Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TrueCrypt support OpenPGP Card #23

Closed
jht5945 opened this issue Mar 11, 2016 · 4 comments
Closed

TrueCrypt support OpenPGP Card #23

jht5945 opened this issue Mar 11, 2016 · 4 comments

Comments

@jht5945
Copy link

jht5945 commented Mar 11, 2016

What about this idea, the password for TrueCrypt protected by OpenPGP Card, then mount a TrueCrypt disk will like this:

  1. Open TrueCrypt
  2. Select TrueCrypt Disk
  3. Plug OpenPGP Card
  4. Input OpenPGP Card PIN
  5. OpenPGP Card decrypt password
  6. The password decrypt TrueCrypt Disk

About OpenPGP Card: https://en.wikipedia.org/wiki/OpenPGP_card
@rmackinnon
Copy link

One problem I can see with this workflow is that a physical key (being
OpenPGP or smartcard) may or may not require a court order or more to be
surrendered, but in some instanced is covered by the 5th amendment here in
the US[1]. Yes the pin on the card is protected as privileged information
and would require compulsion by the court to be divulged[2] if the judge
felt it did not violate the witnesses 5th amendment right. Nothing say
though that the pin simply wouldn't just be bruit forced after the key
physical is obtained. There are safeguards you can have in place within
the card, but is not a guaranty that the encryption will not be broken.
Also there is liability on where the "encrypted" decryption password is
stored. Having the password stored (even encrypted) on a physical volume
or device seems like another vector someone could use to attack your volume
and forgo the need for your OpenPGP card altogether.

Personally I do like the idea of having a smartcard/pgp card as a 2FA
device in addition to other certs/passwords for a volume.

[1]
http://www.uclalawreview.org/the-fifth-amendment-encryption-and-the-forgotten-state-interest/
[2] https://en.wikipedia.org/wiki/In_re_Boucher

On Fri, Mar 11, 2016 at 10:01 AM, Hatter Jiang notifications@github.com
wrote:

What about this idea, the password for TrueCrypt protected by OpenPGP
Card, then mount a TrueCrypt disk will like this:

  1. Open TrueCrypt
  2. Select TrueCrypt Disk
  3. Plug OpenPGP Card
  4. Input OpenPGP Card PIN
  5. OpenPGP Card decrypt password
  6. The password decrypt TrueCrypt Disk

About OpenPGP Card: https://en.wikipedia.org/wiki/OpenPGP_card


Reply to this email directly or view it on GitHub
#23.

@mouse07410
Copy link

First, the feature I propose is not encrypting the passphrase, but encrypting the (truly randomly generated) volume key using a smart card. Instead of deriving that key from a passphrase.

Second, I had PIV cards in mind, though OpenPGP support would be fine too.

Finally, not every threat model has court orders as its highest risk. Plus, smart cards usually are PIN- or password-protected, and I'm sure one can plead the 5th for that PIN exactly the same way one would for the volume password of TrueCrypt.

@mouse07410
Copy link

Forgot to mention that smart cards usually lock after some very small number of failed attempts to enter PIN. Most people,set it between 5 and 10. Official policies (such as German standard) fix it at 3. So while technically it may be possible to extract the secret from a smart card - in practice the probability of success is nil.

@FreeApophis
Copy link
Owner

TrueCrypt Development has been moved to CipherShed:

Lets move the discussion over there:
CipherShed/CipherShed#46

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@FreeApophis @jht5945 @rmackinnon @mouse07410