3

I was wondering if it possible to encrypt a flash drive (or any other external medium) using certificates instead of a password.
The idea is to have a number of encrypted pendrives that can be used on PCs that have the appropriate certificate but nowhere else.

Any ideas how that could be implemented?

Jeff Ferland
  • 38,170
  • 9
  • 94
  • 172
shutefan
  • 183
  • 5
  • Maybe if you explain how you wish to use the encrypted flash drive you could get some better directed answers. You may also want to read [Is there any asymmetrically encrypted file system?](http://security.stackexchange.com/questions/6218/) or [What are the good use cases for disk encryption?](http://security.stackexchange.com/questions/3214) – this.josh Nov 03 '11 at 22:57

2 Answers2

3

as Jeff said, depends on what kind of "certificate" you mean. if you just want to allow USB sticks on certain machines, then Win7's BitLocker To-Go as well as Truecrypt (using key files) allows for this sort of thing.

Garrett
  • 324
  • 1
  • 4
  • BitLocker doesn't seem to do it for the intended purpose since the encrypted drive can only be opened on the same machine where it was encrypted. Not sure about TrueCrypt but doesn't it need a password? – shutefan Nov 03 '11 at 21:32
  • Truecrypt key files are essentially the password. It reads the file and uses the data to encrypt/decrypt the file. You can use a password in addition to a key file but it's not required. – Dracs Nov 03 '11 at 23:33
1

Do you specifically mean an X.509 certificate? If so, I think some custom coding work may be in order on your part. There's nothing particularly challenging about that, but I don't fully see the point.

Flash drives (or any encrypted disk image) are encrypted using symmetric encryption. Certificates are based around public key encryption. I would suggest using some sort of certificate-based (or PGP) file encryption to encrypt a keyfile for the drive image if you're trying to securely share a disk image across an insecure channel.

It is possible to design a system (PGP Whole Disk Encryption comes to mind) where the symmetric key for the drive is natively guarded by public keys. I'm not aware of any other products that do this, but you might be able to find some via Google.

Jeff Ferland
  • 38,170
  • 9
  • 94
  • 172
  • Not knowing all too much about certificates yet I don't mean one in particular but am more interested in the concept. I'm not sure I can follow your explanation of encrypting a keyfile for the drive image, could you explain that? – shutefan Nov 03 '11 at 21:29
  • No custom coding required to encrypt *files* - http://tldp.org/HOWTO/SSL-Certificates-HOWTO/x317.html . – symcbean Nov 04 '11 at 10:00