Question about usbarmor key storage functionality
195 views
Skip to first unread message
bobafet...@gmail.com
May 18, 2018, 5:51:55 AM5/18/18
to USB armory
I'm looking at what I can buy to use as a secure key storage, I would really like to be able to import a bunch of existing ssh keys (RSA 2028 or 4096), and eventually ECC (elliptic curve) keys and be able to use the device storing them for ssh authentication to connect to a remote server.
I've looked at the Nitrokey but it is kinda limited to number of keys and algorithm, I don't care about saving 50 euros, I need functionality. Which is why I hope the usb armory key can do what I need (being a device running Linux and not microcontroller-based).
I did have a cursory look at Qubes Split GPG and INTERLOCK firmware/applications for the usb armory device, but I didn't see anything specifically stating that I can do that. The INTERLOCK readme says I can upload keys and keep them in the system, but I'm unsure about what type of keys I can upload at all (SSH? GPG? RSA? ECC?) and how I could them use them with ssh.
-Alberto
Andrea Barisani
May 21, 2018, 4:05:28 AM5/21/18
to USB armory
INTERLOCK is a generic encrypted file repository, so any file can be stored in its protected directory.
Additionally specific keys can be "actively" used, such as GPG/PGP keys or One-Time ones, within the INTERLOCK UI.
For using SSH keys I see two possible approaches.
1) you use a generic Linux distribution and enable full disk encryption, this way you can store SSH keys like you would do on any server and, by giving network access to the USB armory, SSH in/out of the device. Some pointers on full disk encryption:
2) you use our INTERLOCK embedded image and leverage on the fact that you can SSH on the running INTERLOCK instance, please see https://github.com/inversepath/usbarmory/blob/master/software/buildroot/README-INTERLOCK.md#operation
In particular the following:
""The
interlock user .ssh directory can be referenced within the encrypted partition, therefore you can upload a .ssh/authorized_keys file with INTERLOCK to have SSH access for debugging or upgrading (see Upgrading section)."I hope this helps.
Cheers
Eric Duncan
Jul 16, 2018, 11:50:44 PM7/16/18
to USB armory
I'm starting to dive into my newly received Armory myself, and Andrea did well explaining INTERLOCK (as it's new to me as well).
However, I can chime in on Qubes OS' Split GPG functionality as I have been using it for some time (as well as the Split SSH sister project that uses the same PGP keys).
For starters, Qubes OS treats all USB devices as untrusted devices and (now as default in 4.0) creates an isolated USB VM that is air-gapped, away from the rest of the system, to capture all USB devices. That is, unless you are using a system with a USB KB and Mouse, like my 2014 Macbook Pro - then USB isolation is disabled, because you need USB in the Domain0 control domain.
Next, the Split GPG function is meant to be used from an air-gapped VM, such as your Vault VM by installing (or generating) your private keys there. I have one Vault VM for personal, and additional Vault VMs per client I work with. That way, if one ever gets compromised - it's only that one client. This air-gapped isolated Vault VM does not get USB devices either.
Now, in theory... If you bypass the USB isolation and allow USBs to be attached to VMs... And, if you allow attaching USB devices to your isolated and air-gapped Vault VM... Then you could use the Armory knowing that you are already bypassing a couple isolation barriers to begin with that are there to protect you.
Now, how would one use the Armory with this setup, connected as a USB device on the Vault VM? The Split GPG functionality is a set of compiled C++ binaries that wrap the PGP library within the Vault VMs.
By default, it uses a normal gpg installation. That is to say, ~/.gnupg/. The Split SSH add-on also uses the same PGP configuration to generate RSA pubkeys.
I have not dug into the Armory configuration yet for PGP; however, if there is a way to "hook" into the gpg authorization - which would normally reach out to the USB device of the Armory - I don't see why it wouldn't work from within the Vault VM you have your PGP keys in.
However, I consider this very risky when it comes to Qubes. You already have isolated your PGP keys into an air-gapped Vault VM - why risk attaching a compromised USB device? E.g. what if you accidentally selected the wrong USB device, one that had malicious firmware on it, when attaching to the Vault VM? Game over.
Anyhow... That's what I am struggling with myself. How to use the Armory with my Qubes OS. I've only come up with a simple approach so far:
* Arch Linux on Armory in Host-Only mode, Full Disk Encryption with a > 70 character password
* Armory stores my root PGP private key
* In Host-Only mode, I issue pgp "sub" keys from the Armory and store them on a temp USB stick
* Connect the USB stick to the USB VM in Qubes
* Copy the sub-keys across USB VM to Vault VM
The Vault VM, and the entire machine, would only have Subkeys on it - not my root private key. The armory stored in a vault, with a backup of the sdcard.
The weakest part in this chain is that temp USB stick I connect to the Armory. If it is compromised, it could infect my unlocked Arch install of the Armory itself.
The only other alternative is to leave the Armory operating in USB mode - and connect it to the USB VM like normal, where I can issue sub-keys directly from the device. The weakest part in this chain is any one of those USB devices could be compromised and log the keystrokes to unlock my > 70 character FDE passphrase. I consider this a larger threat than the first Host-Only option.
To recap... You could use the Armory directly within the Vault VM of Qubes, but do you really want to risk it? Instead, maybe use the Armory to story your private key offline in an air-gapped device and issue sub-keys from it that you use across your devices (phones, Qubes, etc).
-E
Eric Duncan
Jul 17, 2018, 10:01:56 AM7/17/18
to USB armory
Now that I think about it, Qubes OS' Split PGP functionality has the [feature/restriction] of not allowing passphrases to be entered as part of PGP usage. They talk about why in the Split PGP documentation (https://www.qubes-os.org/doc/split-gpg/). In short, if someone has access to your machine and private keys, then they have access to sniff your passphrase when entering it.
Therefore, since we cannot use gnupg's pentry as part of Split PGP in Qubes, I don't think there's an option to use the Armory in any hooks? Since there is no prompt.
I'll have to read up on how people are integrating Armory USB as PGP key management with local gpg installs to see.
-E
SemanticBeeng
Sep 18, 2023, 2:14:22 AM9/18/23
to USB armory
Hi,
Have a usb armory mk II with Debian OS on it and trying to use in QubesOS.
Not for key management (yet) or split GPG (there is GoKey for that: https://github.com/usbarmory/usbarmory/issues/76#issuecomment-1706309109)
Trying to connect using Ethernet over USB as described in "Host Communication" https://github.com/usbarmory/usbarmory/wiki/Host-communication.
Trying to connect using Ethernet over USB as described in "Host Communication" https://github.com/usbarmory/usbarmory/wiki/Host-communication.
The device seems to boot when connected to a USB hub (not when connected over KVM extender which is strange...) and lsusb lists it as "Gadget".
But not clear how to attach or connect to it from another qube/VM with ssh usba...@10.0.0.1.
Use cases:
1. Have a private network to it from another VM.
2. Also allow connection from usb armory to a bitcoin full node (and other multisig coordinator) over Tor
Not quite sure how to setup networking at this time and could use some guidance.
Guessing the split GPG setup should be useful but "buildroot is no longer supported"
Thoughts?
Reply all
Reply to author
Forward
0 new messages