Generating and storeing keys on usb pen

David Shaw dshaw at
Wed Apr 25 17:56:09 CEST 2007

On Wed, Apr 25, 2007 at 09:18:05AM -0600, Henry Hertz Hobbit wrote:

> Your last paragraph is true but only partially complete. It is easy
> to slip that USB pen drive into your pockets or put it some place
> else like that to keep it safe. But a lap-top isn't easily stuffed
> into pockets. In addition to losing (and it is easier to lose the
> USB pen drive than it is to lose a lap-top) which ever, the other
> half of the original statement is what you had was stolen. Thieves
> usually don't steal USB pen drives; there is almost no market for
> stolen USB pen drives. Lap-tops are one of the most stolen items
> out there; there is a BIG market for stolen lap-tops.  If your
> lap-top gets stolen but you have the USB pen drive, you still have
> your keys, safe and sound.

This is mixing the threat to a laptop with the threat to a USB drive.
The main threat to a laptop in this view is being stolen.  The main
threat to a USB drive is being lost or forgotten, not stolen.  Given
that a 1GB USB drive goes for around $10 US around here, I'd be fairly
surprised to see someone bothering to steal a USB drive.  The risk is
higher than the reward unless they're really stealing the data on the
drive which could be worth more than $10 US.

I'd wager for every stolen laptop there are tens of USB drives left
behind.  I base this on the startling number of USB drives attached to
keychains that I see left behind in stores and restaurants.

> Keeping your keys on a USB pen drive has the additional benefit that
> you can use them on multiple machines without having multiple copies
> of the keys and the problems inherent with keeping the multiple copies
> of your keys in sync. So as long as you make backups of your keys
> (and put the backup in a safety deposit box) and keep the working
> copy on the USB pen drive, the likelihood of you losing control of
> your keys is probably lower.

This is a commonly cited reason for storing keys on a USB drive.  Some
people even keep a GPG binary on the USB drive along with their keys
so they can use GPG in Internet cafes and the like.  This is a very
foolish thing to do.  A USB drive is not a smartcard.  Using your key
from a USB drive on a machine not under your control means the person
who does control that machine can make a copy of your key and
passphrase.  After all, from the perspective of the computer, there is
nothing magic about a USB drive: it's just a disk that fits in a


More information about the Gnupg-users mailing list