“UbuntuHelp:GPGKeyOnUSBDrive”的版本间的差异
来自Ubuntu中文
小 (New page: {{From|https://help.ubuntu.com/community/GPGKeyOnUSBDrive}} {{Languages|php5}} == Storing GPG Keys on an Encrypted USB Flash Drive == It is often desirable to be able to use a GPG key on ...) |
小 |
||
| 第19行: | 第19行: | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo apt-get install cryptsetup | sudo apt-get install cryptsetup | ||
| − | </nowiki></ | + | </nowiki></pre> |
This will also pull in some other necessary dependencies. | This will also pull in some other necessary dependencies. | ||
| 第35行: | 第35行: | ||
<pre><nowiki> | <pre><nowiki> | ||
dd if=/dev/zero of=/media/usbdisk/disk.img bs=1M count=16 | dd if=/dev/zero of=/media/usbdisk/disk.img bs=1M count=16 | ||
| − | </nowiki></ | + | </nowiki></pre> |
The above command will make a 16 MB file containing only zeros. Modify the <code><nowiki>count</nowiki></code> option to get your desired encrypted filesystem size. | The above command will make a 16 MB file containing only zeros. Modify the <code><nowiki>count</nowiki></code> option to get your desired encrypted filesystem size. | ||
| 第50行: | 第50行: | ||
sudo losetup $loopdev /media/usbdisk/disk.img | sudo losetup $loopdev /media/usbdisk/disk.img | ||
sudo cryptsetup -c aes -s 256 -h sha256 -y create usbkey $loopdev | sudo cryptsetup -c aes -s 256 -h sha256 -y create usbkey $loopdev | ||
| − | </nowiki></ | + | </nowiki></pre> |
This will set up the file with 256-bit AES encryption, hashing the passphrase you issue through SHA-256. | This will set up the file with 256-bit AES encryption, hashing the passphrase you issue through SHA-256. | ||
| 第59行: | 第59行: | ||
sudo cryptsetup remove usbkey | sudo cryptsetup remove usbkey | ||
sudo cryptsetup -c aes -s 256 -h sha256 create usbkey $loopdev | sudo cryptsetup -c aes -s 256 -h sha256 create usbkey $loopdev | ||
| − | </nowiki></ | + | </nowiki></pre> |
If all goes well, we're ready for the next step! | If all goes well, we're ready for the next step! | ||
| 第69行: | 第69行: | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo mkfs.ext3 /dev/mapper/usbkey | sudo mkfs.ext3 /dev/mapper/usbkey | ||
| − | </nowiki></ | + | </nowiki></pre> |
Now, try mounting the filesystem: | Now, try mounting the filesystem: | ||
| 第76行: | 第76行: | ||
sudo mkdir -p /mnt/encrypted | sudo mkdir -p /mnt/encrypted | ||
sudo mount -t ext3 /dev/mapper/usbkey /mnt/encrypted | sudo mount -t ext3 /dev/mapper/usbkey /mnt/encrypted | ||
| − | </nowiki></ | + | </nowiki></pre> |
=== Setting up GnuPG on the Encrypted Filesystem === | === Setting up GnuPG on the Encrypted Filesystem === | ||
| 第87行: | 第87行: | ||
chmod 0700 /mnt/encrypted/.gnupg | chmod 0700 /mnt/encrypted/.gnupg | ||
ln -s /mnt/encrypted/.gnupg ~/.gnupg | ln -s /mnt/encrypted/.gnupg ~/.gnupg | ||
| − | </nowiki></ | + | </nowiki></pre> |
Now, create a GnuPG key as described in [[UbuntuHelp:GPGKey]] or, if you already have a key, move the files in your old <code><nowiki>.gnupg</nowiki></code> directory into the new one, possibly using <code><nowiki>shred</nowiki></code> or <code><nowiki>wipe</nowiki></code> to securely remove the old files. | Now, create a GnuPG key as described in [[UbuntuHelp:GPGKey]] or, if you already have a key, move the files in your old <code><nowiki>.gnupg</nowiki></code> directory into the new one, possibly using <code><nowiki>shred</nowiki></code> or <code><nowiki>wipe</nowiki></code> to securely remove the old files. | ||
| 第101行: | 第101行: | ||
sudo cryptsetup remove usbkey | sudo cryptsetup remove usbkey | ||
sudo losetup -d $loopdev | sudo losetup -d $loopdev | ||
| − | </nowiki></ | + | </nowiki></pre> |
Now, save the following as <code><nowiki>mount.sh</nowiki></code> in the root of your USB drive (not in the encrypted filesystem!): | Now, save the following as <code><nowiki>mount.sh</nowiki></code> in the root of your USB drive (not in the encrypted filesystem!): | ||
