Andrea Barisani edited this page Nov 8, 2016 · 16 revisions

The following example security application ideas illustrate the flexibility of the USB armory concept:

  • Hardware Security Module (HSM)
  • file storage with advanced features such as automatic encryption, virus scanning, host authentication and data self-destruct
  • OpenSSH client and agent for untrusted hosts (kiosk)
  • router for end-to-end VPN tunnelling, Tor
  • password manager with integrated web server
  • electronic wallet (e.g. pocket Bitcoin wallet)
  • authentication token
  • portable penetration testing platform
  • low level USB security testing

This section tracks available software PoCs, projects and procedures oriented towards implementing such application ideas, as well as any other interesting USB armory usage. If you have tested an interesting use case for the USB armory, please submit it at for inclusion.

See also Host communication for interfacing options.

File encryption

The INTERLOCK application is a file encryption front-end, with Signal messaging support, developed for, but not limited to, usage with the USB armory. A Buildroot environment is also available.

Password manager

A PoC from Michael Weissbacher is available at

Bitcoin wallet

The Electrum Bitcoin wallet works out of the box on the USB armory; it has been tested with X11 forwarding from Linux as well as Windows hosts.

Tor Anonymizing Middlebox


  • host main interface on network with default gateway
  • USB armory on network with IP address
  • USB armory masqueraded and routed as described in Host communication

USB armory setup

Launch Tor with the following configuration (/etc/tor/torrc):

AutomapHostsOnResolve 1

# Transparent proxy
TransPort 9040

DNSPort 53

Launch the following script (based on the Tor wiki's Transparent Proxy page; IMPORTANT: change the _tor_uid variable accordingly):

#!/bin/sh

### set variables
#destinations you don't want routed through Tor
#(placeholder value: replace with the networks that must stay on the clearnet)
_non_tor="192.0.2.0/24"

#the UID that Tor runs as (varies from system to system)
_tor_uid="CHANGE_ME"

#Tor's TransPort (as set in /etc/tor/torrc above)
_trans_port="9040"

#your internal interface (assumed: the USB armory's USB Ethernet interface)
_int_if="usb0"

#refuse to run until _tor_uid has been set, the owner matches below depend on it
if [ "$_tor_uid" = "CHANGE_ME" ]; then
   echo "set _tor_uid to the UID Tor runs as (e.g. id -u <tor user>)" >&2
   exit 1
fi

### flush iptables
iptables -F
iptables -t nat -F

### set iptables *nat
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53

#allow clearnet access for hosts in $_non_tor
for _clearnet in $_non_tor; do
   iptables -t nat -A OUTPUT -d $_clearnet -j RETURN
   iptables -t nat -A PREROUTING -i $_int_if -d $_clearnet -j RETURN
done

#redirect all other pre-routing and output to Tor
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port
iptables -t nat -A PREROUTING -i $_int_if -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i $_int_if -p tcp --syn -j REDIRECT --to-ports $_trans_port

### set iptables *filter
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow clearnet access for hosts in $_non_tor
for _clearnet in $_non_tor; do
   iptables -A OUTPUT -d $_clearnet -j ACCEPT
done

#allow only Tor output
iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT
iptables -A OUTPUT -j REJECT

Host setup

Define the "rt_usbarmory" routing table identifier in /etc/iproute2/rt_tables:

# reserved values
255     local
254     main
253     default
0       unspec
# local
#1      inr.ruhep
1 rt_usbarmory

Launch the following commands:

# ip rule add from table rt_usbarmory
# ip route add default via table rt_usbarmory
# ip route del default
# ip route add default via

A successful setup can be tested as follows:

$ curl | grep -E "Sorry|Congratulations"
      Congratulations. This browser is configured to use Tor.