5

We're a small startup running a server inside the client's premises and certain files need to be kept encrypted on that server. We want the decryption to be only possible when we plug in a particular USB drive (with the private key inside it). Are there any free implementations of this? I tried using GPG but it does not allow the private key to be stored temporarily (unlike SSH).

Mike Ounsworth
Grim Reaper

2 Answers

5

I would not use that approach. When you mount a USB drive, read a file from it, etc., all sorts of copies of that data could end up in OS memory, logs, etc. You'll be fighting an uphill battle to make this secure, especially if the attacker has the ability to take memory dumps of the server, or plant malware on the server.

A better approach would be to use some sort of USB hardware crypto module so that the server itself never needs to touch the private keys. The idea is that the cryptographic keys live on the crypto device and never leave it, you send the data you want to encrypt / decrypt to the device, it does the crypto operation for you and returns the results.

With this approach you are guaranteed that no caches of the private key exist on the server because the server never touched it in the first place, and if you pull out the USB device, the server loses the ability to do crypto operations, which I think is what you want.

Some technologies / search terms you can look for include:

  • usb smartcard
  • cryptographic token
  • PKCS#11 token
  • TPM (trusted platform module)
  • HSM (hardware security module)

You may want to look into hardware-based solutions like USB smart-cards, TPMs, or lightweight HSMs where the crypto is done on the device so that the server never actually touches the key.

Mike Ounsworth
  • Unfortunately, smartcards and such are rather rare and expensive here. It'd be great if there was an off-the-shelf USB drive option! – Grim Reaper Mar 31 '17 at 08:58
  • 1
    There are many off-the-shelf USB options (both smart-card and "stick" styles), and they can be as cheap as $2 - $5 USD per card/stick, so I don't believe that cost is your limitation. I Googled "usb pkcs11" and found this list of hardware devices, which could be a starting point: https://github.com/OpenSC/OpenSC/wiki/Supported-hardware-(smart-cards-and-USB-tokens) – Mike Ounsworth Mar 31 '17 at 13:17
2

One possibility would be to use an encrypted partition or container file using luks/cryptsetup. You can store the decryption key in a file on a thumb drive and configure the location in /etc/crypttab. That way, the encrypted partition can only be mounted while the USB drive is available, but it will stay readable until you manually unmount it, even if you unplug the USB drive.

Of course, the key can easily be duplicated from the drive, but you'll have to live with that, since you stated above that you do not want to use any smartcards.

mat
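
The second answer points out that a LUKS volume opened with a key file stays readable after the USB drive is unplugged. The following is an added example, not part of either answer, of a script that closes the mapping once the key drive is gone; the mapping name, mount point and key-drive UUID are placeholder assumptions.

```shell
#!/bin/sh
# Added example: lock a LUKS volume once its USB key drive has been removed.
# All names below are placeholders (assumptions), not values from the post.
MAPPING="${MAPPING:-secure_files}"        # name used with `cryptsetup open`
MOUNTPOINT="${MOUNTPOINT:-/srv/secure}"   # where the decrypted fs is mounted
KEY_DEV="${KEY_DEV:-/dev/disk/by-uuid/REPLACE-WITH-USB-FS-UUID}"
MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}"

# decide KEY_NODE MAPPER_NODE -> prints one of:
#   idle  mapping is not open, nothing to protect
#   keep  mapping is open and the key drive is still plugged in
#   lock  mapping is open but the key drive is gone
decide() {
    if [ ! -e "$2" ]; then
        echo idle
    elif [ -e "$1" ]; then
        echo keep
    else
        echo lock
    fi
}

# Unmount and close the mapping. `cryptsetup close` removes the dm-crypt
# mapping and wipes the volume key from kernel memory.
lock_volume() {
    if mountpoint -q "$MOUNTPOINT"; then
        # Fails while files are open; report it instead of forcing.
        umount "$MOUNTPOINT" || {
            logger -t usbkey-lock "umount $MOUNTPOINT failed, volume still open"
            return 1
        }
    fi
    cryptsetup close "$MAPPING"
}

# One pass; run as root from a systemd timer, cron, or a udev "remove" rule.
check_once() {
    action=$(decide "$KEY_DEV" "$MAPPER_DIR/$MAPPING")
    if [ "$action" = lock ]; then
        logger -t usbkey-lock "key drive missing, locking $MAPPING"
        lock_volume
    fi
}

# Only act when invoked as `script.sh run`, so sourcing it has no side effects.
if [ "${1:-}" = run ]; then
    check_once
fi
```

This narrows the window in which the data is readable without the drive, but it does not address the first answer's concern: the key file is still read by the server and can be copied from the drive.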