| 第115行: | 第115行: | ||
<pre><nowiki> | <pre><nowiki> | ||
sh /media/usbdisk/mount.sh | sh /media/usbdisk/mount.sh | ||
| − | </nowiki></ | + | </nowiki></pre> |
and all the work will be done for you! (Of course, you will need the encryption password, and you may be asked for a password for <code><nowiki>sudo</nowiki></code>.) | and all the work will be done for you! (Of course, you will need the encryption password, and you may be asked for a password for <code><nowiki>sudo</nowiki></code>.) | ||
| 第127行: | 第127行: | ||
sh /media/usbdisk/umount.sh | sh /media/usbdisk/umount.sh | ||
sudo mv /tmp/{pubring,trustdb}.gpg /mnt/encrypted/.gnupg | sudo mv /tmp/{pubring,trustdb}.gpg /mnt/encrypted/.gnupg | ||
| − | </nowiki></ | + | </nowiki></pre> |
Now, when the encrypted filesystem is not mounted, you will see those files in your <code><nowiki>.gnupg</nowiki></code> directory, so that <code><nowiki>gpg --verify</nowiki></code> will work. But when it is mounted, you will see the files that are actually in the encrypted filesystem. | Now, when the encrypted filesystem is not mounted, you will see those files in your <code><nowiki>.gnupg</nowiki></code> directory, so that <code><nowiki>gpg --verify</nowiki></code> will work. But when it is mounted, you will see the files that are actually in the encrypted filesystem. | ||
2007年5月13日 (日) 12:44的版本
目录
Storing GPG Keys on an Encrypted USB Flash Drive
It is often desirable to be able to use a GPG key on more than one computer, for instance at home and at work, or on a desktop and a laptop. Unfortunately, storing encryption keys where you don't have physical control is generally a bad idea. Even storing keys on a laptop can be troublesome--if the laptop gets stolen, so does your GPG key. Luckily, you can probably revoke the key before anybody is able to decrypt it, but that's a hassle. What if you could securely store the key on a device that you always have on your person?
attachment:IconsPage/IconWarning3.png IMPORTANT: Make sure you make a backup copy of your ~/.gnupg directory before you do this. The last thing you want to happen is to lose your keyring because something went wrong.
dm-crypt
From the dm-crypt website: " Device-mapper is a new infrastructure in the Linux 2.6 kernel that provides a generic way to create virtual layers of block devices that can do different things on top of real block devices like striping, concatenation, mirroring, snapshotting, etc... The device-mapper is used by the LVM2 and EVMS 2.x tools. dm-crypt is such a device-mapper target that provides transparent encryption of block devices using the new Linux 2.6 cryptoapi. The user can basically specify one of the symmetric ciphers, a key (of any allowed size), an iv generation mode and then he can create a new block device in /dev. Writes to this device will be encrypted and reads decrypted. You can mount your filesystem on it as usual. But without the key you can't access your data."
This is perfect for our needs. We will create an encrypted filesystem inside of a regular file on the USB flash drive, where we will store sensitive data like GnuPG keys.
Installing the Software
First, you will need to install cryptsetup:
sudo apt-get install cryptsetup
This will also pull in some other necessary dependencies.
Setting Up the Encrypted Filesystem
I store my GPG keys on a cheap, tiny USB flash drive that fits comfortably on my keyring. When I plug it in, it is automatically mounted as /media/usbdisk. The following sections will assume a similar setup.
I decided to make my encrypted filesystem live in a regular file rather than its own partition. This requires less tweaking of the disk, and makes mounting and unmounting the encrypted filesystem easier, as you will see later. However, many of the steps in this tutorial can be adapted to use a real partition instead of a regular file.
