OT: USB key with hardware encryption?

vedaal at nym.hush.com vedaal at nym.hush.com
Mon Dec 3 17:05:44 CET 2012

On Sunday, December 02, 2012 at 3:16 PM, "Richard Höchenberger" <richard.hoechenberger at gmail.com> wrote:

>I was wondering whether there are USB flash memory devices 
>available that support some kind of hardware encryption, i.e. maybe some USB 
>key with a keypad, which only exposes a (transparently) decrypted 
>filesystem to the host computer.
>I am using Linux, OS X, and Windows.
>Do you have any thoughts and recommendations on this issue?


have never used any hardware encrypted USB, but here is a workaround you might find helpful:

[1] Instead of encrypting the entire USB, put several truecrypt volumes on the USB, and leave a good amount of empty space on the USB (e.g. 4 gig) that you don't use for anything but the files you want to print or scan.

[2] Burn a dvd of *UPR with TAILS*. (Ubuntu Privacy Remix with The Amnesic Incognito Live System)
(It's available directly as a burn-ready iso image.)

This uses a modified bootable run-from-dvd version of Ubuntu 10.x (UPR calls it 'Locked Lynx'), which has Truecrypt and GnuPG 1.4.10 installed on it. It also has a front end for gnupg. Upon booting, it can mount whatever truecrypt files you want, and write/encrypt/decrypt directly into the truecrypt volume, or do any gnupg operations on any file on the USB itself. It has a 'wipe original' option, but am not sure what kind of 'wiping' is involved, but if your threat model is only some random person who may find the USB you lost in a public place, it might be sufficient for you.

[3] Boot from the dvd, mount the truecrypt file that has whatever you want to print, and copy it to the empty space in the USB.

[4] Reboot from your work computer and print the files you want, and scan whatever you want into the empty space on the USB.

[5] Reboot from the dvd, mount the truecrypt volume and copy everything back into the truecrypt volume.

[6] Encrypt and Wipe the files left on the empty space on the USB (encrypting into the truecrypt volume, and wiping the files on the non-truecrypt space on the USB), dismount the truecrypt volume and shut down.


Some quirks on the UPR-TAILS system:

[1] The gnupg front end does not have a conventional encryption option, so it needs a key to encrypt to. 
(You can import your own, but it's simpler and safer to just let the front end generate one for you, since you are mainly interested in the 'wipe original' option. You don't need to save the key, and it's simple enough to generate one key each time you need to use the system.)

[2] The front-end keeps the passphrase for the key in memory for the entire time the system is booted.
(I haven't found any way to set a time for it or turn it off). 
Working from the commandline 1.4.10 doesn't keep the passphrase in memory, and works pretty much as expected, 
but doesn't have the 'wipe' option.

[3] The size of the UPR-TAILS system is 'just a little bit bigger' than a pocket size mini-dvd, and needs to be burned to a full-size dvd.

[4] The truecrypt volume doesn't dismount from the ordinary truecrypt window, but needs to be right-clicked on in the ubuntu file browser, and dismounted from the truecrypt option in the right-click drop down menu.


