3

I am looking for a simple but reasonably safe way to secure my home PC (and laptop, NAS, etc.) with a hardware token. I would like the system to be secure, but practical enough to be used on a day-to-day basis.

I am thinking of using the hardware token for logging on etc. (I know using just a hardware token is not that secure, but the system doesn't have to be ultra secure, just an initial deterrent). For ease of use I would like this hardware token to be as cross-compatible as possible (so I don't have to carry several of them).

I am thinking of using a USB token, because almost all computer hardware has a USB port nowadays. Even better would be a smartcard (because it would easily fit in my wallet), but smartcard readers aren't readily available (as far as I know).

The systems I'm thinking of using (and want to secure) are:

  • A password manager (KeePass)
  • OS, disk and file encryption (TrueCrypt)
  • A NAS with encryption (FreeNAS 8)

My question is: what is the easiest way to secure a system like this with a hardware token? What type of token would be best (in terms of portability, compatibility, etc.)? Or are there other ways in which I could accomplish the same, but easier?

AviD

2 Answers

1

EDIT: I was mistaken; Truecrypt cannot natively use USB device drivers for pre-boot authentication. However, Yubikey appears to have a solution that can be used for their pre-boot authentication system as long as it is set up for "static mode". This is interesting since it means that there is -- technically -- a way to allow USB-based authentication. The Truecrypt docs are not clear at all that they do not support FDE with USB-based keyfiles.

Considering you've already looked at using Truecrypt, then ensure that full HD encryption is enabled and simply drop a keyfile onto your USB device. USB is ubiquitous and the same device can be used to host multiple keyfiles for different systems. Remember to make backups to prevent bit-rot and device failure. This previous question has some thoughts on this (and more).

logicalscope
  • OK, but if I encrypt my entire disk (with my OS on it), would that not mean I would have to enter my password before booting the OS (which would mean I couldn't use a USB token)? Or are you suggesting I keep my important (encrypted) files separate from my main (unencrypted) OS? –  Feb 20 '12 at 17:48
  • @SamuelKiely: You are correct. I've updated my answer accordingly. However, there are ways to cobble something together, but when it comes to FDE, I wouldn't want to trust something "cobbled" together. Yubikey seems to have a sol'n, however. – logicalscope Feb 20 '12 at 19:02
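
The keyfile-plus-backups advice in the answer above, sketched as an added example that is not part of the original answer or of TrueCrypt. It assumes GNU coreutils (`sha256sum`, `head -c`); the function names, the paths in the usage comment and the 64-byte keyfile size are choices made for this example.

```shell
#!/bin/sh
# Added example: create a random keyfile, keep a backup copy, and detect
# bit-rot in any copy by comparing it against a recorded SHA-256 digest.
# All function names and paths are hypothetical.

# make_keyfile PATH [BYTES]: write random bytes, readable only by the owner.
make_keyfile() {
    kf=$1; size=${2:-64}
    # Never overwrite: replacing a keyfile locks you out of volumes using it.
    [ -e "$kf" ] && { echo "refusing to overwrite $kf" >&2; return 1; }
    ( umask 077 && head -c "$size" /dev/urandom > "$kf" )
}

# digest PATH: print the hex SHA-256 of a file.
digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_keyfile PATH: succeed only if PATH still matches PATH.sha256.
verify_keyfile() {
    copy=$1
    [ -r "$copy.sha256" ] || { echo "no digest for $copy" >&2; return 2; }
    [ "$(digest "$copy")" = "$(cat "$copy.sha256")" ]
}

# backup_keyfile SRC DEST_DIR: copy SRC, record the digest of the original
# next to the copy, then verify the copy that was just written.
backup_keyfile() {
    src=$1; dir=$2; name=$(basename "$src")
    mkdir -p "$dir" || return 1
    ( umask 077 && cp "$src" "$dir/$name" ) || return 1
    digest "$src" > "$dir/$name.sha256" || return 1
    verify_keyfile "$dir/$name"
}

# Usage (mount points are placeholders):
#   make_keyfile /media/usb/volume.key
#   backup_keyfile /media/usb/volume.key /media/backup/keys
#   verify_keyfile /media/backup/keys/volume.key || echo "backup is damaged"
```

Run `verify_keyfile` on every copy periodically, so a damaged copy is found while another good one still exists.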
0

All 3 things you mention will require different methods to secure. So really, you're asking 3 different questions. You should look at getting a Yubikey for the PC and LastPass. I don't know about FreeNAS. It might be easier to NOT encrypt the NAS, per se, but to store encrypted volumes on the SAN that you mount with TrueCrypt from your everyday computer.

Xint0
LVLAaron
  • That's a good solution! A Yubikey sounds like the kind of solution I was looking for (small, cross-compatible, multiple ways of identification). And as for FreeNAS, it is still under development, so there might be a solution in the future for using it with the Yubikey. Thanks! –  Feb 20 '12 at 19:36
  • I am a big user of FreeNAS. I am curious how you plan to use it that would be effective and still use a Yubikey style device... – LVLAaron Feb 20 '12 at 22:59
  • There is a ticket on the FreeNAS 8 developers forum about including encryption in the 8.2 release (http://support.freenas.org/ticket/119), and using a hardware token at startup (and maybe on network access) of the NAS. You could possibly use the Yubikey for that. –  Feb 21 '12 at 10:14