GnuPG (win32) on a USB stick
vedaal at hush.com
Mon Mar 3 17:11:46 CET 2008
nunzky (funkdude at gmail.com)
wrote on Mon Mar 3 02:57:20 CET 2008 :
>Is it possible to avoid this behavior
>and have GnuPG write those files, say,
>in its own dir on my usb stick?
...
>this would probably have to involve
>me keeping my private key on the usb stick,
>protected only by a passphrase.
>How secure is this?
>Are there any better ways to do it?
in general,
the simplest, most secure way,
is to keep gnupg on your laptop,
and use the usb to transfer files from the public computer
to your laptop and back again
encrypting and decrypting while directly connected to a public
computer,
runs a very real risk of having the plaintext stored in some
recoverable form on that computer
(i would recommend a Toshiba Libretto,
that you can literally have physical control over,
at all times)
http://www.pcmag.com/article2/0,2817,1788012,00.asp
if you don't have a laptop,
and need to work from a public computer, and a usb,
here are some guidelines:
[1] generate a new gnupg key, with a comment, 'usb key',
and keep this in a separate keyring (not the keyring with your
'real' secret keys)
if you have any concern that this becomes compromised,
you can revoke it, without compromising your 'real' keys
(this is also a common courtesy to people who send encrypted mail
to you
they are entrusting their secret/personal correspondence to you,
and need to know how much they can 'trust' you
'trust' in this context,
refers to 'skill and judgment',
not 'integrity'
[ you can 'trust' someone with your life and money,
but not to drive your BMW,
if you don't think they have enough experience with a stickshift ] )
[2] keep the keyrings and the entire gnupg program in a truecrypt
container on the usb
this has two advantages:
(a) it protects your keyrings
(b) it allows you to pick a drive letter that will stay the same
regardless of the hardware differences of the various public
computers
(i.e., you can mount the truecrypt container as drive Z,
and have all the entries in your gpg.conf refer to z:\gnupg,
and never have to change it)
truecrypt can be run in traveller mode from a usb,
without having it installed on the host computer
[3] copy the entire gnupg directory from your home computer,
into the truecrypt container
[4] put these lines into your gpg.conf file:
# ignore the keyrings in the host's default gnupg home directory
no-default-keyring
# public and secret keyrings on the truecrypt volume mounted as z:
keyring z:\gnupg\pubring.gpg
secret-keyring z:\gnupg\secring.gpg
(use your 'new' keyrings with the special 'usb key')
[5] open notepad and type these lines:
rem change to the truecrypt volume (mounted as z:) and the gnupg directory
z:
cd \gnupg
rem start an interactive shell here so the window stays open
cmd
save this as gusb.bat in your truecrypt container
whenever you want to run gnupg from the usb,
(and have already mounted the truecrypt container as drive z:)
double-clicking on gusb.bat
opens a dos commandline window
check it by typing gpg -h
if the gnupg version and guide appears, then you're ready
[6] minor recommendation,
(i don't know how much it would help)
get (free) editpad lite:
http://www.editpadpro.com/editpadlite.html
it can be run from the usb by just copying the file EditPadLite.exe
you can compose any correspondence from editpadlite, without using
any of the host computer's software (e.g. word, wordpad, notepad,
etc.),
and there 'might' be less chance of the plaintext being saved on
the host computer by some file journaling system)
vedaal
any ads or links below this message are added by hushmail without
my endorsement or awareness of the nature of the link
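As an added example (not part of vedaal's post), a fuller version of the gusb.bat launcher that also points GnuPG's home directory at the TrueCrypt volume, so that gpg.conf is read from, and trustdb.gpg and random_seed are written to, z:\gnupg instead of the host's %APPDATA% profile, and that refuses to start if the volume is not mounted. The z: drive letter and the z:\gnupg layout (gpg.exe, gpg.conf and the keyrings in that directory) are assumptions taken from the post.

```batch
@echo off
rem gusb.bat (added example): launch GnuPG from the TrueCrypt volume mounted as z:
rem Assumed layout: gpg.exe, gpg.conf and the keyrings live in z:\gnupg

if not exist z:\gnupg\gpg.exe (
    echo TrueCrypt volume is not mounted as z: or z:\gnupg is missing.
    pause
    exit /b 1
)

rem GNUPGHOME tells gpg where to look for gpg.conf and where to write
rem trustdb.gpg and random_seed; without it those still end up in
rem %APPDATA%\gnupg on the host even when the keyrings are on z:
set GNUPGHOME=z:\gnupg

rem Prepend the volume to PATH for this window only, so "gpg" resolves
rem to the copy on the stick rather than anything installed on the host
set PATH=z:\gnupg;%PATH%

z:
cd \gnupg

rem Sanity check: gpg --version prints the home directory it is using,
rem and the secret key list should show only the 'usb key'
gpg --version
gpg --list-secret-keys

rem Keep the window open as an interactive shell in z:\gnupg
cmd
```

The "Home:" line printed by gpg --version should read z:\gnupg; if it shows a path under the host's profile, the environment variable did not take effect and the check should be repeated before encrypting anything.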