GnuPG (win32) on a USB stick

vedaal at vedaal at
Mon Mar 3 17:11:46 CET 2008

nunzky (funkdude at
wrote on Mon Mar 3 02:57:20 CET 2008 :

>Is it possible to avoid this behavior 
>and have GnuPG write those files, say, 
>in its own dir on my usb stick?
>this would probably have to involve 
>me keeping my private key on the usb stick, 
>protected only by a passphrase. 
>How secure is this? 
>Are there any better ways to do it?

in general,
the simplest, most secure way,
is to keep gnupg on your laptop,
and use the usb to transfer files from the public computer
to your laptop and back again

encrypting and decrypting while directly connected to a public 
runs a very real risk of having the plaintext stored in some 
recoverable form on that computer

(i would recommend a Toshiba Libretto,
that you can literally have physical control over,
at all times),2817,1788012,00.asp

if you don't have a laptop,
and need to work from a public computer, and a usb,
here are some guidelines:

[1] generate a new gnupg key, with a comment, 'usb key',
and keep this in a separate keyring (not the the keyring with your 
'real' secret keys)

if you have any concern that this becomes compromised,
you can revoke it, without compromising your 'real' keys

(this is also a common courtesy to people who send encrypted mail 
to you

they are entrusting their secret/personal correspondence to you, 
and need to know how much they can 'trust' you

'trust' is this context,
refers to 'skill and judgment', 
not 'integrity'
[ you can 'trust' someone with your life and money,
but not to drive your BMW, 
if you don't think they have enough experience with a stickshift ] )

[2] keep the keyrings and the entire gnupg program in a truecrypt 
container on the usb
this has two advantages:
(a) it protects your keyrings
(b) it allows you to pick a drive letter that will stay the same 
regardless of the hardware differences of the various public 

(i.e., you can mount the truecrypt container as drive Z,
and have all the entries in your gpg.conf refer to z:\gnupg,
and never have to change it)
truecrypt can be run in traveller mode from a usb, 
without having it installed on the host computer

[3]copy the entire gnupg directory from your home computer,
into the truecrypt container

[4] put these lines into your gpg.conf file:
keyring z:\gnupg\pubring.gpg
secret-keyring z:\gnupg\secring.gpg
(use your 'new' keyrings with the special 'usb key')

[5] open notepad and types these lines:
command com
cd gnupg

save this as gusb.bat in your truecrypt container

whenever you want to run gnupg from the usb,
(and have already mounted the truecrypt container as drive z:)
double-clicking on gusb.bat
opens a dos commandline window

check it by typing gpg -h
if the gnupg version and guide appears, then you're ready

[6] minor recommendation,
(i don't know how much it would help)

get (free) editpad lite:

it can be run from the usb by just copying the file EditPadLite.exe

you can compose any correspondence from editpadlite, without using 
any of the host computers software (e.g. word, wordpad, notepad, 
and there 'might' be less chance of the plaintext being saved on 
the host computer by some file journaling system)


any ads or links below this message are added by hushmail without 
my endorsement or awareness of the nature of the link

Click here for free information on how to reduce your debt by filing for bankruptcy.

More information about the Gnupg-users mailing list