GnuPG (win32) on a USB stick

GnuPG (win32) on a USB stick

by nunzky

Hi,

I want to keep GnuPG on a USB stick to use at school and on other people's computers (all windows). However, GPG, when run, creates the keyrings and conf files on the HDD (documents and settings\appdata). Is it possible to avoid this behavior and have GnuPG write those files, say, in its own dir on my usb stick? How would I do this?

Also, this would probably have to involve me keeping my private key on the usb stick, protected only by a passphrase. How secure is this? Are there any better ways to do it?

Thanks in advance.

Re: GnuPG (win32) on a USB stick

by Robert J. Hansen-3

nunzky wrote:
> Also, this would probably have to involve me keeping my private key on the
> usb stick, protected only by a passphrase. How secure is this? Are there any
> better ways to do it?

As a rule of thumb, never do any sensitive computer operations on a
computer you don't completely trust.

If you think the computers in your campus's IT kiosks are safe and
pristine, then this idea is probably reasonably good.  If you think the
computers in the kiosks are exposed to a host of unsafe web browsing
habits, malware and stupid users 24/7, you may want to rethink this plan.


_______________________________________________
Gnupg-users mailing list
Gnupg-users@...
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GnuPG (win32) on a USB stick

by John Clizbe-3

nunzky wrote:
> Hi,
>
> I want to keep GnuPG on a USB stick to use at school and on other people's
> computers (all windows). However, GPG, when run, creates the keyrings and
> conf files on the HDD (documents and settings\appdata). Is it possible to
> avoid this behavior and have GnuPG write those files, say, in its own dir on
> my usb stick? How would I do this?
>

set GNUPGHOME=x:\location\you\want

--
John P. Clizbe                   Inet:   JPClizbe (a)tx DAWT rr DAHT con
Ginger Bear Networks             hkp:\\keyserver.gingerbear.net  or
Send email with subject help to  pgp-public-keys@...
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"




Re: GnuPG (win32) on a USB stick

by John W. Moore III-2

nunzky wrote:

> I want to keep GnuPG on a USB stick to use at school and on other people's
> computers (all windows). However, GPG, when run, creates the keyrings and
> conf files on the HDD (documents and settings\appdata). Is it possible to
> avoid this behavior and have GnuPG write those files, say, in its own dir on
> my usb stick? How would I do this?

2 ways are easily available depending upon the size of Your Flash Drive.
 You could use GPG2GO and do everything from the Command Line or You
could simply Copy Your GnuPG Directory/Folder to the Flash Drive and
then use the GPGshell Portable Utility [located at the bottom of the
Start Menu list] and then run with a GUI.
http://www.jumaros.de/rsoft/index.html

> Also, this would probably have to involve me keeping my private key on the
> usb stick, protected only by a passphrase. How secure is this? Are there any
> better ways to do it?

How secure is Your passphrase?

Robert already covered the issues involved in using an untrusted PC.
Also keep in mind that not having control over the PC also means no
Control over the Swap File, whether or not any Keyloggers are present,
etc.  Another consideration is that many Public PCs have the ability to
launch any .exe File blocked.  This is particularly true in Libraries
and other places where there is a concern that Students will attempt to
install malware, etc.

If You are just going to be using the USB Drive for Email then there are
Applications like Mobility Email & Portable Thunderbird w/Enigmail + GnuPG.

JOHN ;)
Timestamp: Sunday 02 Mar 2008, 23:38  --500 (Eastern Standard Time)

Re: GnuPG (win32) on a USB stick

by Sven Radde-3

Hi!

nunzky wrote:
> However, GPG, when run, creates the keyrings and
> conf files on the HDD (documents and settings\appdata). Is it possible to
> avoid this behavior and have GnuPG write those files, say, in its own dir on
> my usb stick? How would I do this?
>  
Try using "--homedir U:\path\to\your\keyrings" as an option to every
call to gpg, where U: is the drive letter of your USB stick.
> How secure is this? Are there any
> better ways to do it?
The OpenPGP smartcard might be an idea if you can get it to work on the
computers where you want to use GnuPG. While this is better than relying
on keyfiles with passphrases (which might easily be sniffed by a
keylogger), it still is not 100% secure on a wholly untrustworthy system.
Another option would be to boot into a dedicated system from CD. Knoppix
or the like. The risk here is a hardware keylogger. Furthermore,
depending on the (W)LAN setup, you won't easily have network
connectivity and, of course, it is inconvenient.

This is the general tradeoff: Security vs. convenience.

HTH, Sven


re: GnuPG (win32) on a USB stick

by vedaal

nunzky (funkdude at gmail.com)
wrote on Mon Mar 3 02:57:20 CET 2008 :

>Is it possible to avoid this behavior
>and have GnuPG write those files, say,
>in its own dir on my usb stick?
...
>this would probably have to involve
>me keeping my private key on the usb stick,
>protected only by a passphrase.
>How secure is this?
>Are there any better ways to do it?

in general,
the simplest, most secure way,
is to keep gnupg on your laptop,
and use the usb to transfer files from the public computer
to your laptop and back again

encrypting and decrypting while directly connected to a public
computer,
runs a very real risk of having the plaintext stored in some
recoverable form on that computer

(i would recommend a Toshiba Libretto,
that you can literally have physical control over,
at all times)
http://www.pcmag.com/article2/0,2817,1788012,00.asp

if you don't have a laptop,
and need to work from a public computer, and a usb,
here are some guidelines:

[1] generate a new gnupg key, with a comment, 'usb key',
and keep this in a separate keyring (not the keyring with your
'real' secret keys)

if you have any concern that this becomes compromised,
you can revoke it, without compromising your 'real' keys

(this is also a common courtesy to people who send encrypted mail
to you

they are entrusting their secret/personal correspondence to you,
and need to know how much they can 'trust' you

'trust' in this context,
refers to 'skill and judgment',
not 'integrity'
[ you can 'trust' someone with your life and money,
but not to drive your BMW,
if you don't think they have enough experience with a stickshift ] )

[2] keep the keyrings and the entire gnupg program in a truecrypt
container on the usb
this has two advantages:
(a) it protects your keyrings
(b) it allows you to pick a drive letter that will stay the same
regardless of the hardware differences of the various public
computers

(i.e., you can mount the truecrypt container as drive Z,
and have all the entries in your gpg.conf refer to z:\gnupg,
and never have to change it)
truecrypt can be run in traveller mode from a usb,
without having it installed on the host computer

[3] copy the entire gnupg directory from your home computer,
into the truecrypt container

[4] put these lines into your gpg.conf file:
no-default-keyring
keyring z:\gnupg\pubring.gpg
secret-keyring z:\gnupg\secring.gpg
(use your 'new' keyrings with the special 'usb key')

[5] open notepad and type these lines:
z:
cd gnupg
command.com

save this as gusb.bat in your truecrypt container

whenever you want to run gnupg from the usb,
(and have already mounted the truecrypt container as drive z:)
double-clicking on gusb.bat
opens a dos commandline window

check it by typing gpg -h
if the gnupg version and guide appear, then you're ready

[6] minor recommendation,
(i don't know how much it would help)

get (free) editpad lite:
http://www.editpadpro.com/editpadlite.html

it can be run from the usb by just copying the file EditPadLite.exe

you can compose any correspondence from editpadlite, without using
any of the host computers software (e.g. word, wordpad, notepad,
etc.),
and there 'might' be less chance of the plaintext being saved on
the host computer by some file journaling system


vedaal

any ads or links below this message are added by hushmail without
my endorsement or awareness of the nature of the link



Re: GnuPG (win32) on a USB stick

by Andrew Berg-2

John Clizbe wrote:
> set GNUPGHOME=x:\location\you\want
>  

It would be inconvenient (and inconsiderate to the host machine's
owner(s)) to set an environment variable on every machine encountered,
wouldn't it? Sven's idea is much better, I think.


Re: GnuPG (win32) on a USB stick

by Avi-7

Personally, I am using GPGShell, which, once installed, has a
small app called Copy2USB that mounts a completely self-
contained GnuPG and GPGShell system on the stick, which I take
with me.

See http://www.jumaros.de/rsoft/index.html

Thanks,

--Avi

--
en:User:Avraham
----
pub 1024D/785EA229 3/6/2007 Avi (Wikipedia-related) <aviwiki@...>
   Primary key fingerprint:  D233 20E7 0697 C3BC 4445 7D45 CBA0 3F46 785E A229

Re: GnuPG (win32) on a USB stick

by John Clizbe-3

Andrew Berg wrote:
> John Clizbe wrote:
>> set GNUPGHOME=x:\location\you\want
>>  
>
> It would be inconvenient (and inconsiderate to the host machine's
> owner(s)) to set an environment variable on every machine encountered,
> wouldn't it? Sven's idea is much better, I think.

And it shows a clear lack of understanding to think that a SET command at a
Windows command prompt sets an environment variable permanently or globally. The
variable exists in the process environment that invoked the command and those
processes invoked from it.

"Changes made using the SET command are NOT permanent, they apply to the current
CMD prompt only and remain only until the CMD window is closed."
      - http://www.ss64.com/nt/set.html

Setting GNUPGHOME is the equivalent of specifying
"--homedir U:\path\to\your\keyrings", but without the need to type (and possibly
 mistype) it every time GnuPG is invoked.

--
John P. Clizbe                   Inet:   JPClizbe (a) tx DAWT rr DAHT con
Ginger Bear Networks             PGP/GPG KeyID: 0x608D2A10
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"




Re: GnuPG (win32) on a USB stick

by nunzky

Thanks, every one of you. You have greatly enlightened me concerning the security risks associated with my endeavor. I will have to rethink my plans, but for now, I think John's idea of setting GNUPGHOME seems like the best idea to me.

However, for convenience, I'd like to maybe use a batch file to set it and open a command prompt. This would require me to be able to set it to a relative path (i.e., not have to specify a drive letter, as it will change). Is this possible?

As for GPGShell, it seems pretty good, but I'd prefer to just keep my old command line if I can.

The last version of GPG2Go I could find is 1.4.1, which seems pretty outdated. Also, the author says it is the exact same thing as the official gnupg except repackaged as a zip, which doesn't solve the problem of gpg writing to local disks by default.

re: GnuPG (win32) on a USB stick

by vedaal

nunzky (funkdude at gmail.com)
wrote on Tue Mar 4 00:02:02 CET 2008 :

>However, for convenience,
>I'd like to maybe use a batch file to set it and
>open a command prompt.
>This would require me to be able to set it to a
>relative path
>(ie, not have to specify a drive letter, as it will change).
>Is this possible?

easily


[1] make a directory called GNUPG on your usb,
and copy all the gnupg files into it

[2] make the following batch file:

set GNUPGHOME=gnupg
command.com

[3] save this .bat file in the GNUPG directory in your usb

double-clicking on the .bat file
gets you to a command prompt within gnupg,
ready for all gpg commands


vedaal
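
A launcher for the relative-path question above, as an added example that is not part of any poster's message: it derives an absolute GNUPGHOME from the batch file's own location with %~dp0, so it depends on neither the drive letter the host assigns nor the current directory. The file name gpg-usb.bat, the variable GPGDIR and the one-directory layout are assumptions; it targets cmd.exe on NT-family Windows.

```bat
@echo off
rem gpg-usb.bat -- added example; the file name and layout are assumptions.
rem Assumed layout: this file, gpg.exe and the keyrings all sit in one
rem directory on the stick, e.g. <stick>:\GNUPG\
setlocal

rem %~dp0 is the drive and directory this batch file was started from,
rem so nothing here depends on the letter the host assigns to the stick.
rem The trailing "." plus %%~fI normalises it to a full path without a
rem trailing backslash.
for %%I in ("%~dp0.") do set "GPGDIR=%%~fI"

rem Refuse to continue if the stick layout is not what we expect, instead
rem of silently falling back to a gpg.exe installed on the host.
if not exist "%GPGDIR%\gpg.exe" (
    echo gpg.exe not found in "%GPGDIR%"
    pause
    exit /b 1
)

rem Absolute home directory: keyrings and gpg.conf are read from and
rem written to the stick, wherever the prompt is later cd'ed to.
set "GNUPGHOME=%GPGDIR%"

rem Put the stick's gpg.exe first so that copy is the one that runs.
set "PATH=%GPGDIR%;%PATH%"

echo GNUPGHOME=%GNUPGHOME%
gpg --version

rem Open an interactive prompt that inherits these variables. They exist
rem only in this process tree and are gone once the window is closed.
cmd /k cd /d "%GPGDIR%"
endlocal
```

This only keeps GnuPG's own files on the stick; keyloggers, the swap file and plaintext left on the host, as discussed in the replies above, are unaffected by it.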


Re: GnuPG (win32) on a USB stick

by John W. Moore III-2

nunzky wrote:

> The last version of GPG2Go I could find is 1.4.1, which seems pretty
> outdated.

My Bad.  I shall Update the Binaries to 1.4.8 tonight and they should be
available by this time tomorrow.  I admit that I am abysmally slow as a
Maintainer. :-[

If Your USB Drive is large enough I could send You the requisite Files
direct for GPG2GO and I won't UPX them which will make for slightly
faster access function.  GPG2GO was originally designed for use from a
3.5 Floppy Drive. :)

JOHN ;)
Timestamp: Monday 03 Mar 2008, 20:47  --500 (Eastern Standard Time)

Re: GnuPG (win32) on a USB stick

by Andrew Berg-2

John Clizbe wrote:

> Andrew Berg wrote:
>  
>> John Clizbe wrote:
>>    
>>> set GNUPGHOME=x:\location\you\want  
>>>      
>> It would be inconvenient (and inconsiderate to the host machine's
>> owner(s)) to set an environment variable on every machine encountered,
>> wouldn't it? Sven's idea is much better, I think.
>>    
> And it shows a clear lack of understanding to think that a SET command at a
> Windows command prompt sets an environment variable permanently or globally. The
> variable exists in the process environment that invoked the command and those
> processes invoked from it.
>  

Actually, it shows that I wasn't thinking quite clearly. For some
reason, I was thinking of something quite different. Sorry about that.
