Lexar Secure Jumpdrives
Jason Clinton
me at jasonclinton.com
Tue Dec 14 10:55:43 CST 2004
On Monday 13 December 2004 10:53, Brian Densmore wrote:
> My question, would it be possible to reformat the stick with
> an encrypted Linux fs and if so how would I be able to access it
> from Windows and Macs? Also, by securing half the card, will I
> still be able to use the whole stick in Linux? Another question,
> the stick has an autorun script for Windows, if I were to wipe the
> Windows software off of the stick would Windows still autodetect the
> stick and mount it? Or is it only autodetecting because of the autorun.
> I have a W2K desktop.
Well, I put all the questions here together because my suggestion encompasses
all of them. The Lexar encryption hardware is not compatible with Linux; it's
done in hardware and, IIRC, it's extremely simple (easy to crack) but no
device driver exists. Rather than worry about having enough size on either
the encrypted partition or the non-encrypted partition, I suggest that you
partition and format the whole thing in VFAT32 and place a copy of gnupg on
the device. There's a number of ways that you can do it but here's one
scenario that can vary in size and is compatible with Windows unlike the
loopback file system method:
On your linux systems, you have a /usr/local/bin/mount script that you
manually invoke that mounts the /dev/sd? device to /mnt/cf0. It then looks
for /mnt/cf0/encrypted_archive.tar.gz and executes gnupg with your private
key from your home directory and decompresses the archive to some place
in /tmp or /home/~. You have another /usr/local/bin/umount script that
reverses all of those steps: wrap up the changes in the directory, encrypt
_against_your_public key_ on the device, unmount.
On your Windows systems, the exact same process takes place but it's all
automatic via the autorun.inf file using MinGW32 compiled gnupg.exe, tar.exe
and gzip.exe on the device. If you take your device to another person's
system, you will need to explore some of the many ways that you can securely
access your private key from remote locations (perhaps even a separate, 8MB
pen drive to store your private key -- they make watches that do that that
have USB connectors). That way, if you lose the device, the person would need
both the private key and the password to access the data.
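The Linux side of that scheme as an added example (my own sketch, not code from the original post or from Lexar): one POSIX sh script that plays both the mount and umount roles. Assumed names: the stick mounts at $MNT, the archive on it is encrypted_archive.tar.gz.gpg, plaintext is unpacked to $WORK, and $RECIPIENT is the user id or key id of your own GnuPG key.

```sh
#!/bin/sh
# Added example: mount/umount pair for the gnupg-on-a-FAT-stick scheme.
# Assumed layout: archive on the stick at $MNT/encrypted_archive.tar.gz.gpg,
# plaintext unpacked to $WORK, $RECIPIENT = your own GnuPG key.
set -eu
umask 077                                   # nothing we create is group/world readable

ARCHIVE="encrypted_archive.tar.gz.gpg"
DEV=${DEV:-/dev/sda1}
MNT=${MNT:-/mnt/cf0}
WORK=${WORK:-/tmp/stick-plain}
RECIPIENT=${RECIPIENT:-}

# open_vault MNT WORK: decrypt the archive with your private key (gpg-agent or
# a passphrase prompt unlocks it) and unpack it into WORK. A stick with no
# archive yet simply yields an empty WORK. If gpg fails, tar gets no input and
# exits non-zero, so set -e aborts instead of leaving a half-unpacked tree.
open_vault() {
    mnt=$1; work=$2
    mkdir -p "$work"
    chmod 700 "$work"
    if [ -f "$mnt/$ARCHIVE" ]; then
        gpg --quiet --batch --decrypt "$mnt/$ARCHIVE" | tar -xzf - -C "$work"
    fi
}

# close_vault MNT WORK RECIPIENT: re-archive WORK, encrypt it to your public
# key, swap the new archive in only after gpg succeeded, drop the plaintext.
close_vault() {
    mnt=$1; work=$2; recipient=$3
    tmp="$mnt/.$ARCHIVE.tmp"
    tar -czf - -C "$work" . |
        gpg --quiet --batch --yes --encrypt --recipient "$recipient" --output "$tmp"
    mv -f "$tmp" "$mnt/$ARCHIVE"            # atomic replace on the stick
    sync                                    # flush before the stick is pulled
    rm -rf "$work"                          # rm is not a secure wipe; keep WORK on tmpfs
}

# The two scripts the post describes, as one entry point: mount | umount.
stick_cmd() {
    case $1 in
        mount)  mount "$DEV" "$MNT" && open_vault "$MNT" "$WORK" ;;
        umount) close_vault "$MNT" "$WORK" "$RECIPIENT" && umount "$MNT" ;;
        *)      echo "usage: $0 mount|umount" >&2; return 2 ;;
    esac
}

case ${1:-} in mount|umount) stick_cmd "$1" ;; esac
```

Mounting needs root or an fstab entry for the stick; the decrypt step works with a passphrase-protected key because gpg-agent asks for it.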
Regarding the existing software on the device, there's no danger in losing any
of it unless you want the Windows-only, weak encryption to work with Windows.
This all sounds rather complicated but in practice, good encryption is hard
work and the cross-platform nature makes it even more complicated. Good
encryption is not yet a commodity.