Working with an Online and Offline Computer when using GnuPG - Best Practice?

Pete Stephenson pete at heypete.com
Tue Oct 10 09:26:54 CEST 2017


On Mon, Oct 9, 2017, at 06:53 PM, Stefan Claas wrote:
> I read once here on the Mailing List that one should only use
> trusted USB devices, whatever that means, when using a USB
> device.

If you must use USB devices for some reason, take a look at the
<https://www.kanguru.com/storage-accessories/kanguru-flashtrust-secure-firmware.shtml>
flash drive.

It's designed specifically to protect against "badUSB", where the
controller and firmware can be compromised. The controller has the
developer's public key baked in during manufacture. The firmware is
signed and can only be loaded once (no provision is made for
in-the-field firmware updates). The controller verifies the firmware and
its signature at every power-on. If a malicious actor had physical
access and re-flashed the firmware, the controller would notice and fail
to load.

It also has a physical write-protect switch that can prevent unwanted
writes.

It's a plain flash drive and doesn't have built-in encryption (though
the company sells those too) but it should have a higher assurance of
not being compromised or compromisable at the hardware level than a
typical off-the-shelf USB device.

I use it with my offline Raspberry Pi 2 that I use for private key
operations for my primary keys (as opposed to subkeys, which are on
smartcards). The Pi 2 uses LUKS for encrypting the microSD card it uses
for storage and is never connected to the network. It's more than
adequate in terms of performance and is cheap enough that I have a bunch
lying around the house anyway. ;)

Cheers!
-Pete

-- 
Pete Stephenson