Creating the File
Before we can make a filesystem, we need a file that is large enough to hold it. This can be accomplished with dd:
dd if=/dev/zero of=/media/usbdisk/disk.img bs=1M count=16
The above command will make a 16 MB file containing only zeros. Modify the count option to get your desired encrypted filesystem size.
Setting up the Encrypted Loop Device
Before we can actually create the filesystem on our new file, we need to attach it to a loop device and set up a device-mapper target with encryption. losetup -f will find the first free loop device, so we will set its output to a variable called loopdev and use it for several commands:
sudo modprobe loop sudo modprobe dm-crypt sudo modprobe aes export loopdev=$(sudo losetup -f) sudo losetup $loopdev /media/usbdisk/disk.img sudo cryptsetup -c aes -s 256 -h sha256 -y create usbkey $loopdev
This will set up the file with 256-bit AES encryption, hashing the passphrase you issue through SHA-256.
After it's set up, it's a good idea to remove the usbkey device-mapper device and re-run cryptsetup to make sure that you didn't mistype the initial password (I say this from experience...):
sudo cryptsetup remove usbkey sudo cryptsetup -c aes -s 256 -h sha256 create usbkey $loopdev
If all goes well, we're ready for the next step!
Creating the Actual Filesystem
This is the easiest step of all. I chose the ext3 filesystem for its journaling capability, just in case the USB drive gets removed before the filesystem is unmounted. The cryptsetup command above created the device /dev/mapper/usbkey, which is a map through dm-crypt to the encrypted filesystem. So, this device appears to the system as a regular old block device, like a hard disk or partition. The following command will create an ext3 filesystem on the encrypted file:
sudo mkfs.ext3 /dev/mapper/usbkey
Now, try mounting the filesystem:
sudo mkdir -p /mnt/encrypted sudo mount -t ext3 /dev/mapper/usbkey /mnt/encrypted
Setting up GnuPG on the Encrypted Filesystem
Now, make a .gnupg directory in /mnt/encrypted, make it owned by your user, and link it to your own ~/.gnupg (if you already have a .gnupg directory, move it out of the way first):
sudo mkdir /mnt/encrypted/.gnupg sudo chown $UID.$UID /mnt/encrypted/.gnupg chmod 0700 /mnt/encrypted/.gnupg ln -s /mnt/encrypted/.gnupg ~/.gnupg
Now, create a GnuPG key as described in UbuntuHelp:GPGKey or, if you already have a key, move the files in your old .gnupg directory into the new one, possibly using shred or wipe to securely remove the old files.
Making Things Easier
Simplifying the Mount Process
It's not really fun to type three or four commands each time you want to mount your encrypted filesystem. So, I wrote two really simple scripts for mounting and unmounting. Before using these, you should unmount your filesystem and detach the loop device:
sudo umount /mnt/encrypted sudo cryptsetup remove usbkey sudo losetup -d $loopdev
Now, save the following as mount.sh in the root of your USB drive (not in the encrypted filesystem!):
inline:mount.sh
Then, save the following as umount.sh in the same place:
inline:umount.sh
You may not be able to execute these scripts directly, since the default auto-mounting options prohibit running executables. But, since they are shell scripts, you can simply pass them on to sh. So, once the USB drive has been mounted, you can simply type
sh /media/usbdisk/mount.sh
and all the work will be done for you! (Of course, you will need the encryption password, and you may be asked for a password for sudo.)
Verifying PGP Signatures Without the Encrypted Filesystem
You might want to be able to verify a signed message without needing to mount the encrypted filesystem. To facilitate this, simply copy the public keyring and the trust database file to the "real" .gnupg directory:
cp /mnt/encrypted/.gnupg/{pubring,trustdb}.gpg /tmp
sh /media/usbdisk/umount.sh
sudo mv /tmp/{pubring,trustdb}.gpg /mnt/encrypted/.gnupg
Now, when the encrypted filesystem is not mounted, you will see those files in your .gnupg directory, so that gpg --verify will work. But when it is mounted, you will see the files that are actually in the encrypted filesystem.
CategorySecurity
