Generating and storing keys on usb pen
David Shaw
dshaw at jabberwocky.com
Wed Apr 25 17:56:09 CEST 2007
On Wed, Apr 25, 2007 at 09:18:05AM -0600, Henry Hertz Hobbit wrote:
> Your last paragraph is true but only partially complete. It is easy
> to slip that USB pen drive into your pockets or put it some place
> else like that to keep it safe. But a lap-top isn't easily stuffed
> into pockets. In addition to losing (and it is easier to lose the
> USB pen drive than it is to lose a lap-top) whichever, the other
> half of the original statement is what you had was stolen. Thieves
> usually don't steal USB pen drives; there is almost no market for
> stolen USB pen drives. Lap-tops are one of the most stolen items
> out there; there is a BIG market for stolen lap-tops. If your
> lap-top gets stolen but you have the USB pen drive, you still have
> your keys, safe and sound.
This is mixing the threat to a laptop with the threat to a USB drive.
The main threat to a laptop in this view is being stolen. The main
threat to a USB drive is being lost or forgotten, not stolen. Given
that a 1GB USB drive goes for around $10 US around here, I'd be fairly
surprised to see someone bothering to steal a USB drive. The risk is
higher than the reward unless they're really stealing the data on the
drive which could be worth more than $10 US.

I'd wager for every stolen laptop there are tens of USB drives left
behind. I base this on the startling number of USB drives attached to
keychains that I see left behind in stores and restaurants.
> Keeping your keys on a USB pen drive has the additional benefit that
> you can use them on multiple machines without having multiple copies
> of the keys and the problems inherent with keeping the multiple copies
> of your keys in sync. So as long as you make backups of your keys
> (and put the backup in a safety deposit box) and keep the working
> copy on the USB pen drive, the likelihood of you losing control of
> your keys is probably lower.
This is a commonly cited reason for storing keys on a USB drive. Some
people even keep a GPG binary on the USB drive along with their keys
so they can use GPG in Internet cafes and the like. This is a very
foolish thing to do. A USB drive is not a smartcard. Using your key
from a USB drive on a machine not under your control means the person
who does control that machine can make a copy of your key and
passphrase. After all, from the perspective of the computer, there is
nothing magic about a USB drive: it's just a disk that fits in a
pocket.
David
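
The distinction drawn in the message above, between a key file on a USB drive and a key held on a smartcard, can be checked on a keyring. The following is an added example, not part of the original message; it assumes the colon-delimited listing format described in GnuPG's doc/DETAILS, where field 15 of a sec/ssb record is "+" for secret material available locally, "#" for a stub, or a token serial number. The sample listing, key IDs and card serial number are constructed.

```python
"""Classify where each secret key in a GnuPG keyring actually lives."""

# Constructed sample of `gpg --list-secret-keys --with-colons` output
# (key IDs and the card serial number are made up for this example).
SAMPLE = """\
sec:u:4096:1:1111111111111111:1177500000:::u:::scESC:::+:::23::0:
uid:u::::1177500000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
ssb:u:2048:1:2222222222222222:1177500000::::::e:::D2760001240102000005000012340000:::23:
ssb:u:2048:1:3333333333333333:1177500000::::::s:::#:::23:
"""

TOKEN_FIELD = 14  # field 15 in doc/DETAILS, zero-based here (assumed format)


def storage(marker):
    """Map the field-15 marker to where the secret material is held."""
    if marker == "+":
        return "file"     # ordinary file: copyable by whoever controls the host
    if marker == "#":
        return "stub"     # secret part is not present in this keyring
    if marker:
        return "card"     # serial number of the token holding the secret
    return "unknown"      # marker absent: cannot tell from this listing


def audit(listing):
    """Return (record type, key ID, storage) for every sec/ssb record."""
    rows = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("sec", "ssb"):
            marker = fields[TOKEN_FIELD] if len(fields) > TOKEN_FIELD else ""
            rows.append((fields[0], fields[4], storage(marker)))
    return rows


def copyable(listing):
    """Key IDs whose secret material sits in a plain file on the mounted disk."""
    return [keyid for _, keyid, where in audit(listing) if where == "file"]


if __name__ == "__main__":
    for kind, keyid, where in audit(SAMPLE):
        print(f"{kind} {keyid}: {where}")
```

Keys reported as "file" are the ones exposed to any machine the drive is plugged into; keys reported as "card" never leave the token.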