Iron Key and Xubuntu
  1. Overview
  2. About USB Privacy Keys
  3. Plugging in a new Iron Key
  4. Configuring Iron Key for easy use
  5. Conclusions

Overview

This document describes using and configuring an Iron Key on a Xubuntu workstation. It explains the basics of a USB privacy key, describes how to initialize a new Iron Key on Xubuntu and provides scripts that let you manage your Iron Key in a plug-and-play fashion.

Iron Key picture
Figure 1

About USB Privacy Keys

Personal USB encryption devices are meant to be carried on your key ring. Someone who uses public-key cryptography and does not want to leave her private key on a computer that is connected to the Internet most of the time can carry the key on her key ring and plug it in only when she needs it. To review what is at risk, consider the following:
  1. Alice leaves her private SSH and PGP keys on her workstation
  2. Bob compromises her workstation while she is away and takes both keys
  3. Bob is then able to SSH into Alice's server using her private SSH key
  4. Bob is also able to decrypt Alice's encrypted documents using her private PGP key
With a properly used Iron Key the scenario would change:
  1. Alice leaves her private SSH and PGP keys on her USB key
  2. Bob compromises her workstation while she is away but is unable to find either key since they are not on the workstation
  3. Bob has not gained further access to Alice's resources
The added benefit of the Iron Key is that if Bob steals the physical key from Alice then Bob has 10 guesses at Alice's password; if he fails, the device is locked forever. Iron Key's FAQ #7 claims additional benefits. What the Iron Key does not cover is an attacker who is already on your workstation while you are using it: once the device is unlocked and its encrypted volume is mounted, id_rsa is an ordinary file readable by any process running as you (or as root), and once you load it into ssh-agent the decrypted key sits in the agent's memory until you remove it, so such an attacker can use the key just as if it had been stored on the workstation.

When attaching a USB privacy key to your key ring it is a good idea to use two rings. My Iron Key once came off in my pocket when I used only the small ring it came with. I have since added a second ring so that if either ring opens again, the other keeps the key attached, as shown in Figure 2.

Iron Key redundantly hung
Figure 2

Plugging in a new Iron Key

Upon plugging a new Iron Key into an Ubuntu 8.04.2 workstation the device is auto-mounted at /media/IronKey as a read-only iso9660 volume (it presents itself as a CD-ROM device, /dev/scd2 below) that contains a readme file describing how to initialize it (see also the User's Guide). Within /media/IronKey/linux there is a README as well as an ironkey binary:
fultonj@angmar:~> ls -lh /media/IronKey/linux/ironkey 
-r-xr-xr-x 1 fultonj root 752K 2008-04-29 16:33 /media/IronKey/linux/ironkey*
fultonj@angmar:~> 
On a vanilla x86_64 Ubuntu system the binary will not run; it fails with the misleading message "/media/IronKey/linux/ironkey: No such file or directory". The binary is 32-bit, and that message is what the kernel reports when the 32-bit dynamic loader it needs is not installed, so install lib32gcc1 (on Fedora, "yum install libgcc.i686 glibc.i686"). You may also have to remount the device to allow execution of the binary, since removable media are usually automounted noexec (on Xubuntu, "mount -o remount,exec /media/cdrom0/"; note that the ISO mount point is /media/IronKey on Ubuntu but /media/cdrom0 on Xubuntu, so adjust the path). Once the ISO is mounted with exec you can run the binary and set the Iron Key password, after which an additional vfat device is mounted:
root@angmar:~# mount | grep Iron
/dev/scd2 on /media/IronKey type iso9660 (ro,nosuid,nodev,uhelper=hal,uid=1000,utf8)
/dev/sdb on /media/IronKey USB type vfat (rw,nosuid,nodev,uhelper=hal,shortname=mixed,uid=1000,utf8,umask=077,flush)
root@angmar:~# 
root@angmar:~# df -h | tail -1
/dev/sdb              1.9G  8.0K  1.9G   1% /media/IronKey USB
root@angmar:~# 
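The two failures above (the binary refusing to execute from a noexec mount, and the misleading "No such file or directory" from a 32-bit binary without its loader) are easy to diagnose before you run the vendor binary. The following preflight script is an added example and is not from the original article or from IronKey's software. It assumes the mount table is in /proc/mounts format and that the 32-bit loader lives at /lib/ld-linux.so.2 (its path on Ubuntu 8.04); the SAMPLE_MOUNTS table is constructed for the example, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the original article: preflight checks for the
# IronKey ISO before running /media/.../linux/ironkey.
# Assumptions: mount table in /proc/mounts format; 32-bit dynamic loader at
# /lib/ld-linux.so.2 (Ubuntu 8.04 path).

# Constructed sample mount table (not captured from a real system), with the
# ISO deliberately mounted noexec.
SAMPLE_MOUNTS='/dev/scd2 /media/IronKey iso9660 ro,nosuid,nodev,noexec,uid=1000 0 0
/dev/sdb /media/IronKey\040USB vfat rw,nosuid,nodev,uid=1000,umask=077 0 0'

# Print the option list for MOUNTPOINT from a mount table on stdin
# ("device mountpoint fstype options dump pass"). /proc/mounts writes a
# space in a mount point as \040, so compare against the escaped form.
mount_opts_for() {
    local mp dev target fstype opts rest
    mp=$(printf '%s' "$1" | sed 's/ /\\040/g')
    while read -r dev target fstype opts rest; do
        if [ "$target" = "$mp" ]; then
            printf '%s\n' "$opts"
            return 0
        fi
    done
    return 1
}

# Return 0 if the comma-separated option list $1 contains option $2 exactly.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if MOUNTPOINT (mount table on stdin) is mounted noexec, so the
# ironkey binary cannot run until "mount -o remount,exec MOUNTPOINT";
# 1 if exec is allowed; 2 if MOUNTPOINT is not mounted at all.
needs_exec_remount() {
    local opts
    opts=$(mount_opts_for "$1") || return 2
    has_opt "$opts" noexec
}

# Print 32 or 64 for an ELF file; fail for anything else. Byte 4 of the
# header is the class (1 = ELFCLASS32, 2 = ELFCLASS64).
elf_class() {
    local magic
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' ')
    [ "$magic" = "7f454c46" ] || return 1
    case $(od -An -tu1 -j4 -N1 "$1" | tr -d ' ') in
        1) echo 32 ;;
        2) echo 64 ;;
        *) return 1 ;;
    esac
}

# Explain the misleading "No such file or directory" the kernel reports
# when a 32-bit binary's loader is missing on an x86_64 system.
explain_binary() {
    local bin loader cls
    bin=$1
    loader=${2:-/lib/ld-linux.so.2}
    cls=$(elf_class "$bin") || { echo "$bin: not an ELF executable"; return 1; }
    if [ "$cls" = 32 ] && [ ! -e "$loader" ]; then
        echo "$bin: 32-bit ELF but $loader is missing;" \
             "install lib32gcc1 (Ubuntu) or libgcc.i686 glibc.i686 (Fedora)"
        return 1
    fi
    echo "$bin: $cls-bit ELF, loader present"
}

# Run both checks against the real system, e.g.: preflight /media/cdrom0
preflight() {
    if needs_exec_remount "$1" < /proc/mounts; then
        echo "$1 is mounted noexec; run: sudo mount -o remount,exec '$1'"
    fi
    explain_binary "$1/linux/ironkey"
}

if [ $# -gt 0 ]; then
    preflight "$1"
fi
```

Run it as "sh preflight.sh /media/cdrom0" (or /media/IronKey on Ubuntu) before the first unlock; it only reads the mount table and the ELF header, so it is safe to run on a locked device.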

The vfat volume is the main benefit of the Iron Key for a GNU/Linux user: you now have a secure place to store your private keys, and that is all; there is no further help with key management. Note the mount options above: the volume is mounted with uid=1000 and umask=077, so its files appear owned by you with mode 0700, which is what lets ssh accept a private key from a filesystem that cannot store Unix permissions. Additional applications ship with the Iron Key, but they run only on Windows. On my Iron Key I have stored the id_rsa file that I use for key-based SSH access. I like to hand this file to ssh-agent directly from the Iron Key after I plug it in and unlock it. Below I describe an easy way to do this by starting and stopping the Iron Key with a script and modifying your .bashrc to start ssh-agent if and only if the Iron Key is present.

Configuring Iron Key for easy use

The following steps are required to use a private key on an Iron Key to SSH somewhere:
  1. Plug the device into the computer (mount it if it is not auto-mounted)
  2. The ISO volume should now be mounted so you can run the ironkey binary (remount it with exec if necessary)
  3. Run the ironkey binary to access the encrypted drive (sudo ironkey)
  4. Enter the Iron Key password
  5. Use the encrypted drive, e.g. use your id_rsa file to SSH somewhere
  6. When you are done, lock and unmount the encrypted drive (ironkey -l)
  7. Unmount the ISO volume
  8. Remove the device from the computer
In short: insert it, enter a password, use it, lock it and remove it. Once you are comfortable with your Iron Key it is up to you to decide how to use it. In my case I have written a shell script that starts the device after it has been automounted:
fultonj@abraxas:~> sudo iron start
[sudo] password for fultonj:
Enter your IronKey password: ***************
Unlock successful.
IronKey device names are cd: /dev/scd0 hdd: /dev/sdb
fultonj@abraxas:~> 

If you save this script somewhere in your PATH you can run it as shown above; I keep it at /usr/local/bin/iron. Here is the script:

#!/bin/bash
# Filename:                iron
# Description:             Starts and stops an IronKey
# Supported Language(s):   Bash 3.2.x
# Time-stamp:              <2009-05-12 15:31:10 fultonj>
# -------------------------------------------------------
# Should be run with sudo. Tested on Xubuntu.
# -------------------------------------------------------
# Change $ISO to the location where the IronKey ISO is automounted
# and $VAULT to where the unlocked vfat volume appears.
ISO='/media/cdrom0'
VAULT='/media/IronKey USB'

function start {
  ## Unlock the IronKey to make id_rsa available
  # the ISO may be automounted noexec, so remount it with exec first
  /bin/mount -o remount,exec "$ISO" || exit 1
  # run the vendor binary: it prompts for the password and mounts
  # the encrypted vfat volume
  "$ISO/linux/ironkey"
  # wait for the encrypted volume to become available
  sleep 2
}

function stop {
  ## Flush the SSH agent so the key does not outlive the device
  # sudo resets the environment, so SSH_AUTH_SOCK is normally unset here;
  # in that case the keys must be removed from the user's own shell
  if [ -n "$SSH_AUTH_SOCK" ]; then
    /usr/bin/ssh-add -D
  else
    echo "SSH_AUTH_SOCK not set: run 'ssh-add -D' in your own shell" >&2
  fi
  # an alias set in .bashrc lives in the user's shell, not in this
  # script; undo it there with 'unalias ssh'

  ## Prepare the IronKey for removal
  # lock the IronKey, which should unmount the encrypted volume
  "$ISO/linux/ironkey" -l
  # unmount the encrypted volume if locking did not already do so
  /bin/umount "$VAULT" 2> /dev/null
  # unmount the ISO
  /bin/umount "$ISO"
}

# main
case "$1" in
'start')
  start
;;
'stop')
  stop
;;
*)
  echo "Usage: $0 [start|stop]"
  exit 1
;;
esac

If the device is automounted you should be able to execute the above, after which '/media/IronKey USB/id_rsa' is available as your private key. You can modify your .bashrc to test for the presence of this file and, if it is there, start an ssh-agent and add the private key to it. The ssh command can also be aliased to reference the private key on the Iron Key and to forward the agent when SSHing to other servers. Use the -A forwarding with care: while you are connected, root on the remote host can talk to the forwarded agent socket and authenticate as you to any other server that trusts the key, which is exactly the kind of exposure the Iron Key is meant to prevent, so forward only to hosts you administer yourself. All of this is done by adding the following to your .bashrc:

# if there is an IronKey (adjust for your location)
IRONKEY_ID='/media/IronKey USB/id_rsa'
if [ -f "$IRONKEY_ID" ]; then
    # start an agent only if this shell does not already have one
    if [ -z "$SSH_AUTH_SOCK" ]; then
        echo "IronKey detected, starting ssh-agent..."
        eval "$(/usr/bin/ssh-agent)" > /dev/null
    fi
    # add the key only once: ssh-add -l lists the file path as the key's
    # comment, so a second terminal does not prompt for the passphrase again
    if ! /usr/bin/ssh-add -l 2>/dev/null | grep -q -F "$IRONKEY_ID"; then
        echo "adding IronKey private key to agent"
        /usr/bin/ssh-add "$IRONKEY_ID"
    fi
    # be explicit about which key to use and forward the agent
    # (drop -A for hosts you do not administer yourself)
    alias ssh="ssh -i '$IRONKEY_ID' -A"
fi
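The alias above forwards the agent to every host and lets ssh offer any key the agent holds. The following shell functions are an added example, not code from the original article or from IronKey, that put a small policy in front of those two decisions: the key is loaded into the agent only once, ssh is pinned to the Iron Key identity with IdentitiesOnly, and agent forwarding is enabled only for hosts on an allowlist. KEY is the article's path; IRON_FORWARD_HOSTS and the host names in it are hypothetical, chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the original article or IronKey's software:
# a policy layer on top of the .bashrc snippet above.
# Assumptions: the key lives at KEY (the article's path); IRON_FORWARD_HOSTS
# is a hypothetical space-separated allowlist of hosts you administer.
KEY='/media/IronKey USB/id_rsa'
IRON_FORWARD_HOSTS='bastion.example.org'   # constructed allowlist for the example

# Return 0 if an "ssh-add -l" listing on stdin already names KEY. For a key
# loaded from a file the comment field is the file path, and ours contains
# a space, so match the whole line instead of splitting it into fields.
agent_has_key() {
    local line
    while read -r line; do
        case "$line" in *"$1"*) return 0 ;; esac
    done
    return 1
}

# Add the key once per agent, so opening a second terminal does not
# prompt for the passphrase again.
load_key_once() {
    if ssh-add -l 2>/dev/null | agent_has_key "$KEY"; then
        return 0
    fi
    ssh-add "$KEY"
}

# Return 0 if agent forwarding is allowed to $1 (user@host or host).
forward_allowed() {
    local h host
    host=${1##*@}
    for h in $IRON_FORWARD_HOSTS; do
        [ "$h" = "$host" ] && return 0
    done
    return 1
}

# Replacement for the "alias ssh=..." above: IdentitiesOnly stops ssh from
# offering every other key in the agent, and -A is used only for allowlisted
# hosts; elsewhere -a disables forwarding, because root on a forwarded-to
# host can use the agent socket to log in as you anywhere this key is trusted.
iron_ssh() {
    local host
    host=$1
    shift
    load_key_once || return 1
    if forward_allowed "$host"; then
        ssh -o IdentitiesOnly=yes -i "$KEY" -A "$host" "$@"
    else
        ssh -o IdentitiesOnly=yes -i "$KEY" -a "$host" "$@"
    fi
}
```

Source the file from .bashrc and use "iron_ssh user@host [command]" in place of the alias; the host must come first so the allowlist check sees it. Remember that "iron stop" (or ssh-add -D in your own shell) is still what removes the key from the agent when you pull the device.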

Conclusions

From a FOSS user's point of view the Iron Key is simply an encrypted drive that is more physically rugged than most drives you could buy, with features that let it withstand a physical attack. It is easy to configure on a GNU/Linux workstation, but beyond that it is a USB drive: there are no built-in programs for managing your PGP or SSH keys unless you are using Windows.