Lexar Secure Jumpdrives

Jason Clinton me at jasonclinton.com
Tue Dec 14 10:55:43 CST 2004


On Monday 13 December 2004 10:53, Brian Densmore wrote:
> My question, would it be possible to reformat the stick with
> an encrypted Linux fs and if so how would I be able to access it
> from Windows and Macs? Also, by securing half the card, will I
> still be able to use the whole stick in Linux? Another question,
> the stick has an autorun script for Windows, if I were to wipe the
> Windows software off of the stick would Windows still autodetect the
> stick and mount it? Or is it only autodetecting because of the autorun?
> I have a W2K desktop.

Well, I put all the questions here together because my suggestion encompasses 
all of them. The Lexar encryption hardware is not compatible with Linux; it's 
done in hardware and, IIRC, it's extremely simple (easy to crack) but no 
device driver exists. Rather than worry about having enough size on either 
the encrypted partition or the non-encrypted partition, I suggest that you 
partition and format the whole thing in VFAT32 and place a copy of gnupg on 
the device. There's a number of ways that you can do it but here's one 
scenario that can vary in size and is compatible with Windows unlike the 
loopback file system method:

On your linux systems, you have a /usr/local/bin/mount script that you 
manually invoke that mounts the /dev/sd? device to /mnt/cf0. It then looks 
for /mnt/cf0/encrypted_archive.tar.gz and executes gnupg with your private 
key from your home directory and decompresses the archive to some place 
in /tmp or /home/~. You have another /usr/local/bin/umount script that 
reverses all of those steps: wrap up the changes in the directory, encrypt 
_against your public key_ on the device, unmount. 

On your Windows systems, the exact same process takes place but it's all 
automatic via the autorun.inf file using MinGW32 compiled gnupg.exe, tar.exe 
and gzip.exe on the device. If you take your device to another person's 
system, you will need to explore some of the many ways that you can securely 
access your private key from remote locations (perhaps even a separate, 8MB 
pen drive to store your private key -- they make watches that do that that 
have USB connectors). That way, if you lose the device, the person would need 
both the private key and the password to access the data.

Regarding the existing software on the device, there's no danger in losing any 
of it unless you want the Windows-only, weak encryption to work with Windows.

This all sounds rather complicated but in practice, good encryption is hard 
work and the cross-platform nature makes it even more complicated. Good 
encryption is not yet a commodity.
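As an added example (not code from the original message or the list), here is a POSIX sh sketch of the Linux half of the scheme described above: an unlock step that decrypts the archive with your private key into a private working directory, and a lock step that re-tars it, encrypts it to your public key, writes it back atomically and removes the plaintext. It assumes the stick is already mounted at $MNT (default /mnt/cf0, as in the message), that the archive is named encrypted_archive.tar.gz.gpg, and that $KEYID names your GnuPG key; the mount and umount calls themselves are left to the wrapper scripts.

```shell
#!/bin/sh
# Assumptions (not from the original message): stick already mounted at $MNT,
# archive file name below, GnuPG key chosen by $KEYID.
set -eu

MNT="${MNT:-/mnt/cf0}"
ARCHIVE_NAME="encrypted_archive.tar.gz.gpg"
WORKDIR="${WORKDIR:-${TMPDIR:-/tmp}/cf0-plain}"

# unlock_archive MNT WORKDIR
# Decrypt the archive on the stick with the private key and unpack it into a
# mode-0700 working directory. A stick with no archive yet is treated as a
# fresh one and simply gets an empty working directory.
unlock_archive() {
    mnt="$1"; workdir="$2"
    mkdir -p "$workdir"
    chmod 700 "$workdir"                 # plaintext must not be world-readable
    if [ -f "$mnt/$ARCHIVE_NAME" ]; then
        gpg --quiet --batch --decrypt "$mnt/$ARCHIVE_NAME" \
            | tar -xzf - -C "$workdir"
    fi
}

# lock_archive MNT WORKDIR KEYID
# tar+gzip the working directory, encrypt it to the public key KEYID, replace
# the old archive only after the new one is fully written (temp file + rename,
# so a yanked stick cannot leave a half-written archive), then drop the
# plaintext copy. Note: rm on /tmp is not a secure wipe; keep WORKDIR on tmpfs
# or an encrypted home if that matters.
lock_archive() {
    mnt="$1"; workdir="$2"; keyid="$3"
    tar -czf - -C "$workdir" . \
        | gpg --quiet --batch --yes --recipient "$keyid" --encrypt \
              --output "$mnt/$ARCHIVE_NAME.tmp"
    mv -f "$mnt/$ARCHIVE_NAME.tmp" "$mnt/$ARCHIVE_NAME"
    rm -rf "$workdir"
}

# Stand-alone use: "thisscript unlock" after mounting, "thisscript lock"
# before unmounting. KEYID is required only for the lock step.
case "${1:-}" in
    unlock) unlock_archive "$MNT" "$WORKDIR" ;;
    lock)   lock_archive "$MNT" "$WORKDIR" "${KEYID:?set KEYID to your GnuPG key id}" ;;
esac
```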

More information about the Kclug mailing list