Yesterday, I provided a problem about how to use my GnuPG key regardless of my location. In reality, there are only 3 computers that I sit at: Hercules, my laptop, and my main companion; Zeus, my “other” desktop, that is actually far more powerful than Hercules, but my wife is always on it with Windows XP; and Poseidon, my workstation at work. So, really, the security that I need to worry about is minimal (2 at home, and 1 at work), and I can be fairly pragmatic about it.
I have to say that some really interesting solutions came in regards to my problem. Encrypted loopback filesystems, smartcards, splitting the key, and others. I don’t think my solution is superior. Actually, I really like splitting the key that Daniel Silverstone came up with. Truly genius. However, my solution was the best that I could come up with, and probably fairly obvious. So, at any rate…
The solution I came up with allows me to keep my GPG key on one computer at home, with the other two taking advantage of that PC. Here’s what I did to solve the problem:
- Recognized that I have an SSH port open for remote access.
- Secured the SSH port a bit by completely disabling username/password authentication, root logins and, of course, obscured it by moving the default port off of 22.
- Generated SSH keys, using a strong cryptographic passphrase, following this tutorial.
- Appended the public keys to ~/.ssh/authorized_keys on the remote server.
- Installed, and configured, following this tutorial, SSHFS.
- Restarted the remote SSH daemon.
- Wrote an alias to mount the remote SSHFS .gnupg directory to my local .gnupg directory (using compression).
With this, I use the Gnome SSH agent, that is already running, to add my local public SSH key to the agent. Then, with that added, after entering my passphrase, I run the alias I created earlier to mount the SSHFS to my directory. Now, I can use KGpg, Enigmail, and pretty much anything GPG-related on my local machine using my GnuPG key as if it were running locally, and yet take advantage of the remote SSH key. The only thing is, as it is running through SSH, it tends to be a bit slow for encrypting, decrypting and signing. However, I only need to keep one copy of my GPG key, and I can keep it where I know that it is secure. So the decrease in speed performance is worth the safety and integrity of the key. Also, I only need to run the process of adding my key to the agent and mounting SSHFS once, which is nice.
DISCLAIMER: Because I mounted SSHFS using public key authentication, the mount exists as long as I stay logged into my box, or until I unmount it using fusermount -u. This could pose a threat, if anyone has access to my workstation. As such, when leaving the computer, I need to remember to lock it every time, or log out. Not keeping up this practice of locking my workstation or logging out could compromise the key. However, when logged out, the agent dies, thus losing the key in the agent, and unmounting the SSHFS, which means my private GPG key is no longer on the computer. So, either I need to lock the workstation, or log out every time I leave the PC. Fortunately, this is in standard practice with current behavior, so it won’t be a problem.
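The mount alias from the list above and the stale-mount risk from the disclaimer can be handled by one small set of shell functions. This is an added example, not the alias from the original post; the host name, port and paths are placeholder assumptions, and the mount check assumes a Linux mount table in /proc/mounts format.

```shell
#!/bin/sh
# Added example: host, port and paths are placeholders, not the author's values.
GPG_REMOTE="${GPG_REMOTE:-user@keyhost.example:.gnupg}"  # assumed remote key directory
GPG_PORT="${GPG_PORT:-2222}"                              # assumed non-default SSH port
GPG_DIR="${GPG_DIR:-$HOME/.gnupg}"                        # local mount point
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"                # mount table to inspect

# Succeeds if directory $1 is currently an SSHFS mount point.
# Mount table fields: device, mount point, filesystem type, options, ...
# An optional $2 overrides the mount table file (useful for testing).
is_sshfs_mounted() {
    awk -v dir="$1" '$2 == dir && $3 == "fuse.sshfs" { found = 1 }
                     END { exit !found }' "${2:-$MOUNTS_FILE}"
}

# Mount the remote key directory with compression (-C).
# Authentication is left to the SSH key already loaded in the agent.
mount_gnupg() {
    if is_sshfs_mounted "$GPG_DIR"; then
        echo "already mounted: $GPG_DIR" >&2
        return 0
    fi
    sshfs -C -p "$GPG_PORT" "$GPG_REMOTE" "$GPG_DIR"
}

# Unmount, then confirm the key directory is really no longer reachable.
umount_gnupg() {
    is_sshfs_mounted "$GPG_DIR" || return 0
    fusermount -u "$GPG_DIR" || return 1
    if is_sshfs_mounted "$GPG_DIR"; then
        echo "WARNING: $GPG_DIR is still mounted" >&2
        return 1
    fi
}
```

Calling umount_gnupg from a screen-lock or logout hook removes the dependence on remembering to lock the workstation.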