Open source software security

Open Source USB Key Encryption Techniques

30 November -0001
Justin Klien Keane
Nov 30, 2006

I recently purchased a new USB key and began thinking about ways to keep the data on the key safe. USB keys are small and easily lost, stolen, or misplaced. In order to feel secure I wanted to make sure I could encrypt data on the key so that unauthorized users wouldn't be able to view the data.

I had several different criteria for my encryption solution. First of all I wanted to use an Open Source software solution. I had several reasons for this, not the least of which being money. I wanted an encryption solution that was widely supported, and a format that wouldn't disappear if the company that made the product went away. For a commercial solution this would mean going with a larger company, but still wouldn't insure data integrity over time. I wanted to be absolutely sure that even in a pinch I could write my own program to decrypt the data if need be.

I also wanted a solution that would work on any platform. I normally work on a Windows machine, but I also work on Linux machines and have had need to use the USB key on a Mac before. I wanted some sort of solution that would allow me to plug the USB key into virtually any machine and have it work. This also meant that the encryption couldn't be tied to something on a specific machine. Private key encryption wouldn't work because I didn't want to have to carry around the key as well and expose it to loss.

The other problem in searching for a solution was that the value of a USB key is being able to transport data and programs around and access them rapidly. There were some things that I would want on the key unencrypted so I could get at them easily. One of those things being the installer for whatever program I would use to encrypt/decrypt the files.

This seemed like a pretty tall order. In the end I evaluated three products: TrueCrypt, AxCrypt and GPG. All three are available for free download and are highly regarded in the security community.

First I tried using TrueCrypt. TrueCrypt is great because it works on most platforms. The other advantage of TrueCrypt is that it will do on the fly encryption. This means that you don't have to type in pass phrases over and over for each file you want to access. You simply create an encrypted volume, and then when you want to mount the volume you enter the pass phrase once, and you can then use the files in the volume as if they weren't encrypted. When you're done you simply unmount the volume and everything becomes pass phrase protected again. TrueCrypt is also nice because you can encrypt an entire volume (for instance, a whole USB key). There are all sorts of other features to recommend TrueCrypt and although I did decide to go ahead and use it on my desktop, I decided against using it with the USB key. I resolved, in the end, that I didn't really need on the fly encryption. While it is nice, it isn't really necessary for my purposes. Also, I didn't want to partition my USB key since the partition size might become a problem if I needed to expand or shrink it. Furthermore, TrueCrypt must be installed on the machine in order to mount the drive. Since TrueCrypt isn't widely deployed I could see situations where this could be problematic.

AxCrypt is another great product. The biggest problem with AxCrypt is that it only works on Windows. It does however, support self decrypting .exe files, so you don't even necessarily have to have it installed in order to decrypt the encrypted files. AxCrypt also integrates quite nicely into Windows, so that you can right click on a file and decrypt it. This is great for fast, on demand, encryption and decryption. You can set AxCrypt up to use a key file as well, so you can script the behavior from the command line. Overall I like using AxCrypt for personal data on my desktop machine, or encrypting files that I move between my own machines. I highly recommend AxCrypt for its overall ease of use.

GPG is the GNU Privacy Guard - the open source version of PGP. GPG can be installed on virtually any platform and is widely supported (many Linux distributions install it by default). GPG allows for a huge range of options. On a Windows platform, there is WinPT, which is compatible with the Windows version of GPG and provides for easy GUI interactions. GPG is also extremely widely documented and with a little know how you could implement a program using GPG on your own. I like GPG because I can encrypt a file using a pass phrase and move it around to almost any other computer and decrypt it. GPG also supports public/private keys that you can use for digital signature as well as public key encryption of things like email. In fact, I use GPG with Mozilla Thunderbird's Enigmail plug in to allow me to send and receive encrypted emails. Overall GPG was the most widely supported encryption package I looked at. While it wouldn't support on the fly encryption, using GPG insured that the data format wouldn't be compromised over time and that I could continue to use the format for encryption no matter what operating system I chose.

After evaluating all three products I actually began to use all three for different purposes. I like having pass phrase encryption that self extracts without a supporting program so I can take encrypted files anywhere. I also like the on the fly encrypted volume for storage of files that I access often, but from set locations. I love GPG because of its cross platform nature and wide compatibility. I ended up using all three solutions, but for different purposes. I eventually settled on using GPG to encrypt sensitive data on my USB key, since that data would probably travel around, although sometimes I encrypt data on the drive using AxCrypt if I think I might need the material on an unknown Windows machine (such as in a hotel's business center) where I couldn't install software. Having all three programs in my toolkit pretty much allows me to utilize the program best suited for the job. Since all three are Open Source products you can be sure that your data format is safe from the whims of market forces (your data will never become encrypted in a format that isn't supported).