Michael On Everything Else

Data Security



One of the things I’ve been thinking about regarding the upcoming move is security for all the data I have scattered across multiple laptops and removable drives (USB, FireWire, etc.). Two of the tools I use daily are GPG and TrueCrypt. Both are cryptography tools but with different, complementary uses.

I use TrueCrypt to create encrypted volumes or containers, in which I store documents and files. GPG can do the same thing, but TrueCrypt allows you to have hidden containers, accessed simply by using a different password. This way, if you are compelled to provide the password to encrypted data, you can provide the alternate password. And if you think it’s far-fetched that someone would be compelled to provide their password, read this article on CNET: “Judge: Americans can be forced to decrypt their laptops”

American citizens can be ordered to decrypt their PGP-scrambled hard drives for police to peruse for incriminating files, a federal judge in Colorado ruled today in what could become a precedent-setting case. Judge Robert Blackburn ordered a Peyton, Colo., woman to decrypt the hard drive of a Toshiba laptop computer no later than February 21--or face the consequences including contempt of court.

In this post, I’m not going to go into detailed instructions for either tool. Instead I’ll just describe a method I use to protect one type of very sensitive data I have: my GPG master keyring.

Step 1: Use a master keyring

On my laptop is a special version of my GPG keyring that does not contain my revocation certificate or the original signing subkey. This disables my ability to sign other keys with my laptop keyring, but that is the only lost functionality. Now if my laptop is lost, I still maintain the master keyring and can revoke the stolen keys, hopefully before they are used. I'll do a write-up later on how to create a master and a laptop version of your keyring.

Step 2: Use a TrueCrypt volume for working documents

Like I said, I have a TrueCrypt volume that contains all of my working documents. By putting all of my working documents in an encrypted container, I don't have to worry about what should and shouldn't be encrypted. It's all encrypted. One of the pieces of data in this volume is a scan of my passport (if you don't have a backup scan of your passport, make one now). Using GPG, I made a detached signature of one of the scanned pages of my passport. This detached signature file will be used in the next step.

Step 3: Use a TrueCrypt USB stick to store your master keyring

To store my master keyring, I have a dedicated USB stick that has been encrypted with TrueCrypt. To access that USB drive, I need both a password and a keyfile. The GPG signature file in step #2 above is that keyfile. So accessing my master keyring looks like this:

  1. Open the working docs encrypted volume
  2. Open the USB encrypted volume and enter the password and the keyfile location (which is in the working docs volume)

And that’s it. I now have two-factor authentication for my master keyring. Two-factor authentication is usually something you know (a password) and something you have (an RSA token, a keyfile, etc.).
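The steps above as shell functions, with a check that the keyfile is still byte-for-byte the file the USB volume was created with. This is an added example, not commands from the original post; the signature file name, the container, device and mount arguments, and the `.sha256` sidecar file are assumptions.

```shell
#!/bin/sh
# Added example: file names, mount points and the .sha256 sidecar are assumptions.

# Step 2: create the keyfile, a detached signature over one scanned page.
# Re-signing later yields different bytes (the signature embeds its creation
# time), so the file written here cannot be regenerated; back it up.
make_keyfile() {    # $1 = file to sign, $2 = keyfile to write
    gpg --output "$2" --detach-sign "$1"
}

# Record a SHA-256 digest next to the keyfile (inside the encrypted volume).
# It catches accidental modification or truncation, not a deliberate attacker.
record_digest() {   # $1 = keyfile
    sha256sum "$1" | cut -d' ' -f1 > "$1.sha256"
}

# Succeed only if the keyfile exists and still matches the recorded digest.
keyfile_intact() {  # $1 = keyfile
    [ -r "$1" ] && [ -r "$1.sha256" ] || return 1
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(cat "$1.sha256")" ]
}

# Step 3: the two-stage unlock. TrueCrypt prompts for each password itself.
# $1 = working-docs container, $2 = its mount point,
# $3 = USB device,             $4 = its mount point
unlock_master_keyring() {
    keyfile="$2/passport-page1.jpg.sig"   # hypothetical file name
    truecrypt --text "$1" "$2" || return 1
    if ! keyfile_intact "$keyfile"; then
        echo "keyfile missing or modified: $keyfile" >&2
        return 1
    fi
    truecrypt --text --keyfiles="$keyfile" "$3" "$4"
}
```

Because the keyfile sits inside the working-docs volume, anyone who can open that volume holds the "something you have" factor, so the working-docs password deserves the same care as the USB password.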

I keep that USB stick in a safe at home and when we travel to Singapore, I’ll keep it on my person instead of the safe.