[Fwd: Re: Protecting private key on USB flash drive: how to?]

Faramir faramir.cl at gmail.com
Sat May 10 17:42:03 CEST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Florian Philipp wrote:
> On Fri, 2008-05-09 at 08:21 -0400, Faramir wrote:
>
>> Well, I am going to carry gpg in my USB flash drive, either using
>> portable firefox+FireGPG+some way to put gpg on the drive, or portable
>> thunderbird+gpg for portable TB+enigmail. But despite what way I will
...

> In addition to a strong passphrase you could use steganographic
> software. It doesn't encrypt data but hides it, usually in a picture or
> sound file.
...

  Yes, I was thinking hard about the subject, and I remembered
steganography... and in the Wikipedia article they have a lot of links
to that kind of software. I chose Digital Invisible Ink Toolkit, since
it is open source, free, built in Java, so it should run anywhere. I
already had some portable apps (like portable OpenOffice.org) on my
flash drive, including jre... so it looks very viable to use that.

> I think I've heard of USB-sticks or external hard disks with integrated
> finger print readers. I don't really trust this kind of hardware but
> it's an additional layer of security.

  I don't trust them either, since I was told it is very likely they can be
hacked... at least, laptops protected by fingerprint readers can be
hacked. So I would rather use a USB flash drive with built-in 256-bit
AES... but then, I think it would be the same as just encrypting the
keyring with that encryption system, or making a self-extracting gpg
encrypted file... And if I put that file inside a picture (which
supports encryption too...), that probably would be more than enough to
keep the data safe...

  Well, the thing is my keyring is not valuable at all, it has not even
been signed by other people... but since I am studying an IT related
career, I should do things "the right way" (or learn how to do them "the
right way"), before I actually have to use that knowledge...

  Thanks for your advice, since cryptography is based on "the security
is in the key, not in the algorithm" (the info is not hidden, but
protected), and steganography is based on hiding the info, I thought
maybe talking about steganography on the gpg list would be some kind of
heresy XD. But if you thought about it too, I feel more confident that
it is a good idea to mix both systems.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----


