code.de>

On Wed, 19 Oct 2011 08:19, jw72253 at verizon.net said:

> gpg --homedir u:\gnupg --version
> gpg --homedir u:\gnupg --list-keys

Note that there is also an environment variable GNUPGHOME which might be more convenient than always repeating the --homedir option.

    set GNUPGHOME=u:\gnupg
    gpg --version
    gpg --list-keys

gives the same results as above.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From jw72253 at verizon.net Wed Oct 19 19:00:33 2011
From: jw72253 at verizon.net (John A. Wallace)
Date: Wed, 19 Oct 2011 12:00:33 -0500
Subject: gnupg on USB drive
In-Reply-To: <87y5whxvg7.fsf@vigenere.g10code.de>
References: <000601cc8cfe$903f6f80$b0be4e80$@net> <87ty761kru.fsf@vigenere.g10code.de> <000001cc8e27$0b05f3f0$2111dbd0$@net> <87y5whxvg7.fsf@vigenere.g10code.de>
Message-ID: <000c01cc8e80$9d892270$d89b6750$@net>

That is much better for sure. Saves time and reduces chances for error. I would add that to the batch file, and I especially like that it is a temporary setting.

John Wallace
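A batch file that pulls the thread's pieces together, added here as an example and not John's gusb.bat or anything posted on the list: it sets GNUPGHOME as Werner suggests, checks the "Home:" line of gpg --version before touching any keys so a session cannot silently fall back to %APPDATA%\gnupg, and then lists the keys as John proposed. It assumes the TrueCrypt volume is mounted as U: and that gpg.exe, gpg.conf and the keyrings all live in U:\gnupg.

```batch
@echo off
rem gusb.bat: run GnuPG from the TrueCrypt volume mounted as U: (added example,
rem not the batch file from the thread). Assumes gpg.exe and the keyrings live in
rem U:\gnupg. A "homedir" line in gpg.conf is not honoured; GNUPGHOME or
rem --homedir is what actually selects the directory.
setlocal
set GPGDRIVE=U:
set GNUPGHOME=%GPGDRIVE%\gnupg

if not exist "%GNUPGHOME%\gpg.exe" (
    echo %GNUPGHOME%\gpg.exe not found. Is the TrueCrypt volume mounted as %GPGDRIVE%?
    goto :fail
)
if not exist "%GNUPGHOME%\secring.gpg" (
    echo No secring.gpg in %GNUPGHOME%. Not falling back to %APPDATA%\gnupg.
    goto :fail
)

rem Put the USB copy of gpg in front of any gpg installed on the host computer.
set PATH=%GNUPGHOME%;%PATH%

rem gpg --version prints a "Home:" line; it must name the USB drive, not %APPDATA%.
gpg --version | findstr /I /C:"Home: %GPGDRIVE%" >nul
if errorlevel 1 (
    echo gpg is NOT using %GNUPGHOME% as its home directory:
    gpg --version | findstr /I "Home:"
    goto :fail
)

echo GnuPG home is %GNUPGHOME%. Keys available in this session:
gpg --list-keys

rem Stay in a shell that inherits GNUPGHOME; the setting is gone once the window closes.
cd /d %GNUPGHOME%
cmd /k
endlocal
exit /b 0

:fail
pause
exit /b 1
```

Double-clicking the file opens a shell already pointed at the USB keyrings; closing that shell discards GNUPGHOME, which is the temporary behaviour John valued.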